From: Loup Vaillant Date: Tue, 29 Nov 2022 23:49:15 +0000 (+0100) Subject: Switch indentation from spaces to tabs. X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=692206aec00159161717ef02b114a3903a22eaca;p=Monocypher.git Switch indentation from spaces to tabs. For the longest time I had a fairly strong personal preference for spaces. Then it came to my attention that using tabs meaningfully increases accessibility. As a cryptography library, Monocypher is supposed to ultimately help, among other people, the most vulnerable among us. It would be a shame to potentially exclude disabled contributors or auditors. Note that this patches sometimes changes a little more than just spacing. A few pieces of code in particular relied on indentation width, and had to be reworked a little bit to make them tab width agnostic. --- diff --git a/.editorconfig b/.editorconfig new file mode 100644 index 0000000..b791d00 --- /dev/null +++ b/.editorconfig @@ -0,0 +1,16 @@ +# https://EditorConfig.org + +root = true + +# UNIX style line ending rulez +# End all files with a single line ending OCD +[*] +end_of_line = lf +insert_final_newline = true + +# Tabs for indentation for accessibility reasons. +# Indent size of 4 because that's my preference. +# Note: line lengths limits (80 columns) assume tabs are 4 columns wide. +[*.{c,h}] +indent_style = tab +indent_size = 4 diff --git a/src/monocypher.c b/src/monocypher.c index bf66a69..1b7d827 100644 --- a/src/monocypher.c +++ b/src/monocypher.c @@ -86,70 +86,73 @@ static const u8 zero[128] = {0}; // Note: we use ~x+1 instead of -x to avoid compiler warnings static size_t align(size_t x, size_t pow_2) { - return (~x + 1) & (pow_2 - 1); + return (~x + 1) & (pow_2 - 1); } static u32 load24_le(const u8 s[3]) { - return (u32)s[0] - | ((u32)s[1] << 8) - | ((u32)s[2] << 16); + return + ((u32)s[0] << 0) | + ((u32)s[1] << 8) | + ((u32)s[2] << 16); } static u32 load32_le(const u8 s[4]) { - return (u32)s[0] - | ((u32)s[1] << 8) - | ((u32)s[2] << 16) - | ((u32)s[3] << 24); + return + ((u32)s[0] << 0) | + ((u32)s[1] << 8) | + ((u32)s[2] << 16) | + ((u32)s[3] << 24); } static u64 load64_le(const u8 s[8]) { - return load32_le(s) | ((u64)load32_le(s+4) << 32); + return load32_le(s) | ((u64)load32_le(s+4) << 32); } static void store32_le(u8 out[4], u32 in) { - out[0] = in & 0xff; - out[1] = (in >> 8) & 0xff; - out[2] = (in >> 16) & 0xff; - out[3] = (in >> 24) & 0xff; + out[0] = in & 0xff; + out[1] = (in >> 8) & 0xff; + out[2] = (in >> 16) & 0xff; + out[3] = (in >> 24) & 0xff; } static void store64_le(u8 out[8], u64 in) { - store32_le(out , (u32)in ); - store32_le(out + 4, in >> 32); + store32_le(out , (u32)in ); + store32_le(out + 4, in >> 32); } static void load32_le_buf (u32 *dst, const u8 *src, size_t size) { - FOR(i, 0, size) { dst[i] = load32_le(src + i*4); } + FOR(i, 0, size) { dst[i] = load32_le(src + i*4); } } static void load64_le_buf (u64 *dst, const u8 *src, size_t size) { - FOR(i, 0, size) { dst[i] = load64_le(src + i*8); } + FOR(i, 0, size) { dst[i] = load64_le(src + i*8); } } static void store32_le_buf(u8 *dst, const u32 *src, size_t size) { - FOR(i, 0, size) { store32_le(dst + i*4, src[i]); } + FOR(i, 0, size) { store32_le(dst + i*4, src[i]); } } static void store64_le_buf(u8 *dst, const u64 *src, size_t size) { - FOR(i, 0, size) { store64_le(dst + i*8, src[i]); } + FOR(i, 0, size) { store64_le(dst + i*8, src[i]); } } static u64 rotr64(u64 x, u64 n) { return (x >> n) ^ (x << (64 - n)); } static u32 rotl32(u32 x, u32 n) { return (x << n) ^ (x >> (32 - n)); } static int neq0(u64 diff) -{ // constant time comparison to zero - // return diff != 0 ? -1 : 0 - u64 half = (diff >> 32) | ((u32)diff); - return (1 & ((half - 1) >> 32)) - 1; +{ + // constant time comparison to zero + // return diff != 0 ? -1 : 0 + u64 half = (diff >> 32) | ((u32)diff); + return (1 & ((half - 1) >> 32)) - 1; } static u64 x16(const u8 a[16], const u8 b[16]) { - return (load64_le(a + 0) ^ load64_le(b + 0)) - | (load64_le(a + 8) ^ load64_le(b + 8)); + return (load64_le(a + 0) ^ load64_le(b + 0)) + | (load64_le(a + 8) ^ load64_le(b + 8)); } static u64 x32(const u8 a[32],const u8 b[32]){return x16(a,b)| x16(a+16, b+16);} static u64 x64(const u8 a[64],const u8 b[64]){return x32(a,b)| x32(a+32, b+32);} @@ -159,157 +162,157 @@ int crypto_verify64(const u8 a[64], const u8 b[64]){ return neq0(x64(a, b)); } void crypto_wipe(void *secret, size_t size) { - volatile u8 *v_secret = (u8*)secret; - ZERO(v_secret, size); + volatile u8 *v_secret = (u8*)secret; + ZERO(v_secret, size); } ///////////////// /// Chacha 20 /// ///////////////// -#define QUARTERROUND(a, b, c, d) \ - a += b; d = rotl32(d ^ a, 16); \ - c += d; b = rotl32(b ^ c, 12); \ - a += b; d = rotl32(d ^ a, 8); \ - c += d; b = rotl32(b ^ c, 7) +#define QUARTERROUND(a, b, c, d) \ + a += b; d = rotl32(d ^ a, 16); \ + c += d; b = rotl32(b ^ c, 12); \ + a += b; d = rotl32(d ^ a, 8); \ + c += d; b = rotl32(b ^ c, 7) static void chacha20_rounds(u32 out[16], const u32 in[16]) { - // The temporary variables make Chacha20 10% faster. - u32 t0 = in[ 0]; u32 t1 = in[ 1]; u32 t2 = in[ 2]; u32 t3 = in[ 3]; - u32 t4 = in[ 4]; u32 t5 = in[ 5]; u32 t6 = in[ 6]; u32 t7 = in[ 7]; - u32 t8 = in[ 8]; u32 t9 = in[ 9]; u32 t10 = in[10]; u32 t11 = in[11]; - u32 t12 = in[12]; u32 t13 = in[13]; u32 t14 = in[14]; u32 t15 = in[15]; - - FOR (i, 0, 10) { // 20 rounds, 2 rounds per loop. - QUARTERROUND(t0, t4, t8 , t12); // column 0 - QUARTERROUND(t1, t5, t9 , t13); // column 1 - QUARTERROUND(t2, t6, t10, t14); // column 2 - QUARTERROUND(t3, t7, t11, t15); // column 3 - QUARTERROUND(t0, t5, t10, t15); // diagonal 0 - QUARTERROUND(t1, t6, t11, t12); // diagonal 1 - QUARTERROUND(t2, t7, t8 , t13); // diagonal 2 - QUARTERROUND(t3, t4, t9 , t14); // diagonal 3 - } - out[ 0] = t0; out[ 1] = t1; out[ 2] = t2; out[ 3] = t3; - out[ 4] = t4; out[ 5] = t5; out[ 6] = t6; out[ 7] = t7; - out[ 8] = t8; out[ 9] = t9; out[10] = t10; out[11] = t11; - out[12] = t12; out[13] = t13; out[14] = t14; out[15] = t15; + // The temporary variables make Chacha20 10% faster. + u32 t0 = in[ 0]; u32 t1 = in[ 1]; u32 t2 = in[ 2]; u32 t3 = in[ 3]; + u32 t4 = in[ 4]; u32 t5 = in[ 5]; u32 t6 = in[ 6]; u32 t7 = in[ 7]; + u32 t8 = in[ 8]; u32 t9 = in[ 9]; u32 t10 = in[10]; u32 t11 = in[11]; + u32 t12 = in[12]; u32 t13 = in[13]; u32 t14 = in[14]; u32 t15 = in[15]; + + FOR (i, 0, 10) { // 20 rounds, 2 rounds per loop. + QUARTERROUND(t0, t4, t8 , t12); // column 0 + QUARTERROUND(t1, t5, t9 , t13); // column 1 + QUARTERROUND(t2, t6, t10, t14); // column 2 + QUARTERROUND(t3, t7, t11, t15); // column 3 + QUARTERROUND(t0, t5, t10, t15); // diagonal 0 + QUARTERROUND(t1, t6, t11, t12); // diagonal 1 + QUARTERROUND(t2, t7, t8 , t13); // diagonal 2 + QUARTERROUND(t3, t4, t9 , t14); // diagonal 3 + } + out[ 0] = t0; out[ 1] = t1; out[ 2] = t2; out[ 3] = t3; + out[ 4] = t4; out[ 5] = t5; out[ 6] = t6; out[ 7] = t7; + out[ 8] = t8; out[ 9] = t9; out[10] = t10; out[11] = t11; + out[12] = t12; out[13] = t13; out[14] = t14; out[15] = t15; } static const u8 *chacha20_constant = (const u8*)"expand 32-byte k"; // 16 bytes void crypto_hchacha20(u8 out[32], const u8 key[32], const u8 in [16]) { - u32 block[16]; - load32_le_buf(block , chacha20_constant, 4); - load32_le_buf(block + 4, key , 8); - load32_le_buf(block + 12, in , 4); + u32 block[16]; + load32_le_buf(block , chacha20_constant, 4); + load32_le_buf(block + 4, key , 8); + load32_le_buf(block + 12, in , 4); - chacha20_rounds(block, block); + chacha20_rounds(block, block); - // prevent reversal of the rounds by revealing only half of the buffer. - store32_le_buf(out , block , 4); // constant - store32_le_buf(out+16, block+12, 4); // counter and nonce - WIPE_BUFFER(block); + // prevent reversal of the rounds by revealing only half of the buffer. + store32_le_buf(out , block , 4); // constant + store32_le_buf(out+16, block+12, 4); // counter and nonce + WIPE_BUFFER(block); } u64 crypto_chacha20_ctr(u8 *cipher_text, const u8 *plain_text, size_t text_size, const u8 key[32], const u8 nonce[8], u64 ctr) { - u32 input[16]; - load32_le_buf(input , chacha20_constant, 4); - load32_le_buf(input + 4, key , 8); - load32_le_buf(input + 14, nonce , 2); - input[12] = (u32) ctr; - input[13] = (u32)(ctr >> 32); - - // Whole blocks - u32 pool[16]; - size_t nb_blocks = text_size >> 6; - FOR (i, 0, nb_blocks) { - chacha20_rounds(pool, input); - if (plain_text != 0) { - FOR (j, 0, 16) { - u32 p = pool[j] + input[j]; - store32_le(cipher_text, p ^ load32_le(plain_text)); - cipher_text += 4; - plain_text += 4; - } - } else { - FOR (j, 0, 16) { - u32 p = pool[j] + input[j]; - store32_le(cipher_text, p); - cipher_text += 4; - } - } - input[12]++; - if (input[12] == 0) { - input[13]++; - } - } - text_size &= 63; - - // Last (incomplete) block - if (text_size > 0) { - if (plain_text == 0) { - plain_text = zero; - } - chacha20_rounds(pool, input); - u8 tmp[64]; - FOR (i, 0, 16) { - store32_le(tmp + i*4, pool[i] + input[i]); - } - FOR (i, 0, text_size) { - cipher_text[i] = tmp[i] ^ plain_text[i]; - } - WIPE_BUFFER(tmp); - } - ctr = input[12] + ((u64)input[13] << 32) + (text_size > 0); - - WIPE_BUFFER(pool); - WIPE_BUFFER(input); - return ctr; + u32 input[16]; + load32_le_buf(input , chacha20_constant, 4); + load32_le_buf(input + 4, key , 8); + load32_le_buf(input + 14, nonce , 2); + input[12] = (u32) ctr; + input[13] = (u32)(ctr >> 32); + + // Whole blocks + u32 pool[16]; + size_t nb_blocks = text_size >> 6; + FOR (i, 0, nb_blocks) { + chacha20_rounds(pool, input); + if (plain_text != 0) { + FOR (j, 0, 16) { + u32 p = pool[j] + input[j]; + store32_le(cipher_text, p ^ load32_le(plain_text)); + cipher_text += 4; + plain_text += 4; + } + } else { + FOR (j, 0, 16) { + u32 p = pool[j] + input[j]; + store32_le(cipher_text, p); + cipher_text += 4; + } + } + input[12]++; + if (input[12] == 0) { + input[13]++; + } + } + text_size &= 63; + + // Last (incomplete) block + if (text_size > 0) { + if (plain_text == 0) { + plain_text = zero; + } + chacha20_rounds(pool, input); + u8 tmp[64]; + FOR (i, 0, 16) { + store32_le(tmp + i*4, pool[i] + input[i]); + } + FOR (i, 0, text_size) { + cipher_text[i] = tmp[i] ^ plain_text[i]; + } + WIPE_BUFFER(tmp); + } + ctr = input[12] + ((u64)input[13] << 32) + (text_size > 0); + + WIPE_BUFFER(pool); + WIPE_BUFFER(input); + return ctr; } u32 crypto_ietf_chacha20_ctr(u8 *cipher_text, const u8 *plain_text, size_t text_size, const u8 key[32], const u8 nonce[12], u32 ctr) { - u64 big_ctr = ctr + ((u64)load32_le(nonce) << 32); - return (u32)crypto_chacha20_ctr(cipher_text, plain_text, text_size, - key, nonce + 4, big_ctr); + u64 big_ctr = ctr + ((u64)load32_le(nonce) << 32); + return (u32)crypto_chacha20_ctr(cipher_text, plain_text, text_size, + key, nonce + 4, big_ctr); } u64 crypto_xchacha20_ctr(u8 *cipher_text, const u8 *plain_text, size_t text_size, const u8 key[32], const u8 nonce[24], u64 ctr) { - u8 sub_key[32]; - crypto_hchacha20(sub_key, key, nonce); - ctr = crypto_chacha20_ctr(cipher_text, plain_text, text_size, - sub_key, nonce+16, ctr); - WIPE_BUFFER(sub_key); - return ctr; + u8 sub_key[32]; + crypto_hchacha20(sub_key, key, nonce); + ctr = crypto_chacha20_ctr(cipher_text, plain_text, text_size, + sub_key, nonce+16, ctr); + WIPE_BUFFER(sub_key); + return ctr; } void crypto_chacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size, const u8 key[32], const u8 nonce[8]) { - crypto_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); + crypto_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); } void crypto_ietf_chacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size, const u8 key[32], const u8 nonce[12]) { - crypto_ietf_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); + crypto_ietf_chacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); } void crypto_xchacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size, const u8 key[32], const u8 nonce[24]) { - crypto_xchacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); + crypto_xchacha20_ctr(cipher_text, plain_text, text_size, key, nonce, 0); } ///////////////// @@ -325,330 +328,330 @@ void crypto_xchacha20(u8 *cipher_text, const u8 *plain_text, size_t text_size, // ctx->h <= 4_ffffffff_ffffffff_ffffffff_ffffffff static void poly_block(crypto_poly1305_ctx *ctx, const u8 in[16], unsigned end) { - u32 s[4]; - load32_le_buf(s, in, 4); - - // s = h + c, without carry propagation - const u64 s0 = ctx->h[0] + (u64)s[0]; // s0 <= 1_fffffffe - const u64 s1 = ctx->h[1] + (u64)s[1]; // s1 <= 1_fffffffe - const u64 s2 = ctx->h[2] + (u64)s[2]; // s2 <= 1_fffffffe - const u64 s3 = ctx->h[3] + (u64)s[3]; // s3 <= 1_fffffffe - const u32 s4 = ctx->h[4] + end; // s4 <= 5 - - // Local all the things! - const u32 r0 = ctx->r[0]; // r0 <= 0fffffff - const u32 r1 = ctx->r[1]; // r1 <= 0ffffffc - const u32 r2 = ctx->r[2]; // r2 <= 0ffffffc - const u32 r3 = ctx->r[3]; // r3 <= 0ffffffc - const u32 rr0 = (r0 >> 2) * 5; // rr0 <= 13fffffb // lose 2 bits... - const u32 rr1 = (r1 >> 2) + r1; // rr1 <= 13fffffb // rr1 == (r1 >> 2) * 5 - const u32 rr2 = (r2 >> 2) + r2; // rr2 <= 13fffffb // rr1 == (r2 >> 2) * 5 - const u32 rr3 = (r3 >> 2) + r3; // rr3 <= 13fffffb // rr1 == (r3 >> 2) * 5 - - // (h + c) * r, without carry propagation - const u64 x0 = s0*r0+ s1*rr3+ s2*rr2+ s3*rr1+ s4*rr0; // <= 97ffffe007fffff8 - const u64 x1 = s0*r1+ s1*r0 + s2*rr3+ s3*rr2+ s4*rr1; // <= 8fffffe20ffffff6 - const u64 x2 = s0*r2+ s1*r1 + s2*r0 + s3*rr3+ s4*rr2; // <= 87ffffe417fffff4 - const u64 x3 = s0*r3+ s1*r2 + s2*r1 + s3*r0 + s4*rr3; // <= 7fffffe61ffffff2 - const u32 x4 = s4 * (r0 & 3); // ...recover 2 bits // <= f - - // partial reduction modulo 2^130 - 5 - const u32 u5 = x4 + (x3 >> 32); // u5 <= 7ffffff5 - const u64 u0 = (u5 >> 2) * 5 + (x0 & 0xffffffff); - const u64 u1 = (u0 >> 32) + (x1 & 0xffffffff) + (x0 >> 32); - const u64 u2 = (u1 >> 32) + (x2 & 0xffffffff) + (x1 >> 32); - const u64 u3 = (u2 >> 32) + (x3 & 0xffffffff) + (x2 >> 32); - const u64 u4 = (u3 >> 32) + (u5 & 3); - - // Update the hash - ctx->h[0] = (u32)u0; // u0 <= 1_9ffffff0 - ctx->h[1] = (u32)u1; // u1 <= 1_97ffffe0 - ctx->h[2] = (u32)u2; // u2 <= 1_8fffffe2 - ctx->h[3] = (u32)u3; // u3 <= 1_87ffffe4 - ctx->h[4] = (u32)u4; // u4 <= 4 + u32 s[4]; + load32_le_buf(s, in, 4); + + // s = h + c, without carry propagation + const u64 s0 = ctx->h[0] + (u64)s[0]; // s0 <= 1_fffffffe + const u64 s1 = ctx->h[1] + (u64)s[1]; // s1 <= 1_fffffffe + const u64 s2 = ctx->h[2] + (u64)s[2]; // s2 <= 1_fffffffe + const u64 s3 = ctx->h[3] + (u64)s[3]; // s3 <= 1_fffffffe + const u32 s4 = ctx->h[4] + end; // s4 <= 5 + + // Local all the things! + const u32 r0 = ctx->r[0]; // r0 <= 0fffffff + const u32 r1 = ctx->r[1]; // r1 <= 0ffffffc + const u32 r2 = ctx->r[2]; // r2 <= 0ffffffc + const u32 r3 = ctx->r[3]; // r3 <= 0ffffffc + const u32 rr0 = (r0 >> 2) * 5; // rr0 <= 13fffffb // lose 2 bits... + const u32 rr1 = (r1 >> 2) + r1; // rr1 <= 13fffffb // rr1 == (r1 >> 2) * 5 + const u32 rr2 = (r2 >> 2) + r2; // rr2 <= 13fffffb // rr1 == (r2 >> 2) * 5 + const u32 rr3 = (r3 >> 2) + r3; // rr3 <= 13fffffb // rr1 == (r3 >> 2) * 5 + + // (h + c) * r, without carry propagation + const u64 x0 = s0*r0+ s1*rr3+ s2*rr2+ s3*rr1+ s4*rr0; // <= 97ffffe007fffff8 + const u64 x1 = s0*r1+ s1*r0 + s2*rr3+ s3*rr2+ s4*rr1; // <= 8fffffe20ffffff6 + const u64 x2 = s0*r2+ s1*r1 + s2*r0 + s3*rr3+ s4*rr2; // <= 87ffffe417fffff4 + const u64 x3 = s0*r3+ s1*r2 + s2*r1 + s3*r0 + s4*rr3; // <= 7fffffe61ffffff2 + const u32 x4 = s4 * (r0 & 3); // ...recover 2 bits // <= f + + // partial reduction modulo 2^130 - 5 + const u32 u5 = x4 + (x3 >> 32); // u5 <= 7ffffff5 + const u64 u0 = (u5 >> 2) * 5 + (x0 & 0xffffffff); + const u64 u1 = (u0 >> 32) + (x1 & 0xffffffff) + (x0 >> 32); + const u64 u2 = (u1 >> 32) + (x2 & 0xffffffff) + (x1 >> 32); + const u64 u3 = (u2 >> 32) + (x3 & 0xffffffff) + (x2 >> 32); + const u64 u4 = (u3 >> 32) + (u5 & 3); + + // Update the hash + ctx->h[0] = (u32)u0; // u0 <= 1_9ffffff0 + ctx->h[1] = (u32)u1; // u1 <= 1_97ffffe0 + ctx->h[2] = (u32)u2; // u2 <= 1_8fffffe2 + ctx->h[3] = (u32)u3; // u3 <= 1_87ffffe4 + ctx->h[4] = (u32)u4; // u4 <= 4 } void crypto_poly1305_init(crypto_poly1305_ctx *ctx, const u8 key[32]) { - ZERO(ctx->h, 5); // Initial hash is zero - ctx->c_idx = 0; - // load r and pad (r has some of its bits cleared) - load32_le_buf(ctx->r , key , 4); - load32_le_buf(ctx->pad, key+16, 4); - FOR (i, 0, 1) { ctx->r[i] &= 0x0fffffff; } - FOR (i, 1, 4) { ctx->r[i] &= 0x0ffffffc; } + ZERO(ctx->h, 5); // Initial hash is zero + ctx->c_idx = 0; + // load r and pad (r has some of its bits cleared) + load32_le_buf(ctx->r , key , 4); + load32_le_buf(ctx->pad, key+16, 4); + FOR (i, 0, 1) { ctx->r[i] &= 0x0fffffff; } + FOR (i, 1, 4) { ctx->r[i] &= 0x0ffffffc; } } void crypto_poly1305_update(crypto_poly1305_ctx *ctx, const u8 *message, size_t message_size) { - // Align ourselves with block boundaries - size_t aligned = MIN(align(ctx->c_idx, 16), message_size); - FOR (i, 0, aligned) { - ctx->c[ctx->c_idx] = *message; - ctx->c_idx++; - message++; - message_size--; - } - - // If block is complete, process it - if (ctx->c_idx == 16) { - poly_block(ctx, ctx->c, 1); - ctx->c_idx = 0; - } - - // Process the message block by block - size_t nb_blocks = message_size >> 4; - FOR (i, 0, nb_blocks) { - poly_block(ctx, message, 1); - message += 16; - } - message_size &= 15; - - // remaining bytes (we never complete a block here) - FOR (i, 0, message_size) { - ctx->c[ctx->c_idx] = message[i]; - ctx->c_idx++; - } + // Align ourselves with block boundaries + size_t aligned = MIN(align(ctx->c_idx, 16), message_size); + FOR (i, 0, aligned) { + ctx->c[ctx->c_idx] = *message; + ctx->c_idx++; + message++; + message_size--; + } + + // If block is complete, process it + if (ctx->c_idx == 16) { + poly_block(ctx, ctx->c, 1); + ctx->c_idx = 0; + } + + // Process the message block by block + size_t nb_blocks = message_size >> 4; + FOR (i, 0, nb_blocks) { + poly_block(ctx, message, 1); + message += 16; + } + message_size &= 15; + + // remaining bytes (we never complete a block here) + FOR (i, 0, message_size) { + ctx->c[ctx->c_idx] = message[i]; + ctx->c_idx++; + } } void crypto_poly1305_final(crypto_poly1305_ctx *ctx, u8 mac[16]) { - // Process the last block (if any) - // We move the final 1 according to remaining input length - // (this will add less than 2^130 to the last input block) - if (ctx->c_idx != 0) { - ZERO(ctx->c + ctx->c_idx, 16 - ctx->c_idx); - ctx->c[ctx->c_idx] = 1; - poly_block(ctx, ctx->c, 0); - } - - // check if we should subtract 2^130-5 by performing the - // corresponding carry propagation. - u64 c = 5; - FOR (i, 0, 4) { - c += ctx->h[i]; - c >>= 32; - } - c += ctx->h[4]; - c = (c >> 2) * 5; // shift the carry back to the beginning - // c now indicates how many times we should subtract 2^130-5 (0 or 1) - FOR (i, 0, 4) { - c += (u64)ctx->h[i] + ctx->pad[i]; - store32_le(mac + i*4, (u32)c); - c = c >> 32; - } - WIPE_CTX(ctx); + // Process the last block (if any) + // We move the final 1 according to remaining input length + // (this will add less than 2^130 to the last input block) + if (ctx->c_idx != 0) { + ZERO(ctx->c + ctx->c_idx, 16 - ctx->c_idx); + ctx->c[ctx->c_idx] = 1; + poly_block(ctx, ctx->c, 0); + } + + // check if we should subtract 2^130-5 by performing the + // corresponding carry propagation. + u64 c = 5; + FOR (i, 0, 4) { + c += ctx->h[i]; + c >>= 32; + } + c += ctx->h[4]; + c = (c >> 2) * 5; // shift the carry back to the beginning + // c now indicates how many times we should subtract 2^130-5 (0 or 1) + FOR (i, 0, 4) { + c += (u64)ctx->h[i] + ctx->pad[i]; + store32_le(mac + i*4, (u32)c); + c = c >> 32; + } + WIPE_CTX(ctx); } void crypto_poly1305(u8 mac[16], const u8 *message, size_t message_size, const u8 key[32]) { - crypto_poly1305_ctx ctx; - crypto_poly1305_init (&ctx, key); - crypto_poly1305_update(&ctx, message, message_size); - crypto_poly1305_final (&ctx, mac); + crypto_poly1305_ctx ctx; + crypto_poly1305_init (&ctx, key); + crypto_poly1305_update(&ctx, message, message_size); + crypto_poly1305_final (&ctx, mac); } //////////////// /// BLAKE2 b /// //////////////// static const u64 iv[8] = { - 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, - 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, - 0x510e527fade682d1, 0x9b05688c2b3e6c1f, - 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179, + 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, + 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, + 0x510e527fade682d1, 0x9b05688c2b3e6c1f, + 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179, }; static void blake2b_compress(crypto_blake2b_ctx *ctx, int is_last_block) { - static const u8 sigma[12][16] = { - { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, - { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, - { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, - { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, - { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, - { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, - { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, - { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, - { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, - { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, - { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, - { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, - }; - - // increment input offset - u64 *x = ctx->input_offset; - size_t y = ctx->input_idx; - x[0] += y; - if (x[0] < y) { - x[1]++; - } - - // init work vector - u64 v0 = ctx->hash[0]; u64 v8 = iv[0]; - u64 v1 = ctx->hash[1]; u64 v9 = iv[1]; - u64 v2 = ctx->hash[2]; u64 v10 = iv[2]; - u64 v3 = ctx->hash[3]; u64 v11 = iv[3]; - u64 v4 = ctx->hash[4]; u64 v12 = iv[4] ^ ctx->input_offset[0]; - u64 v5 = ctx->hash[5]; u64 v13 = iv[5] ^ ctx->input_offset[1]; - u64 v6 = ctx->hash[6]; u64 v14 = iv[6] ^ (u64)~(is_last_block - 1); - u64 v7 = ctx->hash[7]; u64 v15 = iv[7]; - - // mangle work vector - u64 *input = ctx->input; -#define BLAKE2_G(a, b, c, d, x, y) \ - a += b + x; d = rotr64(d ^ a, 32); \ - c += d; b = rotr64(b ^ c, 24); \ - a += b + y; d = rotr64(d ^ a, 16); \ - c += d; b = rotr64(b ^ c, 63) -#define BLAKE2_ROUND(i) \ - BLAKE2_G(v0, v4, v8 , v12, input[sigma[i][ 0]], input[sigma[i][ 1]]); \ - BLAKE2_G(v1, v5, v9 , v13, input[sigma[i][ 2]], input[sigma[i][ 3]]); \ - BLAKE2_G(v2, v6, v10, v14, input[sigma[i][ 4]], input[sigma[i][ 5]]); \ - BLAKE2_G(v3, v7, v11, v15, input[sigma[i][ 6]], input[sigma[i][ 7]]); \ - BLAKE2_G(v0, v5, v10, v15, input[sigma[i][ 8]], input[sigma[i][ 9]]); \ - BLAKE2_G(v1, v6, v11, v12, input[sigma[i][10]], input[sigma[i][11]]); \ - BLAKE2_G(v2, v7, v8 , v13, input[sigma[i][12]], input[sigma[i][13]]); \ - BLAKE2_G(v3, v4, v9 , v14, input[sigma[i][14]], input[sigma[i][15]]) + static const u8 sigma[12][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + }; + + // increment input offset + u64 *x = ctx->input_offset; + size_t y = ctx->input_idx; + x[0] += y; + if (x[0] < y) { + x[1]++; + } + + // init work vector + u64 v0 = ctx->hash[0]; u64 v8 = iv[0]; + u64 v1 = ctx->hash[1]; u64 v9 = iv[1]; + u64 v2 = ctx->hash[2]; u64 v10 = iv[2]; + u64 v3 = ctx->hash[3]; u64 v11 = iv[3]; + u64 v4 = ctx->hash[4]; u64 v12 = iv[4] ^ ctx->input_offset[0]; + u64 v5 = ctx->hash[5]; u64 v13 = iv[5] ^ ctx->input_offset[1]; + u64 v6 = ctx->hash[6]; u64 v14 = iv[6] ^ (u64)~(is_last_block - 1); + u64 v7 = ctx->hash[7]; u64 v15 = iv[7]; + + // mangle work vector + u64 *input = ctx->input; +#define BLAKE2_G(a, b, c, d, x, y) \ + a += b + x; d = rotr64(d ^ a, 32); \ + c += d; b = rotr64(b ^ c, 24); \ + a += b + y; d = rotr64(d ^ a, 16); \ + c += d; b = rotr64(b ^ c, 63) +#define BLAKE2_ROUND(i) \ + BLAKE2_G(v0, v4, v8 , v12, input[sigma[i][ 0]], input[sigma[i][ 1]]); \ + BLAKE2_G(v1, v5, v9 , v13, input[sigma[i][ 2]], input[sigma[i][ 3]]); \ + BLAKE2_G(v2, v6, v10, v14, input[sigma[i][ 4]], input[sigma[i][ 5]]); \ + BLAKE2_G(v3, v7, v11, v15, input[sigma[i][ 6]], input[sigma[i][ 7]]); \ + BLAKE2_G(v0, v5, v10, v15, input[sigma[i][ 8]], input[sigma[i][ 9]]); \ + BLAKE2_G(v1, v6, v11, v12, input[sigma[i][10]], input[sigma[i][11]]); \ + BLAKE2_G(v2, v7, v8 , v13, input[sigma[i][12]], input[sigma[i][13]]); \ + BLAKE2_G(v3, v4, v9 , v14, input[sigma[i][14]], input[sigma[i][15]]) #ifdef BLAKE2_NO_UNROLLING - FOR (i, 0, 12) { - BLAKE2_ROUND(i); - } + FOR (i, 0, 12) { + BLAKE2_ROUND(i); + } #else - BLAKE2_ROUND(0); BLAKE2_ROUND(1); BLAKE2_ROUND(2); BLAKE2_ROUND(3); - BLAKE2_ROUND(4); BLAKE2_ROUND(5); BLAKE2_ROUND(6); BLAKE2_ROUND(7); - BLAKE2_ROUND(8); BLAKE2_ROUND(9); BLAKE2_ROUND(10); BLAKE2_ROUND(11); + BLAKE2_ROUND(0); BLAKE2_ROUND(1); BLAKE2_ROUND(2); BLAKE2_ROUND(3); + BLAKE2_ROUND(4); BLAKE2_ROUND(5); BLAKE2_ROUND(6); BLAKE2_ROUND(7); + BLAKE2_ROUND(8); BLAKE2_ROUND(9); BLAKE2_ROUND(10); BLAKE2_ROUND(11); #endif - // update hash - ctx->hash[0] ^= v0 ^ v8; ctx->hash[1] ^= v1 ^ v9; - ctx->hash[2] ^= v2 ^ v10; ctx->hash[3] ^= v3 ^ v11; - ctx->hash[4] ^= v4 ^ v12; ctx->hash[5] ^= v5 ^ v13; - ctx->hash[6] ^= v6 ^ v14; ctx->hash[7] ^= v7 ^ v15; + // update hash + ctx->hash[0] ^= v0 ^ v8; ctx->hash[1] ^= v1 ^ v9; + ctx->hash[2] ^= v2 ^ v10; ctx->hash[3] ^= v3 ^ v11; + ctx->hash[4] ^= v4 ^ v12; ctx->hash[5] ^= v5 ^ v13; + ctx->hash[6] ^= v6 ^ v14; ctx->hash[7] ^= v7 ^ v15; } static void blake2b_set_input(crypto_blake2b_ctx *ctx, u8 input, size_t index) { - if (index == 0) { - ZERO(ctx->input, 16); - } - size_t word = index >> 3; - size_t byte = index & 7; - ctx->input[word] |= (u64)input << (byte << 3); + if (index == 0) { + ZERO(ctx->input, 16); + } + size_t word = index >> 3; + size_t byte = index & 7; + ctx->input[word] |= (u64)input << (byte << 3); } void crypto_blake2b_general_init(crypto_blake2b_ctx *ctx, size_t hash_size, const u8 *key, size_t key_size) { - // initial hash - COPY(ctx->hash, iv, 8); - ctx->hash[0] ^= 0x01010000 ^ (key_size << 8) ^ hash_size; + // initial hash + COPY(ctx->hash, iv, 8); + ctx->hash[0] ^= 0x01010000 ^ (key_size << 8) ^ hash_size; - ctx->input_offset[0] = 0; // beginning of the input, no offset - ctx->input_offset[1] = 0; // beginning of the input, no offset - ctx->hash_size = hash_size; // remember the hash size we want - ctx->input_idx = 0; + ctx->input_offset[0] = 0; // beginning of the input, no offset + ctx->input_offset[1] = 0; // beginning of the input, no offset + ctx->hash_size = hash_size; // remember the hash size we want + ctx->input_idx = 0; - // if there is a key, the first block is that key (padded with zeroes) - if (key_size > 0) { - u8 key_block[128] = {0}; - COPY(key_block, key, key_size); - // same as calling crypto_blake2b_update(ctx, key_block , 128) - load64_le_buf(ctx->input, key_block, 16); - ctx->input_idx = 128; - } + // if there is a key, the first block is that key (padded with zeroes) + if (key_size > 0) { + u8 key_block[128] = {0}; + COPY(key_block, key, key_size); + // same as calling crypto_blake2b_update(ctx, key_block , 128) + load64_le_buf(ctx->input, key_block, 16); + ctx->input_idx = 128; + } } void crypto_blake2b_init(crypto_blake2b_ctx *ctx) { - crypto_blake2b_general_init(ctx, 64, 0, 0); + crypto_blake2b_general_init(ctx, 64, 0, 0); } void crypto_blake2b_update(crypto_blake2b_ctx *ctx, const u8 *message, size_t message_size) { - // Align ourselves with block boundaries - // The block that may result is not compressed yet - size_t aligned = MIN(align(ctx->input_idx, 128), message_size); - FOR (i, 0, aligned) { - blake2b_set_input(ctx, *message, ctx->input_idx); - ctx->input_idx++; - message++; - message_size--; - } - - // Process the message block by block - // The last block is not compressed yet. - size_t nb_blocks = message_size >> 7; - FOR (i, 0, nb_blocks) { - if (ctx->input_idx == 128) { - blake2b_compress(ctx, 0); - } - load64_le_buf(ctx->input, message, 16); - message += 128; - ctx->input_idx = 128; - } - message_size &= 127; - - // Fill remaining bytes (not the whole buffer) - // The last block is never fully filled - FOR (i, 0, message_size) { - if (ctx->input_idx == 128) { - blake2b_compress(ctx, 0); - ctx->input_idx = 0; - } - blake2b_set_input(ctx, message[i], ctx->input_idx); - ctx->input_idx++; - } + // Align ourselves with block boundaries + // The block that may result is not compressed yet + size_t aligned = MIN(align(ctx->input_idx, 128), message_size); + FOR (i, 0, aligned) { + blake2b_set_input(ctx, *message, ctx->input_idx); + ctx->input_idx++; + message++; + message_size--; + } + + // Process the message block by block + // The last block is not compressed yet. + size_t nb_blocks = message_size >> 7; + FOR (i, 0, nb_blocks) { + if (ctx->input_idx == 128) { + blake2b_compress(ctx, 0); + } + load64_le_buf(ctx->input, message, 16); + message += 128; + ctx->input_idx = 128; + } + message_size &= 127; + + // Fill remaining bytes (not the whole buffer) + // The last block is never fully filled + FOR (i, 0, message_size) { + if (ctx->input_idx == 128) { + blake2b_compress(ctx, 0); + ctx->input_idx = 0; + } + blake2b_set_input(ctx, message[i], ctx->input_idx); + ctx->input_idx++; + } } void crypto_blake2b_final(crypto_blake2b_ctx *ctx, u8 *hash) { - // Pad the end of the block with zeroes - FOR (i, ctx->input_idx, 128) { - blake2b_set_input(ctx, 0, i); - } - blake2b_compress(ctx, 1); // compress the last block - size_t nb_words = ctx->hash_size >> 3; - store64_le_buf(hash, ctx->hash, nb_words); - FOR (i, nb_words << 3, ctx->hash_size) { - hash[i] = (ctx->hash[i >> 3] >> (8 * (i & 7))) & 0xff; - } - WIPE_CTX(ctx); + // Pad the end of the block with zeroes + FOR (i, ctx->input_idx, 128) { + blake2b_set_input(ctx, 0, i); + } + blake2b_compress(ctx, 1); // compress the last block + size_t nb_words = ctx->hash_size >> 3; + store64_le_buf(hash, ctx->hash, nb_words); + FOR (i, nb_words << 3, ctx->hash_size) { + hash[i] = (ctx->hash[i >> 3] >> (8 * (i & 7))) & 0xff; + } + WIPE_CTX(ctx); } void crypto_blake2b_general(u8 *hash , size_t hash_size, const u8 *key , size_t key_size, const u8 *message, size_t message_size) { - crypto_blake2b_ctx ctx; - crypto_blake2b_general_init(&ctx, hash_size, key, key_size); - crypto_blake2b_update(&ctx, message, message_size); - crypto_blake2b_final(&ctx, hash); + crypto_blake2b_ctx ctx; + crypto_blake2b_general_init(&ctx, hash_size, key, key_size); + crypto_blake2b_update(&ctx, message, message_size); + crypto_blake2b_final(&ctx, hash); } void crypto_blake2b(u8 hash[64], const u8 *message, size_t message_size) { - crypto_blake2b_general(hash, 64, 0, 0, message, message_size); + crypto_blake2b_general(hash, 64, 0, 0, message, message_size); } static void blake2b_vtable_init(void *ctx) { - crypto_blake2b_init(&((crypto_sign_ctx*)ctx)->hash); + crypto_blake2b_init(&((crypto_sign_ctx*)ctx)->hash); } static void blake2b_vtable_update(void *ctx, const u8 *m, size_t s) { - crypto_blake2b_update(&((crypto_sign_ctx*)ctx)->hash, m, s); + crypto_blake2b_update(&((crypto_sign_ctx*)ctx)->hash, m, s); } static void blake2b_vtable_final(void *ctx, u8 *h) { - crypto_blake2b_final(&((crypto_sign_ctx*)ctx)->hash, h); + crypto_blake2b_final(&((crypto_sign_ctx*)ctx)->hash, h); } const crypto_sign_vtable crypto_blake2b_vtable = { - crypto_blake2b, - blake2b_vtable_init, - blake2b_vtable_update, - blake2b_vtable_final, - sizeof(crypto_sign_ctx), + crypto_blake2b, + blake2b_vtable_init, + blake2b_vtable_update, + blake2b_vtable_final, + sizeof(crypto_sign_ctx), }; //////////////// @@ -661,27 +664,27 @@ typedef struct { u64 a[128]; } block; static void wipe_block(block *b) { - volatile u64* a = b->a; - ZERO(a, 128); + volatile u64* a = b->a; + ZERO(a, 128); } // updates a BLAKE2 hash with a 32 bit word, little endian. static void blake_update_32(crypto_blake2b_ctx *ctx, u32 input) { - u8 buf[4]; - store32_le(buf, input); - crypto_blake2b_update(ctx, buf, 4); - WIPE_BUFFER(buf); + u8 buf[4]; + store32_le(buf, input); + crypto_blake2b_update(ctx, buf, 4); + WIPE_BUFFER(buf); } static void load_block(block *b, const u8 bytes[1024]) { - load64_le_buf(b->a, bytes, 128); + load64_le_buf(b->a, bytes, 128); } static void store_block(u8 bytes[1024], const block *b) { - store64_le_buf(bytes, b->a, 128); + store64_le_buf(bytes, b->a, 128); } static void copy_block(block *o,const block*in){FOR(i,0,128)o->a[i] = in->a[i];} @@ -695,70 +698,70 @@ static void xor_block(block *o,const block*in){FOR(i,0,128)o->a[i]^= in->a[i];} static void extended_hash(u8 *digest, u32 digest_size, const u8 *input , u32 input_size) { - crypto_blake2b_ctx ctx; - crypto_blake2b_general_init(&ctx, MIN(digest_size, 64), 0, 0); - blake_update_32 (&ctx, digest_size); - crypto_blake2b_update (&ctx, input, input_size); - crypto_blake2b_final (&ctx, digest); - - if (digest_size > 64) { - // the conversion to u64 avoids integer overflow on - // ludicrously big hash sizes. - u32 r = (u32)(((u64)digest_size + 31) >> 5) - 2; - u32 i = 1; - u32 in = 0; - u32 out = 32; - while (i < r) { - // Input and output overlap. This is intentional - crypto_blake2b(digest + out, digest + in, 64); - i += 1; - in += 32; - out += 32; - } - crypto_blake2b_general(digest + out, digest_size - (32 * r), - 0, 0, // no key - digest + in , 64); - } + crypto_blake2b_ctx ctx; + crypto_blake2b_general_init(&ctx, MIN(digest_size, 64), 0, 0); + blake_update_32 (&ctx, digest_size); + crypto_blake2b_update (&ctx, input, input_size); + crypto_blake2b_final (&ctx, digest); + + if (digest_size > 64) { + // the conversion to u64 avoids integer overflow on + // ludicrously big hash sizes. + u32 r = (u32)(((u64)digest_size + 31) >> 5) - 2; + u32 i = 1; + u32 in = 0; + u32 out = 32; + while (i < r) { + // Input and output overlap. This is intentional + crypto_blake2b(digest + out, digest + in, 64); + i += 1; + in += 32; + out += 32; + } + crypto_blake2b_general(digest + out, digest_size - (32 * r), + 0, 0, // no key + digest + in , 64); + } } #define LSB(x) ((x) & 0xffffffff) -#define G(a, b, c, d) \ - a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 32); \ - c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 24); \ - a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 16); \ - c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 63) -#define ROUND(v0, v1, v2, v3, v4, v5, v6, v7, \ - v8, v9, v10, v11, v12, v13, v14, v15) \ - G(v0, v4, v8, v12); G(v1, v5, v9, v13); \ - G(v2, v6, v10, v14); G(v3, v7, v11, v15); \ - G(v0, v5, v10, v15); G(v1, v6, v11, v12); \ - G(v2, v7, v8, v13); G(v3, v4, v9, v14) +#define G(a, b, c, d) \ + a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 32); \ + c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 24); \ + a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 16); \ + c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 63) +#define ROUND(v0, v1, v2, v3, v4, v5, v6, v7, \ + v8, v9, v10, v11, v12, v13, v14, v15) \ + G(v0, v4, v8, v12); G(v1, v5, v9, v13); \ + G(v2, v6, v10, v14); G(v3, v7, v11, v15); \ + G(v0, v5, v10, v15); G(v1, v6, v11, v12); \ + G(v2, v7, v8, v13); G(v3, v4, v9, v14) // Core of the compression function G. Computes Z from R in place. static void g_rounds(block *work_block) { - // column rounds (work_block = Q) - for (int i = 0; i < 128; i += 16) { - ROUND(work_block->a[i ], work_block->a[i + 1], - work_block->a[i + 2], work_block->a[i + 3], - work_block->a[i + 4], work_block->a[i + 5], - work_block->a[i + 6], work_block->a[i + 7], - work_block->a[i + 8], work_block->a[i + 9], - work_block->a[i + 10], work_block->a[i + 11], - work_block->a[i + 12], work_block->a[i + 13], - work_block->a[i + 14], work_block->a[i + 15]); - } - // row rounds (work_block = Z) - for (int i = 0; i < 16; i += 2) { - ROUND(work_block->a[i ], work_block->a[i + 1], - work_block->a[i + 16], work_block->a[i + 17], - work_block->a[i + 32], work_block->a[i + 33], - work_block->a[i + 48], work_block->a[i + 49], - work_block->a[i + 64], work_block->a[i + 65], - work_block->a[i + 80], work_block->a[i + 81], - work_block->a[i + 96], work_block->a[i + 97], - work_block->a[i + 112], work_block->a[i + 113]); - } + // column rounds (work_block = Q) + for (int i = 0; i < 128; i += 16) { + ROUND(work_block->a[i ], work_block->a[i + 1], + work_block->a[i + 2], work_block->a[i + 3], + work_block->a[i + 4], work_block->a[i + 5], + work_block->a[i + 6], work_block->a[i + 7], + work_block->a[i + 8], work_block->a[i + 9], + work_block->a[i + 10], work_block->a[i + 11], + work_block->a[i + 12], work_block->a[i + 13], + work_block->a[i + 14], work_block->a[i + 15]); + } + // row rounds (work_block = Z) + for (int i = 0; i < 16; i += 2) { + ROUND(work_block->a[i ], work_block->a[i + 1], + work_block->a[i + 16], work_block->a[i + 17], + work_block->a[i + 32], work_block->a[i + 33], + work_block->a[i + 48], work_block->a[i + 49], + work_block->a[i + 64], work_block->a[i + 65], + work_block->a[i + 80], work_block->a[i + 81], + work_block->a[i + 96], work_block->a[i + 97], + work_block->a[i + 112], work_block->a[i + 113]); + } } // Argon2i uses a kind of stream cipher to determine which reference @@ -766,13 +769,13 @@ static void g_rounds(block *work_block) // that stream's state. (It's very similar to Chacha20. The block b // is analogous to Chacha's own pool) typedef struct { - block b; - u32 pass_number; - u32 slice_number; - u32 nb_blocks; - u32 nb_iterations; - u32 ctr; - u32 offset; + block b; + u32 pass_number; + u32 slice_number; + u32 nb_blocks; + u32 nb_iterations; + u32 ctr; + u32 offset; } gidx_ctx; // The block in the context will determine array indices. To avoid @@ -781,85 +784,85 @@ typedef struct { // easier, but timing attacks are the bigger threat in many settings. static void gidx_refresh(gidx_ctx *ctx) { - // seed the beginning of the block... - ctx->b.a[0] = ctx->pass_number; - ctx->b.a[1] = 0; // lane number (we have only one) - ctx->b.a[2] = ctx->slice_number; - ctx->b.a[3] = ctx->nb_blocks; - ctx->b.a[4] = ctx->nb_iterations; - ctx->b.a[5] = 1; // type: Argon2i - ctx->b.a[6] = ctx->ctr; - ZERO(ctx->b.a + 7, 121); // ...then zero the rest out - - // Shuffle the block thus: ctx->b = G((G(ctx->b, zero)), zero) - // (G "square" function), to get cheap pseudo-random numbers. - block tmp; - copy_block(&tmp, &ctx->b); - g_rounds (&ctx->b); - xor_block (&ctx->b, &tmp); - copy_block(&tmp, &ctx->b); - g_rounds (&ctx->b); - xor_block (&ctx->b, &tmp); - wipe_block(&tmp); + // seed the beginning of the block... + ctx->b.a[0] = ctx->pass_number; + ctx->b.a[1] = 0; // lane number (we have only one) + ctx->b.a[2] = ctx->slice_number; + ctx->b.a[3] = ctx->nb_blocks; + ctx->b.a[4] = ctx->nb_iterations; + ctx->b.a[5] = 1; // type: Argon2i + ctx->b.a[6] = ctx->ctr; + ZERO(ctx->b.a + 7, 121); // ...then zero the rest out + + // Shuffle the block thus: ctx->b = G((G(ctx->b, zero)), zero) + // (G "square" function), to get cheap pseudo-random numbers. + block tmp; + copy_block(&tmp, &ctx->b); + g_rounds (&ctx->b); + xor_block (&ctx->b, &tmp); + copy_block(&tmp, &ctx->b); + g_rounds (&ctx->b); + xor_block (&ctx->b, &tmp); + wipe_block(&tmp); } static void gidx_init(gidx_ctx *ctx, u32 pass_number, u32 slice_number, u32 nb_blocks, u32 nb_iterations) { - ctx->pass_number = pass_number; - ctx->slice_number = slice_number; - ctx->nb_blocks = nb_blocks; - ctx->nb_iterations = nb_iterations; - ctx->ctr = 0; + ctx->pass_number = pass_number; + ctx->slice_number = slice_number; + ctx->nb_blocks = nb_blocks; + ctx->nb_iterations = nb_iterations; + ctx->ctr = 0; - // Offset from the beginning of the segment. For the first slice - // of the first pass, we start at the *third* block, so the offset - // starts at 2, not 0. - if (pass_number != 0 || slice_number != 0) { - ctx->offset = 0; - } else { - ctx->offset = 2; - ctx->ctr++; // Compensates for missed lazy creation - gidx_refresh(ctx); // at the start of gidx_next() - } + // Offset from the beginning of the segment. For the first slice + // of the first pass, we start at the *third* block, so the offset + // starts at 2, not 0. + if (pass_number != 0 || slice_number != 0) { + ctx->offset = 0; + } else { + ctx->offset = 2; + ctx->ctr++; // Compensates for missed lazy creation + gidx_refresh(ctx); // at the start of gidx_next() + } } static u32 gidx_next(gidx_ctx *ctx) { - // lazily creates the offset block we need - if ((ctx->offset & 127) == 0) { - ctx->ctr++; - gidx_refresh(ctx); - } - u32 index = ctx->offset & 127; // save index for current call - u32 offset = ctx->offset; // save offset for current call - ctx->offset++; // update offset for next call - - // Computes the area size. - // Pass 0 : all already finished segments plus already constructed - // blocks in this segment - // Pass 1+: 3 last segments plus already constructed - // blocks in this segment. THE SPEC SUGGESTS OTHERWISE. - // I CONFORM TO THE REFERENCE IMPLEMENTATION. - int first_pass = ctx->pass_number == 0; - u32 slice_size = ctx->nb_blocks >> 2; - u32 nb_segments = first_pass ? ctx->slice_number : 3; - u32 area_size = nb_segments * slice_size + offset - 1; - - // Computes the starting position of the reference area. - // CONTRARY TO WHAT THE SPEC SUGGESTS, IT STARTS AT THE - // NEXT SEGMENT, NOT THE NEXT BLOCK. - u32 next_slice = ((ctx->slice_number + 1) & 3) * slice_size; - u32 start_pos = first_pass ? 0 : next_slice; - - // Generate offset from J1 (no need for J2, there's only one lane) - u64 j1 = ctx->b.a[index] & 0xffffffff; // pseudo-random number - u64 x = (j1 * j1) >> 32; - u64 y = (area_size * x) >> 32; - u64 z = (area_size - 1) - y; - u64 ref = start_pos + z; // ref < 2 * nb_blocks - return (u32)(ref < ctx->nb_blocks ? ref : ref - ctx->nb_blocks); + // lazily creates the offset block we need + if ((ctx->offset & 127) == 0) { + ctx->ctr++; + gidx_refresh(ctx); + } + u32 index = ctx->offset & 127; // save index for current call + u32 offset = ctx->offset; // save offset for current call + ctx->offset++; // update offset for next call + + // Computes the area size. + // Pass 0 : all already finished segments plus already constructed + // blocks in this segment + // Pass 1+: 3 last segments plus already constructed + // blocks in this segment. THE SPEC SUGGESTS OTHERWISE. + // I CONFORM TO THE REFERENCE IMPLEMENTATION. + int first_pass = ctx->pass_number == 0; + u32 slice_size = ctx->nb_blocks >> 2; + u32 nb_segments = first_pass ? ctx->slice_number : 3; + u32 area_size = nb_segments * slice_size + offset - 1; + + // Computes the starting position of the reference area. + // CONTRARY TO WHAT THE SPEC SUGGESTS, IT STARTS AT THE + // NEXT SEGMENT, NOT THE NEXT BLOCK. + u32 next_slice = ((ctx->slice_number + 1) & 3) * slice_size; + u32 start_pos = first_pass ? 0 : next_slice; + + // Generate offset from J1 (no need for J2, there's only one lane) + u64 j1 = ctx->b.a[index] & 0xffffffff; // pseudo-random number + u64 x = (j1 * j1) >> 32; + u64 y = (area_size * x) >> 32; + u64 z = (area_size - 1) - y; + u64 ref = start_pos + z; // ref < 2 * nb_blocks + return (u32)(ref < ctx->nb_blocks ? ref : ref - ctx->nb_blocks); } // Main algorithm @@ -871,92 +874,93 @@ void crypto_argon2i_general(u8 *hash, u32 hash_size, const u8 *key, u32 key_size, const u8 *ad, u32 ad_size) { - // work area seen as blocks (must be suitably aligned) - block *blocks = (block*)work_area; - { - crypto_blake2b_ctx ctx; - crypto_blake2b_init(&ctx); - - blake_update_32 (&ctx, 1 ); // p: number of threads - blake_update_32 (&ctx, hash_size ); - blake_update_32 (&ctx, nb_blocks ); - blake_update_32 (&ctx, nb_iterations); - blake_update_32 (&ctx, 0x13 ); // v: version number - blake_update_32 (&ctx, 1 ); // y: Argon2i - blake_update_32 (&ctx, password_size); - crypto_blake2b_update(&ctx, password, password_size); - blake_update_32 (&ctx, salt_size); - crypto_blake2b_update(&ctx, salt, salt_size); - blake_update_32 (&ctx, key_size); - crypto_blake2b_update(&ctx, key, key_size); - blake_update_32 (&ctx, ad_size); - crypto_blake2b_update(&ctx, ad, ad_size); - - u8 initial_hash[72]; // 64 bytes plus 2 words for future hashes - crypto_blake2b_final(&ctx, initial_hash); - - // fill first 2 blocks - u8 hash_area[1024]; - store32_le(initial_hash + 64, 0); // first additional word - store32_le(initial_hash + 68, 0); // second additional word - extended_hash(hash_area, 1024, initial_hash, 72); - load_block(blocks, hash_area); - - store32_le(initial_hash + 64, 1); // slight modification - extended_hash(hash_area, 1024, initial_hash, 72); - load_block(blocks + 1, hash_area); - - WIPE_BUFFER(initial_hash); - WIPE_BUFFER(hash_area); - } - - // Actual number of blocks - nb_blocks -= nb_blocks & 3; // round down to 4 p (p == 1 thread) - const u32 segment_size = nb_blocks >> 2; - - // fill (then re-fill) the rest of the blocks - block tmp; - gidx_ctx ctx; // public information, no need to wipe - FOR_T (u32, pass_number, 0, nb_iterations) { - int first_pass = pass_number == 0; - - FOR_T (u32, segment, 0, 4) { - gidx_init(&ctx, pass_number, segment, nb_blocks, nb_iterations); - - // On the first segment of the first pass, - // blocks 0 and 1 are already filled. - // We use the offset to skip them. - u32 start_offset = first_pass && segment == 0 ? 2 : 0; - u32 segment_start = segment * segment_size + start_offset; - u32 segment_end = (segment + 1) * segment_size; - FOR_T (u32, current_block, segment_start, segment_end) { - block *reference = blocks + gidx_next(&ctx); - block *current = blocks + current_block; - block *previous = current_block == 0 - ? blocks + nb_blocks - 1 - : blocks + current_block - 1; - // Apply compression function G, - // And copy it (or XOR it) to the current block. - copy_block(&tmp, previous); - xor_block (&tmp, reference); - if (first_pass) { copy_block(current, &tmp); } - else { xor_block (current, &tmp); } - g_rounds (&tmp); - xor_block (current, &tmp); - } - } - } - wipe_block(&tmp); - u8 final_block[1024]; - store_block(final_block, blocks + (nb_blocks - 1)); - - // wipe work area - volatile u64 *p = (u64*)work_area; - ZERO(p, 128 * nb_blocks); - - // hash the very last block with H' into the output hash - extended_hash(hash, hash_size, final_block, 1024); - WIPE_BUFFER(final_block); + // work area seen as blocks (must be suitably aligned) + block *blocks = (block*)work_area; + { + crypto_blake2b_ctx ctx; + crypto_blake2b_init(&ctx); + + blake_update_32 (&ctx, 1 ); // p: number of threads + blake_update_32 (&ctx, hash_size ); + blake_update_32 (&ctx, nb_blocks ); + blake_update_32 (&ctx, nb_iterations); + blake_update_32 (&ctx, 0x13 ); // v: version number + blake_update_32 (&ctx, 1 ); // y: Argon2i + blake_update_32 (&ctx, password_size); + crypto_blake2b_update(&ctx, password, password_size); + blake_update_32 (&ctx, salt_size); + crypto_blake2b_update(&ctx, salt, salt_size); + blake_update_32 (&ctx, key_size); + crypto_blake2b_update(&ctx, key, key_size); + blake_update_32 (&ctx, ad_size); + crypto_blake2b_update(&ctx, ad, ad_size); + + u8 initial_hash[72]; // 64 bytes plus 2 words for future hashes + crypto_blake2b_final(&ctx, initial_hash); + + // fill first 2 blocks + u8 hash_area[1024]; + store32_le(initial_hash + 64, 0); // first additional word + store32_le(initial_hash + 68, 0); // second additional word + extended_hash(hash_area, 1024, initial_hash, 72); + load_block(blocks, hash_area); + + store32_le(initial_hash + 64, 1); // slight modification + extended_hash(hash_area, 1024, initial_hash, 72); + load_block(blocks + 1, hash_area); + + WIPE_BUFFER(initial_hash); + WIPE_BUFFER(hash_area); + } + + // Actual number of blocks + nb_blocks -= nb_blocks & 3; // round down to 4 p (p == 1 thread) + const u32 segment_size = nb_blocks >> 2; + + // fill (then re-fill) the rest of the blocks + block tmp; + gidx_ctx ctx; // public information, no need to wipe + FOR_T (u32, pass_number, 0, nb_iterations) { + int first_pass = pass_number == 0; + + FOR_T (u32, segment, 0, 4) { + gidx_init(&ctx, pass_number, segment, nb_blocks, nb_iterations); + + // On the first segment of the first pass, + // blocks 0 and 1 are already filled. + // We use the offset to skip them. + u32 start_offset = first_pass && segment == 0 ? 2 : 0; + u32 segment_start = segment * segment_size + start_offset; + u32 segment_end = (segment + 1) * segment_size; + FOR_T (u32, current_block, segment_start, segment_end) { + block *reference = blocks + gidx_next(&ctx); + block *current = blocks + current_block; + block *previous = + current_block == 0 + ? blocks + nb_blocks - 1 + : blocks + current_block - 1; + // Apply compression function G, + // And copy it (or XOR it) to the current block. + copy_block(&tmp, previous); + xor_block (&tmp, reference); + if (first_pass) { copy_block(current, &tmp); } + else { xor_block (current, &tmp); } + g_rounds (&tmp); + xor_block (current, &tmp); + } + } + } + wipe_block(&tmp); + u8 final_block[1024]; + store_block(final_block, blocks + (nb_blocks - 1)); + + // wipe work area + volatile u64 *p = (u64*)work_area; + ZERO(p, 128 * nb_blocks); + + // hash the very last block with H' into the output hash + extended_hash(hash, hash_size, final_block, 1024); + WIPE_BUFFER(final_block); } void crypto_argon2i(u8 *hash, u32 hash_size, @@ -964,8 +968,8 @@ void crypto_argon2i(u8 *hash, u32 hash_size, const u8 *password, u32 password_size, const u8 *salt, u32 salt_size) { - crypto_argon2i_general(hash, hash_size, work_area, nb_blocks, nb_iterations, - password, password_size, salt , salt_size, 0,0,0,0); + crypto_argon2i_general(hash, hash_size, work_area, nb_blocks, nb_iterations, + password, password_size, salt , salt_size, 0,0,0,0); } //////////////////////////////////// @@ -987,18 +991,30 @@ typedef i32 fe[10]; // ufactor : -sqrt(-1) * 2 // A2 : 486662^2 (A squared) static const fe fe_one = {1}; -static const fe sqrtm1 = {-32595792, -7943725, 9377950, 3500415, 12389472, - -272473, -25146209, -2005654, 326686, 11406482,}; -static const fe d = {-10913610, 13857413, -15372611, 6949391, 114729, - -8787816, -6275908, -3247719, -18696448, -12055116,}; -static const fe D2 = {-21827239, -5839606, -30745221, 13898782, 229458, - 15978800, -12551817, -6495438, 29715968, 9444199,}; -static const fe lop_x = {21352778, 5345713, 4660180, -8347857, 24143090, - 14568123, 30185756, -12247770, -33528939, 8345319,}; -static const fe lop_y = {-6952922, -1265500, 6862341, -7057498, -4037696, - -5447722, 31680899, -15325402, -19365852, 1569102,}; -static const fe ufactor = {-1917299, 15887451, -18755900, -7000830, -24778944, - 544946, -16816446, 4011309, -653372, 10741468,}; +static const fe sqrtm1 = { + -32595792, -7943725, 9377950, 3500415, 12389472, + -272473, -25146209, -2005654, 326686, 11406482, +}; +static const fe d = { + -10913610, 13857413, -15372611, 6949391, 114729, + -8787816, -6275908, -3247719, -18696448, -12055116, +}; +static const fe D2 = { + -21827239, -5839606, -30745221, 13898782, 229458, + 15978800, -12551817, -6495438, 29715968, 9444199, +}; +static const fe lop_x = { + 21352778, 5345713, 4660180, -8347857, 24143090, + 14568123, 30185756, -12247770, -33528939, 8345319, +}; +static const fe lop_y = { + -6952922, -1265500, 6862341, -7057498, -4037696, + -5447722, 31680899, -15325402, -19365852, 1569102, +}; +static const fe ufactor = { + -1917299, 15887451, -18755900, -7000830, -24778944, + 544946, -16816446, 4011309, -653372, 10741468, +}; static const fe A2 = {12721188, 3529, 0, 0, 0, 0, 0, 0, 0, 0,}; static void fe_0(fe h) { ZERO(h , 10); } @@ -1011,21 +1027,21 @@ static void fe_sub (fe h,const fe f,const fe g){FOR(i,0,10) h[i] = f[i] - g[i];} static void fe_cswap(fe f, fe g, int b) { - i32 mask = -b; // -1 = 0xffffffff - FOR (i, 0, 10) { - i32 x = (f[i] ^ g[i]) & mask; - f[i] = f[i] ^ x; - g[i] = g[i] ^ x; - } + i32 mask = -b; // -1 = 0xffffffff + FOR (i, 0, 10) { + i32 x = (f[i] ^ g[i]) & mask; + f[i] = f[i] ^ x; + g[i] = g[i] ^ x; + } } static void fe_ccopy(fe f, const fe g, int b) { - i32 mask = -b; // -1 = 0xffffffff - FOR (i, 0, 10) { - i32 x = (f[i] ^ g[i]) & mask; - f[i] = f[i] ^ x; - } + i32 mask = -b; // -1 = 0xffffffff + FOR (i, 0, 10) { + i32 x = (f[i] ^ g[i]) & mask; + f[i] = f[i] ^ x; + } } @@ -1137,22 +1153,22 @@ static void fe_ccopy(fe f, const fe g, int b) // ------------- // |t0|, |t2|, |t4|, |t6|, |t8| < 1.1 * 2^25 // |t1|, |t3|, |t5|, |t7|, |t9| < 1.1 * 2^24 -#define FE_CARRY \ - i64 c; \ - c = (t0 + ((i64)1<<25)) >> 26; t0 -= c * ((i64)1 << 26); t1 += c; \ - c = (t4 + ((i64)1<<25)) >> 26; t4 -= c * ((i64)1 << 26); t5 += c; \ - c = (t1 + ((i64)1<<24)) >> 25; t1 -= c * ((i64)1 << 25); t2 += c; \ - c = (t5 + ((i64)1<<24)) >> 25; t5 -= c * ((i64)1 << 25); t6 += c; \ - c = (t2 + ((i64)1<<25)) >> 26; t2 -= c * ((i64)1 << 26); t3 += c; \ - c = (t6 + ((i64)1<<25)) >> 26; t6 -= c * ((i64)1 << 26); t7 += c; \ - c = (t3 + ((i64)1<<24)) >> 25; t3 -= c * ((i64)1 << 25); t4 += c; \ - c = (t7 + ((i64)1<<24)) >> 25; t7 -= c * ((i64)1 << 25); t8 += c; \ - c = (t4 + ((i64)1<<25)) >> 26; t4 -= c * ((i64)1 << 26); t5 += c; \ - c = (t8 + ((i64)1<<25)) >> 26; t8 -= c * ((i64)1 << 26); t9 += c; \ - c = (t9 + ((i64)1<<24)) >> 25; t9 -= c * ((i64)1 << 25); t0 += c * 19; \ - c = (t0 + ((i64)1<<25)) >> 26; t0 -= c * ((i64)1 << 26); t1 += c; \ - h[0]=(i32)t0; h[1]=(i32)t1; h[2]=(i32)t2; h[3]=(i32)t3; h[4]=(i32)t4; \ - h[5]=(i32)t5; h[6]=(i32)t6; h[7]=(i32)t7; h[8]=(i32)t8; h[9]=(i32)t9 +#define FE_CARRY \ + i64 c; \ + c = (t0 + ((i64)1<<25)) >> 26; t0 -= c * ((i64)1 << 26); t1 += c; \ + c = (t4 + ((i64)1<<25)) >> 26; t4 -= c * ((i64)1 << 26); t5 += c; \ + c = (t1 + ((i64)1<<24)) >> 25; t1 -= c * ((i64)1 << 25); t2 += c; \ + c = (t5 + ((i64)1<<24)) >> 25; t5 -= c * ((i64)1 << 25); t6 += c; \ + c = (t2 + ((i64)1<<25)) >> 26; t2 -= c * ((i64)1 << 26); t3 += c; \ + c = (t6 + ((i64)1<<25)) >> 26; t6 -= c * ((i64)1 << 26); t7 += c; \ + c = (t3 + ((i64)1<<24)) >> 25; t3 -= c * ((i64)1 << 25); t4 += c; \ + c = (t7 + ((i64)1<<24)) >> 25; t7 -= c * ((i64)1 << 25); t8 += c; \ + c = (t4 + ((i64)1<<25)) >> 26; t4 -= c * ((i64)1 << 26); t5 += c; \ + c = (t8 + ((i64)1<<25)) >> 26; t8 -= c * ((i64)1 << 26); t9 += c; \ + c = (t9 + ((i64)1<<24)) >> 25; t9 -= c * ((i64)1 << 25); t0 += c * 19; \ + c = (t0 + ((i64)1<<25)) >> 26; t0 -= c * ((i64)1 << 26); t1 += c; \ + h[0]=(i32)t0; h[1]=(i32)t1; h[2]=(i32)t2; h[3]=(i32)t3; h[4]=(i32)t4; \ + h[5]=(i32)t5; h[6]=(i32)t6; h[7]=(i32)t7; h[8]=(i32)t8; h[9]=(i32)t9 // Decodes a field element from a byte buffer. // mask specifies how many bits we ignore. @@ -1162,23 +1178,23 @@ static void fe_ccopy(fe f, const fe g, int b) // which means ignoring 2 bits instead. static void fe_frombytes_mask(fe h, const u8 s[32], unsigned nb_mask) { - u32 mask = 0xffffff >> nb_mask; - i64 t0 = load32_le(s); // t0 < 2^32 - i64 t1 = load24_le(s + 4) << 6; // t1 < 2^30 - i64 t2 = load24_le(s + 7) << 5; // t2 < 2^29 - i64 t3 = load24_le(s + 10) << 3; // t3 < 2^27 - i64 t4 = load24_le(s + 13) << 2; // t4 < 2^26 - i64 t5 = load32_le(s + 16); // t5 < 2^32 - i64 t6 = load24_le(s + 20) << 7; // t6 < 2^31 - i64 t7 = load24_le(s + 23) << 5; // t7 < 2^29 - i64 t8 = load24_le(s + 26) << 4; // t8 < 2^28 - i64 t9 = (load24_le(s + 29) & mask) << 2; // t9 < 2^25 - FE_CARRY; // Carry precondition OK + u32 mask = 0xffffff >> nb_mask; + i64 t0 = load32_le(s); // t0 < 2^32 + i64 t1 = load24_le(s + 4) << 6; // t1 < 2^30 + i64 t2 = load24_le(s + 7) << 5; // t2 < 2^29 + i64 t3 = load24_le(s + 10) << 3; // t3 < 2^27 + i64 t4 = load24_le(s + 13) << 2; // t4 < 2^26 + i64 t5 = load32_le(s + 16); // t5 < 2^32 + i64 t6 = load24_le(s + 20) << 7; // t6 < 2^31 + i64 t7 = load24_le(s + 23) << 5; // t7 < 2^29 + i64 t8 = load24_le(s + 26) << 4; // t8 < 2^28 + i64 t9 = (load24_le(s + 29) & mask) << 2; // t9 < 2^25 + FE_CARRY; // Carry precondition OK } static void fe_frombytes(fe h, const u8 s[32]) { - fe_frombytes_mask(h, s, 1); + fe_frombytes_mask(h, s, 1); } @@ -1195,39 +1211,39 @@ static void fe_frombytes(fe h, const u8 s[32]) // Or just remove 19 and chop off any excess bit. static void fe_tobytes(u8 s[32], const fe h) { - i32 t[10]; - COPY(t, h, 10); - i32 q = (19 * t[9] + (((i32) 1) << 24)) >> 25; - // |t9| < 1.1 * 2^24 - // -1.1 * 2^24 < t9 < 1.1 * 2^24 - // -21 * 2^24 < 19 * t9 < 21 * 2^24 - // -2^29 < 19 * t9 + 2^24 < 2^29 - // -2^29 / 2^25 < (19 * t9 + 2^24) / 2^25 < 2^29 / 2^25 - // -16 < (19 * t9 + 2^24) / 2^25 < 16 - FOR (i, 0, 5) { - q += t[2*i ]; q >>= 26; // q = 0 or -1 - q += t[2*i+1]; q >>= 25; // q = 0 or -1 - } - // q = 0 iff h >= 0 - // q = -1 iff h < 0 - // Adding q * 19 to h reduces h to its proper range. - q *= 19; // Shift carry back to the beginning - FOR (i, 0, 5) { - t[i*2 ] += q; q = t[i*2 ] >> 26; t[i*2 ] -= q * ((i32)1 << 26); - t[i*2+1] += q; q = t[i*2+1] >> 25; t[i*2+1] -= q * ((i32)1 << 25); - } - // h is now fully reduced, and q represents the excess bit. - - store32_le(s + 0, ((u32)t[0] >> 0) | ((u32)t[1] << 26)); - store32_le(s + 4, ((u32)t[1] >> 6) | ((u32)t[2] << 19)); - store32_le(s + 8, ((u32)t[2] >> 13) | ((u32)t[3] << 13)); - store32_le(s + 12, ((u32)t[3] >> 19) | ((u32)t[4] << 6)); - store32_le(s + 16, ((u32)t[5] >> 0) | ((u32)t[6] << 25)); - store32_le(s + 20, ((u32)t[6] >> 7) | ((u32)t[7] << 19)); - store32_le(s + 24, ((u32)t[7] >> 13) | ((u32)t[8] << 12)); - store32_le(s + 28, ((u32)t[8] >> 20) | ((u32)t[9] << 6)); - - WIPE_BUFFER(t); + i32 t[10]; + COPY(t, h, 10); + i32 q = (19 * t[9] + (((i32) 1) << 24)) >> 25; + // |t9| < 1.1 * 2^24 + // -1.1 * 2^24 < t9 < 1.1 * 2^24 + // -21 * 2^24 < 19 * t9 < 21 * 2^24 + // -2^29 < 19 * t9 + 2^24 < 2^29 + // -2^29 / 2^25 < (19 * t9 + 2^24) / 2^25 < 2^29 / 2^25 + // -16 < (19 * t9 + 2^24) / 2^25 < 16 + FOR (i, 0, 5) { + q += t[2*i ]; q >>= 26; // q = 0 or -1 + q += t[2*i+1]; q >>= 25; // q = 0 or -1 + } + // q = 0 iff h >= 0 + // q = -1 iff h < 0 + // Adding q * 19 to h reduces h to its proper range. + q *= 19; // Shift carry back to the beginning + FOR (i, 0, 5) { + t[i*2 ] += q; q = t[i*2 ] >> 26; t[i*2 ] -= q * ((i32)1 << 26); + t[i*2+1] += q; q = t[i*2+1] >> 25; t[i*2+1] -= q * ((i32)1 << 25); + } + // h is now fully reduced, and q represents the excess bit. + + store32_le(s + 0, ((u32)t[0] >> 0) | ((u32)t[1] << 26)); + store32_le(s + 4, ((u32)t[1] >> 6) | ((u32)t[2] << 19)); + store32_le(s + 8, ((u32)t[2] >> 13) | ((u32)t[3] << 13)); + store32_le(s + 12, ((u32)t[3] >> 19) | ((u32)t[4] << 6)); + store32_le(s + 16, ((u32)t[5] >> 0) | ((u32)t[6] << 25)); + store32_le(s + 20, ((u32)t[6] >> 7) | ((u32)t[7] << 19)); + store32_le(s + 24, ((u32)t[7] >> 13) | ((u32)t[8] << 12)); + store32_le(s + 28, ((u32)t[8] >> 20) | ((u32)t[9] << 6)); + + WIPE_BUFFER(t); } // Precondition @@ -1239,15 +1255,15 @@ static void fe_tobytes(u8 s[32], const fe h) // |g1|, |g3|, |g5|, |g7|, |g9| < 1.65 * 2^25 static void fe_mul_small(fe h, const fe f, i32 g) { - i64 t0 = f[0] * (i64) g; i64 t1 = f[1] * (i64) g; - i64 t2 = f[2] * (i64) g; i64 t3 = f[3] * (i64) g; - i64 t4 = f[4] * (i64) g; i64 t5 = f[5] * (i64) g; - i64 t6 = f[6] * (i64) g; i64 t7 = f[7] * (i64) g; - i64 t8 = f[8] * (i64) g; i64 t9 = f[9] * (i64) g; - // |t0|, |t2|, |t4|, |t6|, |t8| < 1.65 * 2^26 * 2^31 < 2^58 - // |t1|, |t3|, |t5|, |t7|, |t9| < 1.65 * 2^25 * 2^31 < 2^57 + i64 t0 = f[0] * (i64) g; i64 t1 = f[1] * (i64) g; + i64 t2 = f[2] * (i64) g; i64 t3 = f[3] * (i64) g; + i64 t4 = f[4] * (i64) g; i64 t5 = f[5] * (i64) g; + i64 t6 = f[6] * (i64) g; i64 t7 = f[7] * (i64) g; + i64 t8 = f[8] * (i64) g; i64 t9 = f[9] * (i64) g; + // |t0|, |t2|, |t4|, |t6|, |t8| < 1.65 * 2^26 * 2^31 < 2^58 + // |t1|, |t3|, |t5|, |t7|, |t9| < 1.65 * 2^25 * 2^31 < 2^57 - FE_CARRY; // Carry precondition OK + FE_CARRY; // Carry precondition OK } // Precondition @@ -1259,52 +1275,52 @@ static void fe_mul_small(fe h, const fe f, i32 g) // |g1|, |g3|, |g5|, |g7|, |g9| < 1.65 * 2^25 static void fe_mul(fe h, const fe f, const fe g) { - // Everything is unrolled and put in temporary variables. - // We could roll the loop, but that would make curve25519 twice as slow. - i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; - i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; - i32 g0 = g[0]; i32 g1 = g[1]; i32 g2 = g[2]; i32 g3 = g[3]; i32 g4 = g[4]; - i32 g5 = g[5]; i32 g6 = g[6]; i32 g7 = g[7]; i32 g8 = g[8]; i32 g9 = g[9]; - i32 F1 = f1*2; i32 F3 = f3*2; i32 F5 = f5*2; i32 F7 = f7*2; i32 F9 = f9*2; - i32 G1 = g1*19; i32 G2 = g2*19; i32 G3 = g3*19; - i32 G4 = g4*19; i32 G5 = g5*19; i32 G6 = g6*19; - i32 G7 = g7*19; i32 G8 = g8*19; i32 G9 = g9*19; - // |F1|, |F3|, |F5|, |F7|, |F9| < 1.65 * 2^26 - // |G0|, |G2|, |G4|, |G6|, |G8| < 2^31 - // |G1|, |G3|, |G5|, |G7|, |G9| < 2^30 - - i64 t0 = f0*(i64)g0 + F1*(i64)G9 + f2*(i64)G8 + F3*(i64)G7 + f4*(i64)G6 - + F5*(i64)G5 + f6*(i64)G4 + F7*(i64)G3 + f8*(i64)G2 + F9*(i64)G1; - i64 t1 = f0*(i64)g1 + f1*(i64)g0 + f2*(i64)G9 + f3*(i64)G8 + f4*(i64)G7 - + f5*(i64)G6 + f6*(i64)G5 + f7*(i64)G4 + f8*(i64)G3 + f9*(i64)G2; - i64 t2 = f0*(i64)g2 + F1*(i64)g1 + f2*(i64)g0 + F3*(i64)G9 + f4*(i64)G8 - + F5*(i64)G7 + f6*(i64)G6 + F7*(i64)G5 + f8*(i64)G4 + F9*(i64)G3; - i64 t3 = f0*(i64)g3 + f1*(i64)g2 + f2*(i64)g1 + f3*(i64)g0 + f4*(i64)G9 - + f5*(i64)G8 + f6*(i64)G7 + f7*(i64)G6 + f8*(i64)G5 + f9*(i64)G4; - i64 t4 = f0*(i64)g4 + F1*(i64)g3 + f2*(i64)g2 + F3*(i64)g1 + f4*(i64)g0 - + F5*(i64)G9 + f6*(i64)G8 + F7*(i64)G7 + f8*(i64)G6 + F9*(i64)G5; - i64 t5 = f0*(i64)g5 + f1*(i64)g4 + f2*(i64)g3 + f3*(i64)g2 + f4*(i64)g1 - + f5*(i64)g0 + f6*(i64)G9 + f7*(i64)G8 + f8*(i64)G7 + f9*(i64)G6; - i64 t6 = f0*(i64)g6 + F1*(i64)g5 + f2*(i64)g4 + F3*(i64)g3 + f4*(i64)g2 - + F5*(i64)g1 + f6*(i64)g0 + F7*(i64)G9 + f8*(i64)G8 + F9*(i64)G7; - i64 t7 = f0*(i64)g7 + f1*(i64)g6 + f2*(i64)g5 + f3*(i64)g4 + f4*(i64)g3 - + f5*(i64)g2 + f6*(i64)g1 + f7*(i64)g0 + f8*(i64)G9 + f9*(i64)G8; - i64 t8 = f0*(i64)g8 + F1*(i64)g7 + f2*(i64)g6 + F3*(i64)g5 + f4*(i64)g4 - + F5*(i64)g3 + f6*(i64)g2 + F7*(i64)g1 + f8*(i64)g0 + F9*(i64)G9; - i64 t9 = f0*(i64)g9 + f1*(i64)g8 + f2*(i64)g7 + f3*(i64)g6 + f4*(i64)g5 - + f5*(i64)g4 + f6*(i64)g3 + f7*(i64)g2 + f8*(i64)g1 + f9*(i64)g0; - // t0 < 0.67 * 2^61 - // t1 < 0.41 * 2^61 - // t2 < 0.52 * 2^61 - // t3 < 0.32 * 2^61 - // t4 < 0.38 * 2^61 - // t5 < 0.22 * 2^61 - // t6 < 0.23 * 2^61 - // t7 < 0.13 * 2^61 - // t8 < 0.09 * 2^61 - // t9 < 0.03 * 2^61 - - FE_CARRY; // Everything below 2^62, Carry precondition OK + // Everything is unrolled and put in temporary variables. + // We could roll the loop, but that would make curve25519 twice as slow. + i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; + i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; + i32 g0 = g[0]; i32 g1 = g[1]; i32 g2 = g[2]; i32 g3 = g[3]; i32 g4 = g[4]; + i32 g5 = g[5]; i32 g6 = g[6]; i32 g7 = g[7]; i32 g8 = g[8]; i32 g9 = g[9]; + i32 F1 = f1*2; i32 F3 = f3*2; i32 F5 = f5*2; i32 F7 = f7*2; i32 F9 = f9*2; + i32 G1 = g1*19; i32 G2 = g2*19; i32 G3 = g3*19; + i32 G4 = g4*19; i32 G5 = g5*19; i32 G6 = g6*19; + i32 G7 = g7*19; i32 G8 = g8*19; i32 G9 = g9*19; + // |F1|, |F3|, |F5|, |F7|, |F9| < 1.65 * 2^26 + // |G0|, |G2|, |G4|, |G6|, |G8| < 2^31 + // |G1|, |G3|, |G5|, |G7|, |G9| < 2^30 + + i64 t0 = f0*(i64)g0 + F1*(i64)G9 + f2*(i64)G8 + F3*(i64)G7 + f4*(i64)G6 + + F5*(i64)G5 + f6*(i64)G4 + F7*(i64)G3 + f8*(i64)G2 + F9*(i64)G1; + i64 t1 = f0*(i64)g1 + f1*(i64)g0 + f2*(i64)G9 + f3*(i64)G8 + f4*(i64)G7 + + f5*(i64)G6 + f6*(i64)G5 + f7*(i64)G4 + f8*(i64)G3 + f9*(i64)G2; + i64 t2 = f0*(i64)g2 + F1*(i64)g1 + f2*(i64)g0 + F3*(i64)G9 + f4*(i64)G8 + + F5*(i64)G7 + f6*(i64)G6 + F7*(i64)G5 + f8*(i64)G4 + F9*(i64)G3; + i64 t3 = f0*(i64)g3 + f1*(i64)g2 + f2*(i64)g1 + f3*(i64)g0 + f4*(i64)G9 + + f5*(i64)G8 + f6*(i64)G7 + f7*(i64)G6 + f8*(i64)G5 + f9*(i64)G4; + i64 t4 = f0*(i64)g4 + F1*(i64)g3 + f2*(i64)g2 + F3*(i64)g1 + f4*(i64)g0 + + F5*(i64)G9 + f6*(i64)G8 + F7*(i64)G7 + f8*(i64)G6 + F9*(i64)G5; + i64 t5 = f0*(i64)g5 + f1*(i64)g4 + f2*(i64)g3 + f3*(i64)g2 + f4*(i64)g1 + + f5*(i64)g0 + f6*(i64)G9 + f7*(i64)G8 + f8*(i64)G7 + f9*(i64)G6; + i64 t6 = f0*(i64)g6 + F1*(i64)g5 + f2*(i64)g4 + F3*(i64)g3 + f4*(i64)g2 + + F5*(i64)g1 + f6*(i64)g0 + F7*(i64)G9 + f8*(i64)G8 + F9*(i64)G7; + i64 t7 = f0*(i64)g7 + f1*(i64)g6 + f2*(i64)g5 + f3*(i64)g4 + f4*(i64)g3 + + f5*(i64)g2 + f6*(i64)g1 + f7*(i64)g0 + f8*(i64)G9 + f9*(i64)G8; + i64 t8 = f0*(i64)g8 + F1*(i64)g7 + f2*(i64)g6 + F3*(i64)g5 + f4*(i64)g4 + + F5*(i64)g3 + f6*(i64)g2 + F7*(i64)g1 + f8*(i64)g0 + F9*(i64)G9; + i64 t9 = f0*(i64)g9 + f1*(i64)g8 + f2*(i64)g7 + f3*(i64)g6 + f4*(i64)g5 + + f5*(i64)g4 + f6*(i64)g3 + f7*(i64)g2 + f8*(i64)g1 + f9*(i64)g0; + // t0 < 0.67 * 2^61 + // t1 < 0.41 * 2^61 + // t2 < 0.52 * 2^61 + // t3 < 0.32 * 2^61 + // t4 < 0.38 * 2^61 + // t5 < 0.22 * 2^61 + // t6 < 0.23 * 2^61 + // t7 < 0.13 * 2^61 + // t8 < 0.09 * 2^61 + // t9 < 0.03 * 2^61 + + FE_CARRY; // Everything below 2^62, Carry precondition OK } // Precondition @@ -1315,71 +1331,71 @@ static void fe_mul(fe h, const fe f, const fe g) // Note: we could use fe_mul() for this, but this is significantly faster static void fe_sq(fe h, const fe f) { - i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; - i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; - i32 f0_2 = f0*2; i32 f1_2 = f1*2; i32 f2_2 = f2*2; i32 f3_2 = f3*2; - i32 f4_2 = f4*2; i32 f5_2 = f5*2; i32 f6_2 = f6*2; i32 f7_2 = f7*2; - i32 f5_38 = f5*38; i32 f6_19 = f6*19; i32 f7_38 = f7*38; - i32 f8_19 = f8*19; i32 f9_38 = f9*38; - // |f0_2| , |f2_2| , |f4_2| , |f6_2| , |f8_2| < 1.65 * 2^27 - // |f1_2| , |f3_2| , |f5_2| , |f7_2| , |f9_2| < 1.65 * 2^26 - // |f5_38|, |f6_19|, |f7_38|, |f8_19|, |f9_38| < 2^31 - - i64 t0 = f0 *(i64)f0 + f1_2*(i64)f9_38 + f2_2*(i64)f8_19 - + f3_2*(i64)f7_38 + f4_2*(i64)f6_19 + f5 *(i64)f5_38; - i64 t1 = f0_2*(i64)f1 + f2 *(i64)f9_38 + f3_2*(i64)f8_19 - + f4 *(i64)f7_38 + f5_2*(i64)f6_19; - i64 t2 = f0_2*(i64)f2 + f1_2*(i64)f1 + f3_2*(i64)f9_38 - + f4_2*(i64)f8_19 + f5_2*(i64)f7_38 + f6 *(i64)f6_19; - i64 t3 = f0_2*(i64)f3 + f1_2*(i64)f2 + f4 *(i64)f9_38 - + f5_2*(i64)f8_19 + f6 *(i64)f7_38; - i64 t4 = f0_2*(i64)f4 + f1_2*(i64)f3_2 + f2 *(i64)f2 - + f5_2*(i64)f9_38 + f6_2*(i64)f8_19 + f7 *(i64)f7_38; - i64 t5 = f0_2*(i64)f5 + f1_2*(i64)f4 + f2_2*(i64)f3 - + f6 *(i64)f9_38 + f7_2*(i64)f8_19; - i64 t6 = f0_2*(i64)f6 + f1_2*(i64)f5_2 + f2_2*(i64)f4 - + f3_2*(i64)f3 + f7_2*(i64)f9_38 + f8 *(i64)f8_19; - i64 t7 = f0_2*(i64)f7 + f1_2*(i64)f6 + f2_2*(i64)f5 - + f3_2*(i64)f4 + f8 *(i64)f9_38; - i64 t8 = f0_2*(i64)f8 + f1_2*(i64)f7_2 + f2_2*(i64)f6 - + f3_2*(i64)f5_2 + f4 *(i64)f4 + f9 *(i64)f9_38; - i64 t9 = f0_2*(i64)f9 + f1_2*(i64)f8 + f2_2*(i64)f7 - + f3_2*(i64)f6 + f4 *(i64)f5_2; - // t0 < 0.67 * 2^61 - // t1 < 0.41 * 2^61 - // t2 < 0.52 * 2^61 - // t3 < 0.32 * 2^61 - // t4 < 0.38 * 2^61 - // t5 < 0.22 * 2^61 - // t6 < 0.23 * 2^61 - // t7 < 0.13 * 2^61 - // t8 < 0.09 * 2^61 - // t9 < 0.03 * 2^61 - - FE_CARRY; + i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; + i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; + i32 f0_2 = f0*2; i32 f1_2 = f1*2; i32 f2_2 = f2*2; i32 f3_2 = f3*2; + i32 f4_2 = f4*2; i32 f5_2 = f5*2; i32 f6_2 = f6*2; i32 f7_2 = f7*2; + i32 f5_38 = f5*38; i32 f6_19 = f6*19; i32 f7_38 = f7*38; + i32 f8_19 = f8*19; i32 f9_38 = f9*38; + // |f0_2| , |f2_2| , |f4_2| , |f6_2| , |f8_2| < 1.65 * 2^27 + // |f1_2| , |f3_2| , |f5_2| , |f7_2| , |f9_2| < 1.65 * 2^26 + // |f5_38|, |f6_19|, |f7_38|, |f8_19|, |f9_38| < 2^31 + + i64 t0 = f0 *(i64)f0 + f1_2*(i64)f9_38 + f2_2*(i64)f8_19 + + f3_2*(i64)f7_38 + f4_2*(i64)f6_19 + f5 *(i64)f5_38; + i64 t1 = f0_2*(i64)f1 + f2 *(i64)f9_38 + f3_2*(i64)f8_19 + + f4 *(i64)f7_38 + f5_2*(i64)f6_19; + i64 t2 = f0_2*(i64)f2 + f1_2*(i64)f1 + f3_2*(i64)f9_38 + + f4_2*(i64)f8_19 + f5_2*(i64)f7_38 + f6 *(i64)f6_19; + i64 t3 = f0_2*(i64)f3 + f1_2*(i64)f2 + f4 *(i64)f9_38 + + f5_2*(i64)f8_19 + f6 *(i64)f7_38; + i64 t4 = f0_2*(i64)f4 + f1_2*(i64)f3_2 + f2 *(i64)f2 + + f5_2*(i64)f9_38 + f6_2*(i64)f8_19 + f7 *(i64)f7_38; + i64 t5 = f0_2*(i64)f5 + f1_2*(i64)f4 + f2_2*(i64)f3 + + f6 *(i64)f9_38 + f7_2*(i64)f8_19; + i64 t6 = f0_2*(i64)f6 + f1_2*(i64)f5_2 + f2_2*(i64)f4 + + f3_2*(i64)f3 + f7_2*(i64)f9_38 + f8 *(i64)f8_19; + i64 t7 = f0_2*(i64)f7 + f1_2*(i64)f6 + f2_2*(i64)f5 + + f3_2*(i64)f4 + f8 *(i64)f9_38; + i64 t8 = f0_2*(i64)f8 + f1_2*(i64)f7_2 + f2_2*(i64)f6 + + f3_2*(i64)f5_2 + f4 *(i64)f4 + f9 *(i64)f9_38; + i64 t9 = f0_2*(i64)f9 + f1_2*(i64)f8 + f2_2*(i64)f7 + + f3_2*(i64)f6 + f4 *(i64)f5_2; + // t0 < 0.67 * 2^61 + // t1 < 0.41 * 2^61 + // t2 < 0.52 * 2^61 + // t3 < 0.32 * 2^61 + // t4 < 0.38 * 2^61 + // t5 < 0.22 * 2^61 + // t6 < 0.23 * 2^61 + // t7 < 0.13 * 2^61 + // t8 < 0.09 * 2^61 + // t9 < 0.03 * 2^61 + + FE_CARRY; } // Parity check. Returns 0 if even, 1 if odd static int fe_isodd(const fe f) { - u8 s[32]; - fe_tobytes(s, f); - u8 isodd = s[0] & 1; - WIPE_BUFFER(s); - return isodd; + u8 s[32]; + fe_tobytes(s, f); + u8 isodd = s[0] & 1; + WIPE_BUFFER(s); + return isodd; } // Returns 1 if equal, 0 if not equal static int fe_isequal(const fe f, const fe g) { - u8 fs[32]; - u8 gs[32]; - fe_tobytes(fs, f); - fe_tobytes(gs, g); - int isdifferent = crypto_verify32(fs, gs); - WIPE_BUFFER(fs); - WIPE_BUFFER(gs); - return 1 + isdifferent; + u8 fs[32]; + u8 gs[32]; + fe_tobytes(fs, f); + fe_tobytes(gs, g); + int isdifferent = crypto_verify32(fs, gs); + WIPE_BUFFER(fs); + WIPE_BUFFER(gs); + return 1 + isdifferent; } // Inverse square root. @@ -1441,45 +1457,45 @@ static int fe_isequal(const fe f, const fe g) // x^((p-5)/8) * sqrt(-1) = -sqrt(sqrt(-1)/x) or sqrt(sqrt(-1)/x) static int invsqrt(fe isr, const fe x) { - fe t0, t1, t2; - - // t0 = x^((p-5)/8) - // Can be achieved with a simple double & add ladder, - // but it would be slower. - fe_sq(t0, x); - fe_sq(t1,t0); fe_sq(t1, t1); fe_mul(t1, x, t1); - fe_mul(t0, t0, t1); - fe_sq(t0, t0); fe_mul(t0, t1, t0); - fe_sq(t1, t0); FOR (i, 1, 5) fe_sq(t1, t1); fe_mul(t0, t1, t0); - fe_sq(t1, t0); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t1, t1, t0); - fe_sq(t2, t1); FOR (i, 1, 20) fe_sq(t2, t2); fe_mul(t1, t2, t1); - fe_sq(t1, t1); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t0, t1, t0); - fe_sq(t1, t0); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t1, t1, t0); - fe_sq(t2, t1); FOR (i, 1, 100) fe_sq(t2, t2); fe_mul(t1, t2, t1); - fe_sq(t1, t1); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t0, t1, t0); - fe_sq(t0, t0); FOR (i, 1, 2) fe_sq(t0, t0); fe_mul(t0, t0, x); - - // quartic = x^((p-1)/4) - i32 *quartic = t1; - fe_sq (quartic, t0); - fe_mul(quartic, quartic, x); - - i32 *check = t2; - fe_0 (check); int z0 = fe_isequal(x , check); - fe_1 (check); int p1 = fe_isequal(quartic, check); - fe_neg(check, check ); int m1 = fe_isequal(quartic, check); - fe_neg(check, sqrtm1); int ms = fe_isequal(quartic, check); - - // if quartic == -1 or sqrt(-1) - // then isr = x^((p-1)/4) * sqrt(-1) - // else isr = x^((p-1)/4) - fe_mul(isr, t0, sqrtm1); - fe_ccopy(isr, t0, 1 - (m1 | ms)); - - WIPE_BUFFER(t0); - WIPE_BUFFER(t1); - WIPE_BUFFER(t2); - return p1 | m1 | z0; + fe t0, t1, t2; + + // t0 = x^((p-5)/8) + // Can be achieved with a simple double & add ladder, + // but it would be slower. + fe_sq(t0, x); + fe_sq(t1,t0); fe_sq(t1, t1); fe_mul(t1, x, t1); + fe_mul(t0, t0, t1); + fe_sq(t0, t0); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 5) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t1, t1, t0); + fe_sq(t2, t1); FOR (i, 1, 20) fe_sq(t2, t2); fe_mul(t1, t2, t1); + fe_sq(t1, t1); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t1, t1, t0); + fe_sq(t2, t1); FOR (i, 1, 100) fe_sq(t2, t2); fe_mul(t1, t2, t1); + fe_sq(t1, t1); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t0, t0); FOR (i, 1, 2) fe_sq(t0, t0); fe_mul(t0, t0, x); + + // quartic = x^((p-1)/4) + i32 *quartic = t1; + fe_sq (quartic, t0); + fe_mul(quartic, quartic, x); + + i32 *check = t2; + fe_0 (check); int z0 = fe_isequal(x , check); + fe_1 (check); int p1 = fe_isequal(quartic, check); + fe_neg(check, check ); int m1 = fe_isequal(quartic, check); + fe_neg(check, sqrtm1); int ms = fe_isequal(quartic, check); + + // if quartic == -1 or sqrt(-1) + // then isr = x^((p-1)/4) * sqrt(-1) + // else isr = x^((p-1)/4) + fe_mul(isr, t0, sqrtm1); + fe_ccopy(isr, t0, 1 - (m1 | ms)); + + WIPE_BUFFER(t0); + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); + return p1 | m1 | z0; } // Inverse in terms of inverse square root. @@ -1492,27 +1508,27 @@ static int invsqrt(fe isr, const fe x) // multiplications, but it would require more code. static void fe_invert(fe out, const fe x) { - fe tmp; - fe_sq(tmp, x); - invsqrt(tmp, tmp); - fe_sq(tmp, tmp); - fe_mul(out, tmp, x); - WIPE_BUFFER(tmp); + fe tmp; + fe_sq(tmp, x); + invsqrt(tmp, tmp); + fe_sq(tmp, tmp); + fe_mul(out, tmp, x); + WIPE_BUFFER(tmp); } // trim a scalar for scalar multiplication static void trim_scalar(u8 scalar[32]) { - scalar[ 0] &= 248; - scalar[31] &= 127; - scalar[31] |= 64; + scalar[ 0] &= 248; + scalar[31] &= 127; + scalar[31] |= 64; } // get bit from scalar at position i static int scalar_bit(const u8 s[32], int i) { - if (i < 0) { return 0; } // handle -1 for sliding windows - return (s[i>>3] >> (i&7)) & 1; + if (i < 0) { return 0; } // handle -1 for sliding windows + return (s[i>>3] >> (i&7)) & 1; } /////////////// @@ -1521,111 +1537,113 @@ static int scalar_bit(const u8 s[32], int i) static void scalarmult(u8 q[32], const u8 scalar[32], const u8 p[32], int nb_bits) { - // computes the scalar product - fe x1; - fe_frombytes(x1, p); - - // computes the actual scalar product (the result is in x2 and z2) - fe x2, z2, x3, z3, t0, t1; - // Montgomery ladder - // In projective coordinates, to avoid divisions: x = X / Z - // We don't care about the y coordinate, it's only 1 bit of information - fe_1(x2); fe_0(z2); // "zero" point - fe_copy(x3, x1); fe_1(z3); // "one" point - int swap = 0; - for (int pos = nb_bits-1; pos >= 0; --pos) { - // constant time conditional swap before ladder step - int b = scalar_bit(scalar, pos); - swap ^= b; // xor trick avoids swapping at the end of the loop - fe_cswap(x2, x3, swap); - fe_cswap(z2, z3, swap); - swap = b; // anticipates one last swap after the loop - - // Montgomery ladder step: replaces (P2, P3) by (P2*2, P2+P3) - // with differential addition - fe_sub(t0, x3, z3); - fe_sub(t1, x2, z2); - fe_add(x2, x2, z2); - fe_add(z2, x3, z3); - fe_mul(z3, t0, x2); - fe_mul(z2, z2, t1); - fe_sq (t0, t1 ); - fe_sq (t1, x2 ); - fe_add(x3, z3, z2); - fe_sub(z2, z3, z2); - fe_mul(x2, t1, t0); - fe_sub(t1, t1, t0); - fe_sq (z2, z2 ); - fe_mul_small(z3, t1, 121666); - fe_sq (x3, x3 ); - fe_add(t0, t0, z3); - fe_mul(z3, x1, z2); - fe_mul(z2, t1, t0); - } - // last swap is necessary to compensate for the xor trick - // Note: after this swap, P3 == P2 + P1. - fe_cswap(x2, x3, swap); - fe_cswap(z2, z3, swap); - - // normalises the coordinates: x == X / Z - fe_invert(z2, z2); - fe_mul(x2, x2, z2); - fe_tobytes(q, x2); - - WIPE_BUFFER(x1); - WIPE_BUFFER(x2); WIPE_BUFFER(z2); WIPE_BUFFER(t0); - WIPE_BUFFER(x3); WIPE_BUFFER(z3); WIPE_BUFFER(t1); + // computes the scalar product + fe x1; + fe_frombytes(x1, p); + + // computes the actual scalar product (the result is in x2 and z2) + fe x2, z2, x3, z3, t0, t1; + // Montgomery ladder + // In projective coordinates, to avoid divisions: x = X / Z + // We don't care about the y coordinate, it's only 1 bit of information + fe_1(x2); fe_0(z2); // "zero" point + fe_copy(x3, x1); fe_1(z3); // "one" point + int swap = 0; + for (int pos = nb_bits-1; pos >= 0; --pos) { + // constant time conditional swap before ladder step + int b = scalar_bit(scalar, pos); + swap ^= b; // xor trick avoids swapping at the end of the loop + fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + swap = b; // anticipates one last swap after the loop + + // Montgomery ladder step: replaces (P2, P3) by (P2*2, P2+P3) + // with differential addition + fe_sub(t0, x3, z3); + fe_sub(t1, x2, z2); + fe_add(x2, x2, z2); + fe_add(z2, x3, z3); + fe_mul(z3, t0, x2); + fe_mul(z2, z2, t1); + fe_sq (t0, t1 ); + fe_sq (t1, x2 ); + fe_add(x3, z3, z2); + fe_sub(z2, z3, z2); + fe_mul(x2, t1, t0); + fe_sub(t1, t1, t0); + fe_sq (z2, z2 ); + fe_mul_small(z3, t1, 121666); + fe_sq (x3, x3 ); + fe_add(t0, t0, z3); + fe_mul(z3, x1, z2); + fe_mul(z2, t1, t0); + } + // last swap is necessary to compensate for the xor trick + // Note: after this swap, P3 == P2 + P1. + fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + + // normalises the coordinates: x == X / Z + fe_invert(z2, z2); + fe_mul(x2, x2, z2); + fe_tobytes(q, x2); + + WIPE_BUFFER(x1); + WIPE_BUFFER(x2); WIPE_BUFFER(z2); WIPE_BUFFER(t0); + WIPE_BUFFER(x3); WIPE_BUFFER(z3); WIPE_BUFFER(t1); } void crypto_x25519(u8 raw_shared_secret[32], const u8 your_secret_key [32], const u8 their_public_key [32]) { - // restrict the possible scalar values - u8 e[32]; - COPY(e, your_secret_key, 32); - trim_scalar(e); - scalarmult(raw_shared_secret, e, their_public_key, 255); - WIPE_BUFFER(e); + // restrict the possible scalar values + u8 e[32]; + COPY(e, your_secret_key, 32); + trim_scalar(e); + scalarmult(raw_shared_secret, e, their_public_key, 255); + WIPE_BUFFER(e); } void crypto_x25519_public_key(u8 public_key[32], const u8 secret_key[32]) { - static const u8 base_point[32] = {9}; - crypto_x25519(public_key, secret_key, base_point); + static const u8 base_point[32] = {9}; + crypto_x25519(public_key, secret_key, base_point); } /////////////////////////// /// Arithmetic modulo L /// /////////////////////////// -static const u32 L[8] = {0x5cf5d3ed, 0x5812631a, 0xa2f79cd6, 0x14def9de, - 0x00000000, 0x00000000, 0x00000000, 0x10000000,}; +static const u32 L[8] = { + 0x5cf5d3ed, 0x5812631a, 0xa2f79cd6, 0x14def9de, + 0x00000000, 0x00000000, 0x00000000, 0x10000000, +}; // p = a*b + p static void multiply(u32 p[16], const u32 a[8], const u32 b[8]) { - FOR (i, 0, 8) { - u64 carry = 0; - FOR (j, 0, 8) { - carry += p[i+j] + (u64)a[i] * b[j]; - p[i+j] = (u32)carry; - carry >>= 32; - } - p[i+8] = (u32)carry; - } + FOR (i, 0, 8) { + u64 carry = 0; + FOR (j, 0, 8) { + carry += p[i+j] + (u64)a[i] * b[j]; + p[i+j] = (u32)carry; + carry >>= 32; + } + p[i+8] = (u32)carry; + } } static int is_above_l(const u32 x[8]) { - // We work with L directly, in a 2's complement encoding - // (-L == ~L + 1) - u64 carry = 1; - FOR (i, 0, 8) { - carry += (u64)x[i] + (~L[i] & 0xffffffff); - carry >>= 32; - } - return (int)carry; // carry is either 0 or 1 + // We work with L directly, in a 2's complement encoding + // (-L == ~L + 1) + u64 carry = 1; + FOR (i, 0, 8) { + carry += (u64)x[i] + (~L[i] & 0xffffffff); + carry >>= 32; + } + return (int)carry; // carry is either 0 or 1 } // Final reduction modulo L, by conditionally removing L. @@ -1634,77 +1652,79 @@ static int is_above_l(const u32 x[8]) // otherwise the result will be wrong static void remove_l(u32 r[8], const u32 x[8]) { - u64 carry = (u64)is_above_l(x); - u32 mask = ~(u32)carry + 1; // carry == 0 or 1 - FOR (i, 0, 8) { - carry += (u64)x[i] + (~L[i] & mask); - r[i] = (u32)carry; - carry >>= 32; - } + u64 carry = (u64)is_above_l(x); + u32 mask = ~(u32)carry + 1; // carry == 0 or 1 + FOR (i, 0, 8) { + carry += (u64)x[i] + (~L[i] & mask); + r[i] = (u32)carry; + carry >>= 32; + } } // Full reduction modulo L (Barrett reduction) static void mod_l(u8 reduced[32], const u32 x[16]) { - static const u32 r[9] = {0x0a2c131b,0xed9ce5a3,0x086329a7,0x2106215d, - 0xffffffeb,0xffffffff,0xffffffff,0xffffffff,0xf,}; - // xr = x * r - u32 xr[25] = {0}; - FOR (i, 0, 9) { - u64 carry = 0; - FOR (j, 0, 16) { - carry += xr[i+j] + (u64)r[i] * x[j]; - xr[i+j] = (u32)carry; - carry >>= 32; - } - xr[i+16] = (u32)carry; - } - // xr = floor(xr / 2^512) * L - // Since the result is guaranteed to be below 2*L, - // it is enough to only compute the first 256 bits. - // The division is performed by saying xr[i+16]. (16 * 32 = 512) - ZERO(xr, 8); - FOR (i, 0, 8) { - u64 carry = 0; - FOR (j, 0, 8-i) { - carry += xr[i+j] + (u64)xr[i+16] * L[j]; - xr[i+j] = (u32)carry; - carry >>= 32; - } - } - // xr = x - xr - u64 carry = 1; - FOR (i, 0, 8) { - carry += (u64)x[i] + (~xr[i] & 0xffffffff); - xr[i] = (u32)carry; - carry >>= 32; - } - // Final reduction modulo L (conditional subtraction) - remove_l(xr, xr); - store32_le_buf(reduced, xr, 8); - - WIPE_BUFFER(xr); + static const u32 r[9] = { + 0x0a2c131b,0xed9ce5a3,0x086329a7,0x2106215d, + 0xffffffeb,0xffffffff,0xffffffff,0xffffffff,0xf, + }; + // xr = x * r + u32 xr[25] = {0}; + FOR (i, 0, 9) { + u64 carry = 0; + FOR (j, 0, 16) { + carry += xr[i+j] + (u64)r[i] * x[j]; + xr[i+j] = (u32)carry; + carry >>= 32; + } + xr[i+16] = (u32)carry; + } + // xr = floor(xr / 2^512) * L + // Since the result is guaranteed to be below 2*L, + // it is enough to only compute the first 256 bits. + // The division is performed by saying xr[i+16]. (16 * 32 = 512) + ZERO(xr, 8); + FOR (i, 0, 8) { + u64 carry = 0; + FOR (j, 0, 8-i) { + carry += xr[i+j] + (u64)xr[i+16] * L[j]; + xr[i+j] = (u32)carry; + carry >>= 32; + } + } + // xr = x - xr + u64 carry = 1; + FOR (i, 0, 8) { + carry += (u64)x[i] + (~xr[i] & 0xffffffff); + xr[i] = (u32)carry; + carry >>= 32; + } + // Final reduction modulo L (conditional subtraction) + remove_l(xr, xr); + store32_le_buf(reduced, xr, 8); + + WIPE_BUFFER(xr); } static void reduce(u8 r[64]) { - u32 x[16]; - load32_le_buf(x, r, 16); - mod_l(r, x); - WIPE_BUFFER(x); + u32 x[16]; + load32_le_buf(x, r, 16); + mod_l(r, x); + WIPE_BUFFER(x); } // r = (a * b) + c static void mul_add(u8 r[32], const u8 a[32], const u8 b[32], const u8 c[32]) { - u32 A[8]; load32_le_buf(A, a, 8); - u32 B[8]; load32_le_buf(B, b, 8); - u32 p[16]; load32_le_buf(p, c, 8); ZERO(p + 8, 8); - multiply(p, A, B); - mod_l(r, p); - WIPE_BUFFER(p); - WIPE_BUFFER(A); - WIPE_BUFFER(B); + u32 A[8]; load32_le_buf(A, a, 8); + u32 B[8]; load32_le_buf(B, b, 8); + u32 p[16]; load32_le_buf(p, c, 8); ZERO(p + 8, 8); + multiply(p, A, B); + mod_l(r, p); + WIPE_BUFFER(p); + WIPE_BUFFER(A); + WIPE_BUFFER(B); } /////////////// @@ -1722,24 +1742,24 @@ typedef struct { fe Yp; fe Ym; fe T2; } ge_precomp; static void ge_zero(ge *p) { - fe_0(p->X); - fe_1(p->Y); - fe_1(p->Z); - fe_0(p->T); + fe_0(p->X); + fe_1(p->Y); + fe_1(p->Z); + fe_0(p->T); } static void ge_tobytes(u8 s[32], const ge *h) { - fe recip, x, y; - fe_invert(recip, h->Z); - fe_mul(x, h->X, recip); - fe_mul(y, h->Y, recip); - fe_tobytes(s, y); - s[31] ^= fe_isodd(x) << 7; + fe recip, x, y; + fe_invert(recip, h->Z); + fe_mul(x, h->X, recip); + fe_mul(y, h->Y, recip); + fe_tobytes(s, y); + s[31] ^= fe_isodd(x) << 7; - WIPE_BUFFER(recip); - WIPE_BUFFER(x); - WIPE_BUFFER(y); + WIPE_BUFFER(recip); + WIPE_BUFFER(x); + WIPE_BUFFER(y); } // h = -s, where s is a point encoded in 32 bytes @@ -1771,223 +1791,224 @@ static void ge_tobytes(u8 s[32], const ge *h) // Finally, negate x if its sign is not as specified. static int ge_frombytes_neg_vartime(ge *h, const u8 s[32]) { - fe_frombytes(h->Y, s); - fe_1(h->Z); - fe_sq (h->T, h->Y); // t = y^2 - fe_mul(h->X, h->T, d ); // x = d*y^2 - fe_sub(h->T, h->T, h->Z); // t = y^2 - 1 - fe_add(h->X, h->X, h->Z); // x = d*y^2 + 1 - fe_mul(h->X, h->T, h->X); // x = (y^2 - 1) * (d*y^2 + 1) - int is_square = invsqrt(h->X, h->X); - if (!is_square) { - return -1; // Not on the curve, abort - } - fe_mul(h->X, h->T, h->X); // x = sqrt((y^2 - 1) / (d*y^2 + 1)) - if (fe_isodd(h->X) == (s[31] >> 7)) { - fe_neg(h->X, h->X); - } - fe_mul(h->T, h->X, h->Y); - return 0; + fe_frombytes(h->Y, s); + fe_1(h->Z); + fe_sq (h->T, h->Y); // t = y^2 + fe_mul(h->X, h->T, d ); // x = d*y^2 + fe_sub(h->T, h->T, h->Z); // t = y^2 - 1 + fe_add(h->X, h->X, h->Z); // x = d*y^2 + 1 + fe_mul(h->X, h->T, h->X); // x = (y^2 - 1) * (d*y^2 + 1) + int is_square = invsqrt(h->X, h->X); + if (!is_square) { + return -1; // Not on the curve, abort + } + fe_mul(h->X, h->T, h->X); // x = sqrt((y^2 - 1) / (d*y^2 + 1)) + if (fe_isodd(h->X) == (s[31] >> 7)) { + fe_neg(h->X, h->X); + } + fe_mul(h->T, h->X, h->Y); + return 0; } static void ge_cache(ge_cached *c, const ge *p) { - fe_add (c->Yp, p->Y, p->X); - fe_sub (c->Ym, p->Y, p->X); - fe_copy(c->Z , p->Z ); - fe_mul (c->T2, p->T, D2 ); + fe_add (c->Yp, p->Y, p->X); + fe_sub (c->Ym, p->Y, p->X); + fe_copy(c->Z , p->Z ); + fe_mul (c->T2, p->T, D2 ); } // Internal buffers are not wiped! Inputs must not be secret! // => Use only to *check* signatures. static void ge_add(ge *s, const ge *p, const ge_cached *q) { - fe a, b; - fe_add(a , p->Y, p->X ); - fe_sub(b , p->Y, p->X ); - fe_mul(a , a , q->Yp); - fe_mul(b , b , q->Ym); - fe_add(s->Y, a , b ); - fe_sub(s->X, a , b ); + fe a, b; + fe_add(a , p->Y, p->X ); + fe_sub(b , p->Y, p->X ); + fe_mul(a , a , q->Yp); + fe_mul(b , b , q->Ym); + fe_add(s->Y, a , b ); + fe_sub(s->X, a , b ); - fe_add(s->Z, p->Z, p->Z ); - fe_mul(s->Z, s->Z, q->Z ); - fe_mul(s->T, p->T, q->T2); - fe_add(a , s->Z, s->T ); - fe_sub(b , s->Z, s->T ); + fe_add(s->Z, p->Z, p->Z ); + fe_mul(s->Z, s->Z, q->Z ); + fe_mul(s->T, p->T, q->T2); + fe_add(a , s->Z, s->T ); + fe_sub(b , s->Z, s->T ); - fe_mul(s->T, s->X, s->Y); - fe_mul(s->X, s->X, b ); - fe_mul(s->Y, s->Y, a ); - fe_mul(s->Z, a , b ); + fe_mul(s->T, s->X, s->Y); + fe_mul(s->X, s->X, b ); + fe_mul(s->Y, s->Y, a ); + fe_mul(s->Z, a , b ); } // Internal buffers are not wiped! Inputs must not be secret! // => Use only to *check* signatures. static void ge_sub(ge *s, const ge *p, const ge_cached *q) { - ge_cached neg; - fe_copy(neg.Ym, q->Yp); - fe_copy(neg.Yp, q->Ym); - fe_copy(neg.Z , q->Z ); - fe_neg (neg.T2, q->T2); - ge_add(s, p, &neg); + ge_cached neg; + fe_copy(neg.Ym, q->Yp); + fe_copy(neg.Yp, q->Ym); + fe_copy(neg.Z , q->Z ); + fe_neg (neg.T2, q->T2); + ge_add(s, p, &neg); } static void ge_madd(ge *s, const ge *p, const ge_precomp *q, fe a, fe b) { - fe_add(a , p->Y, p->X ); - fe_sub(b , p->Y, p->X ); - fe_mul(a , a , q->Yp); - fe_mul(b , b , q->Ym); - fe_add(s->Y, a , b ); - fe_sub(s->X, a , b ); + fe_add(a , p->Y, p->X ); + fe_sub(b , p->Y, p->X ); + fe_mul(a , a , q->Yp); + fe_mul(b , b , q->Ym); + fe_add(s->Y, a , b ); + fe_sub(s->X, a , b ); - fe_add(s->Z, p->Z, p->Z ); - fe_mul(s->T, p->T, q->T2); - fe_add(a , s->Z, s->T ); - fe_sub(b , s->Z, s->T ); + fe_add(s->Z, p->Z, p->Z ); + fe_mul(s->T, p->T, q->T2); + fe_add(a , s->Z, s->T ); + fe_sub(b , s->Z, s->T ); - fe_mul(s->T, s->X, s->Y); - fe_mul(s->X, s->X, b ); - fe_mul(s->Y, s->Y, a ); - fe_mul(s->Z, a , b ); + fe_mul(s->T, s->X, s->Y); + fe_mul(s->X, s->X, b ); + fe_mul(s->Y, s->Y, a ); + fe_mul(s->Z, a , b ); } // Internal buffers are not wiped! Inputs must not be secret! // => Use only to *check* signatures. static void ge_msub(ge *s, const ge *p, const ge_precomp *q, fe a, fe b) { - ge_precomp neg; - fe_copy(neg.Ym, q->Yp); - fe_copy(neg.Yp, q->Ym); - fe_neg (neg.T2, q->T2); - ge_madd(s, p, &neg, a, b); + ge_precomp neg; + fe_copy(neg.Ym, q->Yp); + fe_copy(neg.Yp, q->Ym); + fe_neg (neg.T2, q->T2); + ge_madd(s, p, &neg, a, b); } static void ge_double(ge *s, const ge *p, ge *q) { - fe_sq (q->X, p->X); - fe_sq (q->Y, p->Y); - fe_sq (q->Z, p->Z); // qZ = pZ^2 - fe_mul_small(q->Z, q->Z, 2); // qZ = pZ^2 * 2 - fe_add(q->T, p->X, p->Y); - fe_sq (s->T, q->T); - fe_add(q->T, q->Y, q->X); - fe_sub(q->Y, q->Y, q->X); - fe_sub(q->X, s->T, q->T); - fe_sub(q->Z, q->Z, q->Y); + fe_sq (q->X, p->X); + fe_sq (q->Y, p->Y); + fe_sq (q->Z, p->Z); // qZ = pZ^2 + fe_mul_small(q->Z, q->Z, 2); // qZ = pZ^2 * 2 + fe_add(q->T, p->X, p->Y); + fe_sq (s->T, q->T); + fe_add(q->T, q->Y, q->X); + fe_sub(q->Y, q->Y, q->X); + fe_sub(q->X, s->T, q->T); + fe_sub(q->Z, q->Z, q->Y); - fe_mul(s->X, q->X , q->Z); - fe_mul(s->Y, q->T , q->Y); - fe_mul(s->Z, q->Y , q->Z); - fe_mul(s->T, q->X , q->T); + fe_mul(s->X, q->X , q->Z); + fe_mul(s->Y, q->T , q->Y); + fe_mul(s->Z, q->Y , q->Z); + fe_mul(s->T, q->X , q->T); } // 5-bit signed window in cached format (Niels coordinates, Z=1) static const ge_precomp b_window[8] = { - {{25967493,-14356035,29566456,3660896,-12694345, - 4014787,27544626,-11754271,-6079156,2047605,}, - {-12545711,934262,-2722910,3049990,-727428, - 9406986,12720692,5043384,19500929,-15469378,}, - {-8738181,4489570,9688441,-14785194,10184609, - -12363380,29287919,11864899,-24514362,-4438546,},}, - {{15636291,-9688557,24204773,-7912398,616977, - -16685262,27787600,-14772189,28944400,-1550024,}, - {16568933,4717097,-11556148,-1102322,15682896, - -11807043,16354577,-11775962,7689662,11199574,}, - {30464156,-5976125,-11779434,-15670865,23220365, - 15915852,7512774,10017326,-17749093,-9920357,},}, - {{10861363,11473154,27284546,1981175,-30064349, - 12577861,32867885,14515107,-15438304,10819380,}, - {4708026,6336745,20377586,9066809,-11272109, - 6594696,-25653668,12483688,-12668491,5581306,}, - {19563160,16186464,-29386857,4097519,10237984, - -4348115,28542350,13850243,-23678021,-15815942,},}, - {{5153746,9909285,1723747,-2777874,30523605, - 5516873,19480852,5230134,-23952439,-15175766,}, - {-30269007,-3463509,7665486,10083793,28475525, - 1649722,20654025,16520125,30598449,7715701,}, - {28881845,14381568,9657904,3680757,-20181635, - 7843316,-31400660,1370708,29794553,-1409300,},}, - {{-22518993,-6692182,14201702,-8745502,-23510406, - 8844726,18474211,-1361450,-13062696,13821877,}, - {-6455177,-7839871,3374702,-4740862,-27098617, - -10571707,31655028,-7212327,18853322,-14220951,}, - {4566830,-12963868,-28974889,-12240689,-7602672, - -2830569,-8514358,-10431137,2207753,-3209784,},}, - {{-25154831,-4185821,29681144,7868801,-6854661, - -9423865,-12437364,-663000,-31111463,-16132436,}, - {25576264,-2703214,7349804,-11814844,16472782, - 9300885,3844789,15725684,171356,6466918,}, - {23103977,13316479,9739013,-16149481,817875, - -15038942,8965339,-14088058,-30714912,16193877,},}, - {{-33521811,3180713,-2394130,14003687,-16903474, - -16270840,17238398,4729455,-18074513,9256800,}, - {-25182317,-4174131,32336398,5036987,-21236817, - 11360617,22616405,9761698,-19827198,630305,}, - {-13720693,2639453,-24237460,-7406481,9494427, - -5774029,-6554551,-15960994,-2449256,-14291300,},}, - {{-3151181,-5046075,9282714,6866145,-31907062, - -863023,-18940575,15033784,25105118,-7894876,}, - {-24326370,15950226,-31801215,-14592823,-11662737, - -5090925,1573892,-2625887,2198790,-15804619,}, - {-3099351,10324967,-2241613,7453183,-5446979, - -2735503,-13812022,-16236442,-32461234,-12290683,},}, + {{25967493,-14356035,29566456,3660896,-12694345, + 4014787,27544626,-11754271,-6079156,2047605,}, + {-12545711,934262,-2722910,3049990,-727428, + 9406986,12720692,5043384,19500929,-15469378,}, + {-8738181,4489570,9688441,-14785194,10184609, + -12363380,29287919,11864899,-24514362,-4438546,},}, + {{15636291,-9688557,24204773,-7912398,616977, + -16685262,27787600,-14772189,28944400,-1550024,}, + {16568933,4717097,-11556148,-1102322,15682896, + -11807043,16354577,-11775962,7689662,11199574,}, + {30464156,-5976125,-11779434,-15670865,23220365, + 15915852,7512774,10017326,-17749093,-9920357,},}, + {{10861363,11473154,27284546,1981175,-30064349, + 12577861,32867885,14515107,-15438304,10819380,}, + {4708026,6336745,20377586,9066809,-11272109, + 6594696,-25653668,12483688,-12668491,5581306,}, + {19563160,16186464,-29386857,4097519,10237984, + -4348115,28542350,13850243,-23678021,-15815942,},}, + {{5153746,9909285,1723747,-2777874,30523605, + 5516873,19480852,5230134,-23952439,-15175766,}, + {-30269007,-3463509,7665486,10083793,28475525, + 1649722,20654025,16520125,30598449,7715701,}, + {28881845,14381568,9657904,3680757,-20181635, + 7843316,-31400660,1370708,29794553,-1409300,},}, + {{-22518993,-6692182,14201702,-8745502,-23510406, + 8844726,18474211,-1361450,-13062696,13821877,}, + {-6455177,-7839871,3374702,-4740862,-27098617, + -10571707,31655028,-7212327,18853322,-14220951,}, + {4566830,-12963868,-28974889,-12240689,-7602672, + -2830569,-8514358,-10431137,2207753,-3209784,},}, + {{-25154831,-4185821,29681144,7868801,-6854661, + -9423865,-12437364,-663000,-31111463,-16132436,}, + {25576264,-2703214,7349804,-11814844,16472782, + 9300885,3844789,15725684,171356,6466918,}, + {23103977,13316479,9739013,-16149481,817875, + -15038942,8965339,-14088058,-30714912,16193877,},}, + {{-33521811,3180713,-2394130,14003687,-16903474, + -16270840,17238398,4729455,-18074513,9256800,}, + {-25182317,-4174131,32336398,5036987,-21236817, + 11360617,22616405,9761698,-19827198,630305,}, + {-13720693,2639453,-24237460,-7406481,9494427, + -5774029,-6554551,-15960994,-2449256,-14291300,},}, + {{-3151181,-5046075,9282714,6866145,-31907062, + -863023,-18940575,15033784,25105118,-7894876,}, + {-24326370,15950226,-31801215,-14592823,-11662737, + -5090925,1573892,-2625887,2198790,-15804619,}, + {-3099351,10324967,-2241613,7453183,-5446979, + -2735503,-13812022,-16236442,-32461234,-12290683,},}, }; // Incremental sliding windows (left to right) // Based on Roberto Maria Avanzi[2005] typedef struct { - i16 next_index; // position of the next signed digit - i8 next_digit; // next signed digit (odd number below 2^window_width) - u8 next_check; // point at which we must check for a new window + i16 next_index; // position of the next signed digit + i8 next_digit; // next signed digit (odd number below 2^window_width) + u8 next_check; // point at which we must check for a new window } slide_ctx; static void slide_init(slide_ctx *ctx, const u8 scalar[32]) { - // scalar is guaranteed to be below L, either because we checked (s), - // or because we reduced it modulo L (h_ram). L is under 2^253, so - // so bits 253 to 255 are guaranteed to be zero. No need to test them. - // - // Note however that L is very close to 2^252, so bit 252 is almost - // always zero. If we were to start at bit 251, the tests wouldn't - // catch the off-by-one error (constructing one that does would be - // prohibitively expensive). - // - // We should still check bit 252, though. - int i = 252; - while (i > 0 && scalar_bit(scalar, i) == 0) { - i--; - } - ctx->next_check = (u8)(i + 1); - ctx->next_index = -1; - ctx->next_digit = -1; + // scalar is guaranteed to be below L, either because we checked (s), + // or because we reduced it modulo L (h_ram). L is under 2^253, so + // so bits 253 to 255 are guaranteed to be zero. No need to test them. + // + // Note however that L is very close to 2^252, so bit 252 is almost + // always zero. If we were to start at bit 251, the tests wouldn't + // catch the off-by-one error (constructing one that does would be + // prohibitively expensive). + // + // We should still check bit 252, though. + int i = 252; + while (i > 0 && scalar_bit(scalar, i) == 0) { + i--; + } + ctx->next_check = (u8)(i + 1); + ctx->next_index = -1; + ctx->next_digit = -1; } static int slide_step(slide_ctx *ctx, int width, int i, const u8 scalar[32]) { - if (i == ctx->next_check) { - if (scalar_bit(scalar, i) == scalar_bit(scalar, i - 1)) { - ctx->next_check--; - } else { - // compute digit of next window - int w = MIN(width, i + 1); - int v = -(scalar_bit(scalar, i) << (w-1)); - FOR_T (int, j, 0, w-1) { - v += scalar_bit(scalar, i-(w-1)+j) << j; - } - v += scalar_bit(scalar, i-w); - int lsb = v & (~v + 1); // smallest bit of v - int s = ( ((lsb & 0xAA) != 0) // log2(lsb) - | (((lsb & 0xCC) != 0) << 1) - | (((lsb & 0xF0) != 0) << 2)); - ctx->next_index = (i16)(i-(w-1)+s); - ctx->next_digit = (i8) (v >> s ); - ctx->next_check -= (u8) w; - } - } - return i == ctx->next_index ? ctx->next_digit: 0; + if (i == ctx->next_check) { + if (scalar_bit(scalar, i) == scalar_bit(scalar, i - 1)) { + ctx->next_check--; + } else { + // compute digit of next window + int w = MIN(width, i + 1); + int v = -(scalar_bit(scalar, i) << (w-1)); + FOR_T (int, j, 0, w-1) { + v += scalar_bit(scalar, i-(w-1)+j) << j; + } + v += scalar_bit(scalar, i-w); + int lsb = v & (~v + 1); // smallest bit of v + int s = // log2(lsb) + (((lsb & 0xAA) != 0) << 0) | + (((lsb & 0xCC) != 0) << 1) | + (((lsb & 0xF0) != 0) << 2); + ctx->next_index = (i16)(i-(w-1)+s); + ctx->next_digit = (i8) (v >> s ); + ctx->next_check -= (u8) w; + } + } + return i == ctx->next_index ? ctx->next_digit: 0; } #define P_W_WIDTH 3 // Affects the size of the stack @@ -2000,227 +2021,229 @@ static int slide_step(slide_ctx *ctx, int width, int i, const u8 scalar[32]) // => Use only to *check* signatures. static void ge_double_scalarmult_vartime(ge *P, const u8 p[32], const u8 b[32]) { - // cache P window for addition - ge_cached cP[P_W_SIZE]; - { - ge P2, tmp; - ge_double(&P2, P, &tmp); - ge_cache(&cP[0], P); - FOR (i, 1, P_W_SIZE) { - ge_add(&tmp, &P2, &cP[i-1]); - ge_cache(&cP[i], &tmp); - } - } - - // Merged double and add ladder, fused with sliding - slide_ctx p_slide; slide_init(&p_slide, p); - slide_ctx b_slide; slide_init(&b_slide, b); - int i = MAX(p_slide.next_check, b_slide.next_check); - ge *sum = P; - ge_zero(sum); - while (i >= 0) { - ge tmp; - ge_double(sum, sum, &tmp); - int p_digit = slide_step(&p_slide, P_W_WIDTH, i, p); - int b_digit = slide_step(&b_slide, B_W_WIDTH, i, b); - if (p_digit > 0) { ge_add(sum, sum, &cP[ p_digit / 2]); } - if (p_digit < 0) { ge_sub(sum, sum, &cP[-p_digit / 2]); } - fe t1, t2; - if (b_digit > 0) { ge_madd(sum, sum, b_window + b_digit/2, t1, t2); } - if (b_digit < 0) { ge_msub(sum, sum, b_window + -b_digit/2, t1, t2); } - i--; - } + // cache P window for addition + ge_cached cP[P_W_SIZE]; + { + ge P2, tmp; + ge_double(&P2, P, &tmp); + ge_cache(&cP[0], P); + FOR (i, 1, P_W_SIZE) { + ge_add(&tmp, &P2, &cP[i-1]); + ge_cache(&cP[i], &tmp); + } + } + + // Merged double and add ladder, fused with sliding + slide_ctx p_slide; slide_init(&p_slide, p); + slide_ctx b_slide; slide_init(&b_slide, b); + int i = MAX(p_slide.next_check, b_slide.next_check); + ge *sum = P; + ge_zero(sum); + while (i >= 0) { + ge tmp; + ge_double(sum, sum, &tmp); + int p_digit = slide_step(&p_slide, P_W_WIDTH, i, p); + int b_digit = slide_step(&b_slide, B_W_WIDTH, i, b); + if (p_digit > 0) { ge_add(sum, sum, &cP[ p_digit / 2]); } + if (p_digit < 0) { ge_sub(sum, sum, &cP[-p_digit / 2]); } + fe t1, t2; + if (b_digit > 0) { ge_madd(sum, sum, b_window + b_digit/2, t1, t2); } + if (b_digit < 0) { ge_msub(sum, sum, b_window + -b_digit/2, t1, t2); } + i--; + } } // 5-bit signed comb in cached format (Niels coordinates, Z=1) static const ge_precomp b_comb_low[8] = { - {{-6816601,-2324159,-22559413,124364,18015490, - 8373481,19993724,1979872,-18549925,9085059,}, - {10306321,403248,14839893,9633706,8463310, - -8354981,-14305673,14668847,26301366,2818560,}, - {-22701500,-3210264,-13831292,-2927732,-16326337, - -14016360,12940910,177905,12165515,-2397893,},}, - {{-12282262,-7022066,9920413,-3064358,-32147467, - 2927790,22392436,-14852487,2719975,16402117,}, - {-7236961,-4729776,2685954,-6525055,-24242706, - -15940211,-6238521,14082855,10047669,12228189,}, - {-30495588,-12893761,-11161261,3539405,-11502464, - 16491580,-27286798,-15030530,-7272871,-15934455,},}, - {{17650926,582297,-860412,-187745,-12072900, - -10683391,-20352381,15557840,-31072141,-5019061,}, - {-6283632,-2259834,-4674247,-4598977,-4089240, - 12435688,-31278303,1060251,6256175,10480726,}, - {-13871026,2026300,-21928428,-2741605,-2406664, - -8034988,7355518,15733500,-23379862,7489131,},}, - {{6883359,695140,23196907,9644202,-33430614, - 11354760,-20134606,6388313,-8263585,-8491918,}, - {-7716174,-13605463,-13646110,14757414,-19430591, - -14967316,10359532,-11059670,-21935259,12082603,}, - {-11253345,-15943946,10046784,5414629,24840771, - 8086951,-6694742,9868723,15842692,-16224787,},}, - {{9639399,11810955,-24007778,-9320054,3912937, - -9856959,996125,-8727907,-8919186,-14097242,}, - {7248867,14468564,25228636,-8795035,14346339, - 8224790,6388427,-7181107,6468218,-8720783,}, - {15513115,15439095,7342322,-10157390,18005294, - -7265713,2186239,4884640,10826567,7135781,},}, - {{-14204238,5297536,-5862318,-6004934,28095835, - 4236101,-14203318,1958636,-16816875,3837147,}, - {-5511166,-13176782,-29588215,12339465,15325758, - -15945770,-8813185,11075932,-19608050,-3776283,}, - {11728032,9603156,-4637821,-5304487,-7827751, - 2724948,31236191,-16760175,-7268616,14799772,},}, - {{-28842672,4840636,-12047946,-9101456,-1445464, - 381905,-30977094,-16523389,1290540,12798615,}, - {27246947,-10320914,14792098,-14518944,5302070, - -8746152,-3403974,-4149637,-27061213,10749585,}, - {25572375,-6270368,-15353037,16037944,1146292, - 32198,23487090,9585613,24714571,-1418265,},}, - {{19844825,282124,-17583147,11004019,-32004269, - -2716035,6105106,-1711007,-21010044,14338445,}, - {8027505,8191102,-18504907,-12335737,25173494, - -5923905,15446145,7483684,-30440441,10009108,}, - {-14134701,-4174411,10246585,-14677495,33553567, - -14012935,23366126,15080531,-7969992,7663473,},}, + {{-6816601,-2324159,-22559413,124364,18015490, + 8373481,19993724,1979872,-18549925,9085059,}, + {10306321,403248,14839893,9633706,8463310, + -8354981,-14305673,14668847,26301366,2818560,}, + {-22701500,-3210264,-13831292,-2927732,-16326337, + -14016360,12940910,177905,12165515,-2397893,},}, + {{-12282262,-7022066,9920413,-3064358,-32147467, + 2927790,22392436,-14852487,2719975,16402117,}, + {-7236961,-4729776,2685954,-6525055,-24242706, + -15940211,-6238521,14082855,10047669,12228189,}, + {-30495588,-12893761,-11161261,3539405,-11502464, + 16491580,-27286798,-15030530,-7272871,-15934455,},}, + {{17650926,582297,-860412,-187745,-12072900, + -10683391,-20352381,15557840,-31072141,-5019061,}, + {-6283632,-2259834,-4674247,-4598977,-4089240, + 12435688,-31278303,1060251,6256175,10480726,}, + {-13871026,2026300,-21928428,-2741605,-2406664, + -8034988,7355518,15733500,-23379862,7489131,},}, + {{6883359,695140,23196907,9644202,-33430614, + 11354760,-20134606,6388313,-8263585,-8491918,}, + {-7716174,-13605463,-13646110,14757414,-19430591, + -14967316,10359532,-11059670,-21935259,12082603,}, + {-11253345,-15943946,10046784,5414629,24840771, + 8086951,-6694742,9868723,15842692,-16224787,},}, + {{9639399,11810955,-24007778,-9320054,3912937, + -9856959,996125,-8727907,-8919186,-14097242,}, + {7248867,14468564,25228636,-8795035,14346339, + 8224790,6388427,-7181107,6468218,-8720783,}, + {15513115,15439095,7342322,-10157390,18005294, + -7265713,2186239,4884640,10826567,7135781,},}, + {{-14204238,5297536,-5862318,-6004934,28095835, + 4236101,-14203318,1958636,-16816875,3837147,}, + {-5511166,-13176782,-29588215,12339465,15325758, + -15945770,-8813185,11075932,-19608050,-3776283,}, + {11728032,9603156,-4637821,-5304487,-7827751, + 2724948,31236191,-16760175,-7268616,14799772,},}, + {{-28842672,4840636,-12047946,-9101456,-1445464, + 381905,-30977094,-16523389,1290540,12798615,}, + {27246947,-10320914,14792098,-14518944,5302070, + -8746152,-3403974,-4149637,-27061213,10749585,}, + {25572375,-6270368,-15353037,16037944,1146292, + 32198,23487090,9585613,24714571,-1418265,},}, + {{19844825,282124,-17583147,11004019,-32004269, + -2716035,6105106,-1711007,-21010044,14338445,}, + {8027505,8191102,-18504907,-12335737,25173494, + -5923905,15446145,7483684,-30440441,10009108,}, + {-14134701,-4174411,10246585,-14677495,33553567, + -14012935,23366126,15080531,-7969992,7663473,},}, }; static const ge_precomp b_comb_high[8] = { - {{33055887,-4431773,-521787,6654165,951411, - -6266464,-5158124,6995613,-5397442,-6985227,}, - {4014062,6967095,-11977872,3960002,8001989, - 5130302,-2154812,-1899602,-31954493,-16173976,}, - {16271757,-9212948,23792794,731486,-25808309, - -3546396,6964344,-4767590,10976593,10050757,},}, - {{2533007,-4288439,-24467768,-12387405,-13450051, - 14542280,12876301,13893535,15067764,8594792,}, - {20073501,-11623621,3165391,-13119866,13188608, - -11540496,-10751437,-13482671,29588810,2197295,}, - {-1084082,11831693,6031797,14062724,14748428, - -8159962,-20721760,11742548,31368706,13161200,},}, - {{2050412,-6457589,15321215,5273360,25484180, - 124590,-18187548,-7097255,-6691621,-14604792,}, - {9938196,2162889,-6158074,-1711248,4278932, - -2598531,-22865792,-7168500,-24323168,11746309,}, - {-22691768,-14268164,5965485,9383325,20443693, - 5854192,28250679,-1381811,-10837134,13717818,},}, - {{-8495530,16382250,9548884,-4971523,-4491811, - -3902147,6182256,-12832479,26628081,10395408,}, - {27329048,-15853735,7715764,8717446,-9215518, - -14633480,28982250,-5668414,4227628,242148,}, - {-13279943,-7986904,-7100016,8764468,-27276630, - 3096719,29678419,-9141299,3906709,11265498,},}, - {{11918285,15686328,-17757323,-11217300,-27548967, - 4853165,-27168827,6807359,6871949,-1075745,}, - {-29002610,13984323,-27111812,-2713442,28107359, - -13266203,6155126,15104658,3538727,-7513788,}, - {14103158,11233913,-33165269,9279850,31014152, - 4335090,-1827936,4590951,13960841,12787712,},}, - {{1469134,-16738009,33411928,13942824,8092558, - -8778224,-11165065,1437842,22521552,-2792954,}, - {31352705,-4807352,-25327300,3962447,12541566, - -9399651,-27425693,7964818,-23829869,5541287,}, - {-25732021,-6864887,23848984,3039395,-9147354, - 6022816,-27421653,10590137,25309915,-1584678,},}, - {{-22951376,5048948,31139401,-190316,-19542447, - -626310,-17486305,-16511925,-18851313,-12985140,}, - {-9684890,14681754,30487568,7717771,-10829709, - 9630497,30290549,-10531496,-27798994,-13812825,}, - {5827835,16097107,-24501327,12094619,7413972, - 11447087,28057551,-1793987,-14056981,4359312,},}, - {{26323183,2342588,-21887793,-1623758,-6062284, - 2107090,-28724907,9036464,-19618351,-13055189,}, - {-29697200,14829398,-4596333,14220089,-30022969, - 2955645,12094100,-13693652,-5941445,7047569,}, - {-3201977,14413268,-12058324,-16417589,-9035655, - -7224648,9258160,1399236,30397584,-5684634,},}, + {{33055887,-4431773,-521787,6654165,951411, + -6266464,-5158124,6995613,-5397442,-6985227,}, + {4014062,6967095,-11977872,3960002,8001989, + 5130302,-2154812,-1899602,-31954493,-16173976,}, + {16271757,-9212948,23792794,731486,-25808309, + -3546396,6964344,-4767590,10976593,10050757,},}, + {{2533007,-4288439,-24467768,-12387405,-13450051, + 14542280,12876301,13893535,15067764,8594792,}, + {20073501,-11623621,3165391,-13119866,13188608, + -11540496,-10751437,-13482671,29588810,2197295,}, + {-1084082,11831693,6031797,14062724,14748428, + -8159962,-20721760,11742548,31368706,13161200,},}, + {{2050412,-6457589,15321215,5273360,25484180, + 124590,-18187548,-7097255,-6691621,-14604792,}, + {9938196,2162889,-6158074,-1711248,4278932, + -2598531,-22865792,-7168500,-24323168,11746309,}, + {-22691768,-14268164,5965485,9383325,20443693, + 5854192,28250679,-1381811,-10837134,13717818,},}, + {{-8495530,16382250,9548884,-4971523,-4491811, + -3902147,6182256,-12832479,26628081,10395408,}, + {27329048,-15853735,7715764,8717446,-9215518, + -14633480,28982250,-5668414,4227628,242148,}, + {-13279943,-7986904,-7100016,8764468,-27276630, + 3096719,29678419,-9141299,3906709,11265498,},}, + {{11918285,15686328,-17757323,-11217300,-27548967, + 4853165,-27168827,6807359,6871949,-1075745,}, + {-29002610,13984323,-27111812,-2713442,28107359, + -13266203,6155126,15104658,3538727,-7513788,}, + {14103158,11233913,-33165269,9279850,31014152, + 4335090,-1827936,4590951,13960841,12787712,},}, + {{1469134,-16738009,33411928,13942824,8092558, + -8778224,-11165065,1437842,22521552,-2792954,}, + {31352705,-4807352,-25327300,3962447,12541566, + -9399651,-27425693,7964818,-23829869,5541287,}, + {-25732021,-6864887,23848984,3039395,-9147354, + 6022816,-27421653,10590137,25309915,-1584678,},}, + {{-22951376,5048948,31139401,-190316,-19542447, + -626310,-17486305,-16511925,-18851313,-12985140,}, + {-9684890,14681754,30487568,7717771,-10829709, + 9630497,30290549,-10531496,-27798994,-13812825,}, + {5827835,16097107,-24501327,12094619,7413972, + 11447087,28057551,-1793987,-14056981,4359312,},}, + {{26323183,2342588,-21887793,-1623758,-6062284, + 2107090,-28724907,9036464,-19618351,-13055189,}, + {-29697200,14829398,-4596333,14220089,-30022969, + 2955645,12094100,-13693652,-5941445,7047569,}, + {-3201977,14413268,-12058324,-16417589,-9035655, + -7224648,9258160,1399236,30397584,-5684634,},}, }; static void lookup_add(ge *p, ge_precomp *tmp_c, fe tmp_a, fe tmp_b, const ge_precomp comb[8], const u8 scalar[32], int i) { - u8 teeth = (u8)((scalar_bit(scalar, i) ) + - (scalar_bit(scalar, i + 32) << 1) + - (scalar_bit(scalar, i + 64) << 2) + - (scalar_bit(scalar, i + 96) << 3)); - u8 high = teeth >> 3; - u8 index = (teeth ^ (high - 1)) & 7; - FOR (j, 0, 8) { - i32 select = 1 & (((j ^ index) - 1) >> 8); - fe_ccopy(tmp_c->Yp, comb[j].Yp, select); - fe_ccopy(tmp_c->Ym, comb[j].Ym, select); - fe_ccopy(tmp_c->T2, comb[j].T2, select); - } - fe_neg(tmp_a, tmp_c->T2); - fe_cswap(tmp_c->T2, tmp_a , high ^ 1); - fe_cswap(tmp_c->Yp, tmp_c->Ym, high ^ 1); - ge_madd(p, p, tmp_c, tmp_a, tmp_b); + u8 teeth = (u8)((scalar_bit(scalar, i) ) + + (scalar_bit(scalar, i + 32) << 1) + + (scalar_bit(scalar, i + 64) << 2) + + (scalar_bit(scalar, i + 96) << 3)); + u8 high = teeth >> 3; + u8 index = (teeth ^ (high - 1)) & 7; + FOR (j, 0, 8) { + i32 select = 1 & (((j ^ index) - 1) >> 8); + fe_ccopy(tmp_c->Yp, comb[j].Yp, select); + fe_ccopy(tmp_c->Ym, comb[j].Ym, select); + fe_ccopy(tmp_c->T2, comb[j].T2, select); + } + fe_neg(tmp_a, tmp_c->T2); + fe_cswap(tmp_c->T2, tmp_a , high ^ 1); + fe_cswap(tmp_c->Yp, tmp_c->Ym, high ^ 1); + ge_madd(p, p, tmp_c, tmp_a, tmp_b); } // p = [scalar]B, where B is the base point static void ge_scalarmult_base(ge *p, const u8 scalar[32]) { - // twin 4-bits signed combs, from Mike Hamburg's - // Fast and compact elliptic-curve cryptography (2012) - // 1 / 2 modulo L - static const u8 half_mod_L[32] = { - 247,233,122,46,141,49,9,44,107,206,123,81,239,124,111,10, - 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8, }; - // (2^256 - 1) / 2 modulo L - static const u8 half_ones[32] = { - 142,74,204,70,186,24,118,107,184,231,190,57,250,173,119,99, - 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,7, }; - - // All bits set form: 1 means 1, 0 means -1 - u8 s_scalar[32]; - mul_add(s_scalar, scalar, half_mod_L, half_ones); - - // Double and add ladder - fe tmp_a, tmp_b; // temporaries for addition - ge_precomp tmp_c; // temporary for comb lookup - ge tmp_d; // temporary for doubling - fe_1(tmp_c.Yp); - fe_1(tmp_c.Ym); - fe_0(tmp_c.T2); - - // Save a double on the first iteration - ge_zero(p); - lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_low , s_scalar, 31); - lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_high, s_scalar, 31+128); - // Regular double & add for the rest - for (int i = 30; i >= 0; i--) { - ge_double(p, p, &tmp_d); - lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_low , s_scalar, i); - lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_high, s_scalar, i+128); - } - // Note: we could save one addition at the end if we assumed the - // scalar fit in 252 bits. Which it does in practice if it is - // selected at random. However, non-random, non-hashed scalars - // *can* overflow 252 bits in practice. Better account for that - // than leaving that kind of subtle corner case. - - WIPE_BUFFER(tmp_a); WIPE_CTX(&tmp_d); - WIPE_BUFFER(tmp_b); WIPE_CTX(&tmp_c); - WIPE_BUFFER(s_scalar); + // twin 4-bits signed combs, from Mike Hamburg's + // Fast and compact elliptic-curve cryptography (2012) + // 1 / 2 modulo L + static const u8 half_mod_L[32] = { + 247,233,122,46,141,49,9,44,107,206,123,81,239,124,111,10, + 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8, + }; + // (2^256 - 1) / 2 modulo L + static const u8 half_ones[32] = { + 142,74,204,70,186,24,118,107,184,231,190,57,250,173,119,99, + 255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,7, + }; + + // All bits set form: 1 means 1, 0 means -1 + u8 s_scalar[32]; + mul_add(s_scalar, scalar, half_mod_L, half_ones); + + // Double and add ladder + fe tmp_a, tmp_b; // temporaries for addition + ge_precomp tmp_c; // temporary for comb lookup + ge tmp_d; // temporary for doubling + fe_1(tmp_c.Yp); + fe_1(tmp_c.Ym); + fe_0(tmp_c.T2); + + // Save a double on the first iteration + ge_zero(p); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_low , s_scalar, 31); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_high, s_scalar, 31+128); + // Regular double & add for the rest + for (int i = 30; i >= 0; i--) { + ge_double(p, p, &tmp_d); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_low , s_scalar, i); + lookup_add(p, &tmp_c, tmp_a, tmp_b, b_comb_high, s_scalar, i+128); + } + // Note: we could save one addition at the end if we assumed the + // scalar fit in 252 bits. Which it does in practice if it is + // selected at random. However, non-random, non-hashed scalars + // *can* overflow 252 bits in practice. Better account for that + // than leaving that kind of subtle corner case. + + WIPE_BUFFER(tmp_a); WIPE_CTX(&tmp_d); + WIPE_BUFFER(tmp_b); WIPE_CTX(&tmp_c); + WIPE_BUFFER(s_scalar); } void crypto_sign_public_key_custom_hash(u8 public_key[32], const u8 secret_key[32], const crypto_sign_vtable *hash) { - u8 a[64]; - hash->hash(a, secret_key, 32); - trim_scalar(a); - ge A; - ge_scalarmult_base(&A, a); - ge_tobytes(public_key, &A); - WIPE_BUFFER(a); - WIPE_CTX(&A); + u8 a[64]; + hash->hash(a, secret_key, 32); + trim_scalar(a); + ge A; + ge_scalarmult_base(&A, a); + ge_tobytes(public_key, &A); + WIPE_BUFFER(a); + WIPE_CTX(&A); } void crypto_sign_public_key(u8 public_key[32], const u8 secret_key[32]) { - crypto_sign_public_key_custom_hash(public_key, secret_key, - &crypto_blake2b_vtable); + crypto_sign_public_key_custom_hash(public_key, secret_key, + &crypto_blake2b_vtable); } void crypto_sign_init_first_pass_custom_hash(crypto_sign_ctx_abstract *ctx, @@ -2228,73 +2251,73 @@ void crypto_sign_init_first_pass_custom_hash(crypto_sign_ctx_abstract *ctx, const u8 public_key[32], const crypto_sign_vtable *hash) { - ctx->hash = hash; // set vtable - u8 *a = ctx->buf; - u8 *prefix = ctx->buf + 32; - ctx->hash->hash(a, secret_key, 32); - trim_scalar(a); + ctx->hash = hash; // set vtable + u8 *a = ctx->buf; + u8 *prefix = ctx->buf + 32; + ctx->hash->hash(a, secret_key, 32); + trim_scalar(a); - if (public_key == 0) { - crypto_sign_public_key_custom_hash(ctx->pk, secret_key, ctx->hash); - } else { - COPY(ctx->pk, public_key, 32); - } + if (public_key == 0) { + crypto_sign_public_key_custom_hash(ctx->pk, secret_key, ctx->hash); + } else { + COPY(ctx->pk, public_key, 32); + } - // Deterministic part of EdDSA: Construct a nonce by hashing the message - // instead of generating a random number. - // An actual random number would work just fine, and would save us - // the trouble of hashing the message twice. If we did that - // however, the user could fuck it up and reuse the nonce. - ctx->hash->init (ctx); - ctx->hash->update(ctx, prefix , 32); + // Deterministic part of EdDSA: Construct a nonce by hashing the message + // instead of generating a random number. + // An actual random number would work just fine, and would save us + // the trouble of hashing the message twice. If we did that + // however, the user could fuck it up and reuse the nonce. + ctx->hash->init (ctx); + ctx->hash->update(ctx, prefix , 32); } void crypto_sign_init_first_pass(crypto_sign_ctx_abstract *ctx, const u8 secret_key[32], const u8 public_key[32]) { - crypto_sign_init_first_pass_custom_hash(ctx, secret_key, public_key, - &crypto_blake2b_vtable); + crypto_sign_init_first_pass_custom_hash(ctx, secret_key, public_key, + &crypto_blake2b_vtable); } void crypto_sign_update(crypto_sign_ctx_abstract *ctx, const u8 *msg, size_t msg_size) { - ctx->hash->update(ctx, msg, msg_size); + ctx->hash->update(ctx, msg, msg_size); } void crypto_sign_init_second_pass(crypto_sign_ctx_abstract *ctx) { - u8 *r = ctx->buf + 32; - u8 *half_sig = ctx->buf + 64; - ctx->hash->final(ctx, r); - reduce(r); + u8 *r = ctx->buf + 32; + u8 *half_sig = ctx->buf + 64; + ctx->hash->final(ctx, r); + reduce(r); - // first half of the signature = "random" nonce times the base point - ge R; - ge_scalarmult_base(&R, r); - ge_tobytes(half_sig, &R); - WIPE_CTX(&R); + // first half of the signature = "random" nonce times the base point + ge R; + ge_scalarmult_base(&R, r); + ge_tobytes(half_sig, &R); + WIPE_CTX(&R); - // Hash R, the public key, and the message together. - // It cannot be done in parallel with the first hash. - ctx->hash->init (ctx); - ctx->hash->update(ctx, half_sig, 32); - ctx->hash->update(ctx, ctx->pk , 32); + // Hash R, the public key, and the message together. + // It cannot be done in parallel with the first hash. + ctx->hash->init (ctx); + ctx->hash->update(ctx, half_sig, 32); + ctx->hash->update(ctx, ctx->pk , 32); } void crypto_sign_final(crypto_sign_ctx_abstract *ctx, u8 signature[64]) { - u8 *a = ctx->buf; - u8 *r = ctx->buf + 32; - u8 *half_sig = ctx->buf + 64; - u8 h_ram[64]; - ctx->hash->final(ctx, h_ram); - reduce(h_ram); - COPY(signature, half_sig, 32); - mul_add(signature + 32, h_ram, a, r); // s = h_ram * a + r - WIPE_BUFFER(h_ram); - crypto_wipe(ctx, ctx->hash->ctx_size); + u8 *a = ctx->buf; + u8 *r = ctx->buf + 32; + u8 *half_sig = ctx->buf + 64; + u8 h_ram[64]; + ctx->hash->final(ctx, h_ram); + reduce(h_ram); + COPY(signature, half_sig, 32); + mul_add(signature + 32, h_ram, a, r); // s = h_ram * a + r + WIPE_BUFFER(h_ram); + crypto_wipe(ctx, ctx->hash->ctx_size); } void crypto_sign(u8 signature[64], @@ -2302,13 +2325,13 @@ void crypto_sign(u8 signature[64], const u8 public_key[32], const u8 *message, size_t message_size) { - crypto_sign_ctx ctx; - crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&ctx; - crypto_sign_init_first_pass (actx, secret_key, public_key); - crypto_sign_update (actx, message, message_size); - crypto_sign_init_second_pass(actx); - crypto_sign_update (actx, message, message_size); - crypto_sign_final (actx, signature); + crypto_sign_ctx ctx; + crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&ctx; + crypto_sign_init_first_pass (actx, secret_key, public_key); + crypto_sign_update (actx, message, message_size); + crypto_sign_init_second_pass(actx); + crypto_sign_update (actx, message, message_size); + crypto_sign_final (actx, signature); } void crypto_check_init_custom_hash(crypto_check_ctx_abstract *ctx, @@ -2316,54 +2339,54 @@ void crypto_check_init_custom_hash(crypto_check_ctx_abstract *ctx, const u8 public_key[32], const crypto_sign_vtable *hash) { - ctx->hash = hash; // set vtable - COPY(ctx->buf, signature , 64); - COPY(ctx->pk , public_key, 32); - ctx->hash->init (ctx); - ctx->hash->update(ctx, signature , 32); - ctx->hash->update(ctx, public_key, 32); + ctx->hash = hash; // set vtable + COPY(ctx->buf, signature , 64); + COPY(ctx->pk , public_key, 32); + ctx->hash->init (ctx); + ctx->hash->update(ctx, signature , 32); + ctx->hash->update(ctx, public_key, 32); } void crypto_check_init(crypto_check_ctx_abstract *ctx, const u8 signature[64], const u8 public_key[32]) { - crypto_check_init_custom_hash(ctx, signature, public_key, - &crypto_blake2b_vtable); + crypto_check_init_custom_hash(ctx, signature, public_key, + &crypto_blake2b_vtable); } void crypto_check_update(crypto_check_ctx_abstract *ctx, const u8 *msg, size_t msg_size) { - ctx->hash->update(ctx, msg, msg_size); + ctx->hash->update(ctx, msg, msg_size); } int crypto_check_final(crypto_check_ctx_abstract *ctx) { - u8 *s = ctx->buf + 32; // s - u8 h_ram[64]; - u32 s32[8]; // s (different encoding) - ge A; + u8 *s = ctx->buf + 32; // s + u8 h_ram[64]; + u32 s32[8]; // s (different encoding) + ge A; - ctx->hash->final(ctx, h_ram); - reduce(h_ram); - load32_le_buf(s32, s, 8); - if (ge_frombytes_neg_vartime(&A, ctx->pk) || // A = -pk - is_above_l(s32)) { // prevent s malleability - return -1; - } - ge_double_scalarmult_vartime(&A, h_ram, s); // A = [s]B - [h_ram]pk - ge_tobytes(ctx->pk, &A); // R_check = A - return crypto_verify32(ctx->buf, ctx->pk); // R == R_check ? OK : fail + ctx->hash->final(ctx, h_ram); + reduce(h_ram); + load32_le_buf(s32, s, 8); + if (ge_frombytes_neg_vartime(&A, ctx->pk) || // A = -pk + is_above_l(s32)) { // prevent s malleability + return -1; + } + ge_double_scalarmult_vartime(&A, h_ram, s); // A = [s]B - [h_ram]pk + ge_tobytes(ctx->pk, &A); // R_check = A + return crypto_verify32(ctx->buf, ctx->pk); // R == R_check ? OK : fail } int crypto_check(const u8 signature[64], const u8 public_key[32], const u8 *message, size_t message_size) { - crypto_check_ctx ctx; - crypto_check_ctx_abstract *actx = (crypto_check_ctx_abstract*)&ctx; - crypto_check_init (actx, signature, public_key); - crypto_check_update(actx, message, message_size); - return crypto_check_final(actx); + crypto_check_ctx ctx; + crypto_check_ctx_abstract *actx = (crypto_check_ctx_abstract*)&ctx; + crypto_check_init (actx, signature, public_key); + crypto_check_update(actx, message, message_size); + return crypto_check_final(actx); } /////////////////////// @@ -2371,23 +2394,23 @@ int crypto_check(const u8 signature[64], const u8 public_key[32], /////////////////////// void crypto_from_eddsa_private(u8 x25519[32], const u8 eddsa[32]) { - u8 a[64]; - crypto_blake2b(a, eddsa, 32); - COPY(x25519, a, 32); - WIPE_BUFFER(a); + u8 a[64]; + crypto_blake2b(a, eddsa, 32); + COPY(x25519, a, 32); + WIPE_BUFFER(a); } void crypto_from_eddsa_public(u8 x25519[32], const u8 eddsa[32]) { - fe t1, t2; - fe_frombytes(t2, eddsa); - fe_add(t1, fe_one, t2); - fe_sub(t2, fe_one, t2); - fe_invert(t2, t2); - fe_mul(t1, t1, t2); - fe_tobytes(x25519, t1); - WIPE_BUFFER(t1); - WIPE_BUFFER(t2); + fe t1, t2; + fe_frombytes(t2, eddsa); + fe_add(t1, fe_one, t2); + fe_sub(t2, fe_one, t2); + fe_invert(t2, t2); + fe_mul(t1, t1, t2); + fe_tobytes(x25519, t1); + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); } ///////////////////////////////////////////// @@ -2441,13 +2464,13 @@ void crypto_from_eddsa_public(u8 x25519[32], const u8 eddsa[32]) // s + L * (x%8) < 2^256 static void add_xl(u8 s[32], u8 x) { - u64 mod8 = x & 7; - u64 carry = 0; - FOR (i , 0, 8) { - carry = carry + load32_le(s + 4*i) + L[i] * mod8; - store32_le(s + 4*i, (u32)carry); - carry >>= 32; - } + u64 mod8 = x & 7; + u64 carry = 0; + FOR (i , 0, 8) { + carry = carry + load32_le(s + 4*i) + L[i] * mod8; + store32_le(s + 4*i, (u32)carry); + carry >>= 32; + } } // "Small" dirty ephemeral key. @@ -2465,33 +2488,33 @@ static void add_xl(u8 s[32], u8 x) // regular base point (9), and a point of order 8. void crypto_x25519_dirty_small(u8 public_key[32], const u8 secret_key[32]) { - // Base point of order 8*L - // Raw scalar multiplication with it does not clear the cofactor, - // and the resulting public key will reveal 3 bits of the scalar. - // - // The low order component of this base point has been chosen - // to yield the same results as crypto_x25519_dirty_fast(). - static const u8 dirty_base_point[32] = { - 0xd8, 0x86, 0x1a, 0xa2, 0x78, 0x7a, 0xd9, 0x26, 0x8b, 0x74, 0x74, 0xb6, - 0x82, 0xe3, 0xbe, 0xc3, 0xce, 0x36, 0x9a, 0x1e, 0x5e, 0x31, 0x47, 0xa2, - 0x6d, 0x37, 0x7c, 0xfd, 0x20, 0xb5, 0xdf, 0x75, - }; - // separate the main factor & the cofactor of the scalar - u8 scalar[32]; - COPY(scalar, secret_key, 32); - trim_scalar(scalar); - - // Separate the main factor and the cofactor - // - // The scalar is trimmed, so its cofactor is cleared. The three - // least significant bits however still have a main factor. We must - // remove it for X25519 compatibility. - // - // cofactor = lsb * L (modulo 8*L) - // combined = scalar + cofactor (modulo 8*L) - add_xl(scalar, secret_key[0]); - scalarmult(public_key, scalar, dirty_base_point, 256); - WIPE_BUFFER(scalar); + // Base point of order 8*L + // Raw scalar multiplication with it does not clear the cofactor, + // and the resulting public key will reveal 3 bits of the scalar. + // + // The low order component of this base point has been chosen + // to yield the same results as crypto_x25519_dirty_fast(). + static const u8 dirty_base_point[32] = { + 0xd8, 0x86, 0x1a, 0xa2, 0x78, 0x7a, 0xd9, 0x26, 0x8b, 0x74, 0x74, 0xb6, + 0x82, 0xe3, 0xbe, 0xc3, 0xce, 0x36, 0x9a, 0x1e, 0x5e, 0x31, 0x47, 0xa2, + 0x6d, 0x37, 0x7c, 0xfd, 0x20, 0xb5, 0xdf, 0x75, + }; + // separate the main factor & the cofactor of the scalar + u8 scalar[32]; + COPY(scalar, secret_key, 32); + trim_scalar(scalar); + + // Separate the main factor and the cofactor + // + // The scalar is trimmed, so its cofactor is cleared. The three + // least significant bits however still have a main factor. We must + // remove it for X25519 compatibility. + // + // cofactor = lsb * L (modulo 8*L) + // combined = scalar + cofactor (modulo 8*L) + add_xl(scalar, secret_key[0]); + scalarmult(public_key, scalar, dirty_base_point, 256); + WIPE_BUFFER(scalar); } // Select low order point @@ -2528,13 +2551,13 @@ void crypto_x25519_dirty_small(u8 public_key[32], const u8 secret_key[32]) // and requires less code than naive constant time look up. static void select_lop(fe out, const fe x, const fe k, u8 cofactor) { - fe tmp; - fe_0(out); - fe_ccopy(out, k , (cofactor >> 1) & 1); // bit 1 - fe_ccopy(out, x , (cofactor >> 0) & 1); // bit 0 - fe_neg (tmp, out); - fe_ccopy(out, tmp, (cofactor >> 2) & 1); // bit 2 - WIPE_BUFFER(tmp); + fe tmp; + fe_0(out); + fe_ccopy(out, k , (cofactor >> 1) & 1); // bit 1 + fe_ccopy(out, x , (cofactor >> 0) & 1); // bit 0 + fe_neg (tmp, out); + fe_ccopy(out, tmp, (cofactor >> 2) & 1); // bit 2 + WIPE_BUFFER(tmp); } // "Fast" dirty ephemeral key @@ -2546,37 +2569,37 @@ static void select_lop(fe out, const fe x, const fe k, u8 cofactor) // The cost is a bigger binary for programs that don't also sign messages. void crypto_x25519_dirty_fast(u8 public_key[32], const u8 secret_key[32]) { - // Compute clean scalar multiplication - u8 scalar[32]; - ge pk; - COPY(scalar, secret_key, 32); - trim_scalar(scalar); - ge_scalarmult_base(&pk, scalar); + // Compute clean scalar multiplication + u8 scalar[32]; + ge pk; + COPY(scalar, secret_key, 32); + trim_scalar(scalar); + ge_scalarmult_base(&pk, scalar); - // Compute low order point - fe t1, t2; - select_lop(t1, lop_x, sqrtm1, secret_key[0]); - select_lop(t2, lop_y, fe_one, secret_key[0] + 2); - ge_precomp low_order_point; - fe_add(low_order_point.Yp, t2, t1); - fe_sub(low_order_point.Ym, t2, t1); - fe_mul(low_order_point.T2, t2, t1); - fe_mul(low_order_point.T2, low_order_point.T2, D2); + // Compute low order point + fe t1, t2; + select_lop(t1, lop_x, sqrtm1, secret_key[0]); + select_lop(t2, lop_y, fe_one, secret_key[0] + 2); + ge_precomp low_order_point; + fe_add(low_order_point.Yp, t2, t1); + fe_sub(low_order_point.Ym, t2, t1); + fe_mul(low_order_point.T2, t2, t1); + fe_mul(low_order_point.T2, low_order_point.T2, D2); - // Add low order point to the public key - ge_madd(&pk, &pk, &low_order_point, t1, t2); + // Add low order point to the public key + ge_madd(&pk, &pk, &low_order_point, t1, t2); - // Convert to Montgomery u coordinate (we ignore the sign) - fe_add(t1, pk.Z, pk.Y); - fe_sub(t2, pk.Z, pk.Y); - fe_invert(t2, t2); - fe_mul(t1, t1, t2); + // Convert to Montgomery u coordinate (we ignore the sign) + fe_add(t1, pk.Z, pk.Y); + fe_sub(t2, pk.Z, pk.Y); + fe_invert(t2, t2); + fe_mul(t1, t1, t2); - fe_tobytes(public_key, t1); + fe_tobytes(public_key, t1); - WIPE_BUFFER(t1); WIPE_CTX(&pk); - WIPE_BUFFER(t2); WIPE_CTX(&low_order_point); - WIPE_BUFFER(scalar); + WIPE_BUFFER(t1); WIPE_CTX(&pk); + WIPE_BUFFER(t2); WIPE_CTX(&low_order_point); + WIPE_BUFFER(scalar); } /////////////////// @@ -2644,31 +2667,31 @@ static const fe A = {486662}; // u2 = u void crypto_hidden_to_curve(uint8_t curve[32], const uint8_t hidden[32]) { - fe r, u, t1, t2, t3; - fe_frombytes_mask(r, hidden, 2); // r is encoded in 254 bits. - fe_sq(r, r); - fe_add(t1, r, r); - fe_add(u, t1, fe_one); - fe_sq (t2, u); - fe_mul(t3, A2, t1); - fe_sub(t3, t3, t2); - fe_mul(t3, t3, A); - fe_mul(t1, t2, u); - fe_mul(t1, t3, t1); - int is_square = invsqrt(t1, t1); - fe_mul(u, r, ufactor); - fe_ccopy(u, fe_one, is_square); - fe_sq (t1, t1); - fe_mul(u, u, A); - fe_mul(u, u, t3); - fe_mul(u, u, t2); - fe_mul(u, u, t1); - fe_neg(u, u); - fe_tobytes(curve, u); - - WIPE_BUFFER(t1); WIPE_BUFFER(r); - WIPE_BUFFER(t2); WIPE_BUFFER(u); - WIPE_BUFFER(t3); + fe r, u, t1, t2, t3; + fe_frombytes_mask(r, hidden, 2); // r is encoded in 254 bits. + fe_sq(r, r); + fe_add(t1, r, r); + fe_add(u, t1, fe_one); + fe_sq (t2, u); + fe_mul(t3, A2, t1); + fe_sub(t3, t3, t2); + fe_mul(t3, t3, A); + fe_mul(t1, t2, u); + fe_mul(t1, t3, t1); + int is_square = invsqrt(t1, t1); + fe_mul(u, r, ufactor); + fe_ccopy(u, fe_one, is_square); + fe_sq (t1, t1); + fe_mul(u, u, A); + fe_mul(u, u, t3); + fe_mul(u, u, t2); + fe_mul(u, u, t1); + fe_neg(u, u); + fe_tobytes(curve, u); + + WIPE_BUFFER(t1); WIPE_BUFFER(r); + WIPE_BUFFER(t2); WIPE_BUFFER(u); + WIPE_BUFFER(t3); } // Elligator inverse map @@ -2704,55 +2727,55 @@ void crypto_hidden_to_curve(uint8_t curve[32], const uint8_t hidden[32]) // isr * (u+A) = sqrt(-(u+A) / (non_square * u) int crypto_curve_to_hidden(u8 hidden[32], const u8 public_key[32], u8 tweak) { - fe t1, t2, t3; - fe_frombytes(t1, public_key); // t1 = u + fe t1, t2, t3; + fe_frombytes(t1, public_key); // t1 = u - fe_add(t2, t1, A); // t2 = u + A - fe_mul(t3, t1, t2); - fe_mul_small(t3, t3, -2); - int is_square = invsqrt(t3, t3); // t3 = sqrt(-1 / non_square * u * (u+A)) - if (is_square) { - // The only variable time bit. This ultimately reveals how many - // tries it took us to find a representable key. - // This does not affect security as long as we try keys at random. + fe_add(t2, t1, A); // t2 = u + A + fe_mul(t3, t1, t2); + fe_mul_small(t3, t3, -2); + int is_square = invsqrt(t3, t3); // t3 = sqrt(-1 / non_square * u * (u+A)) + if (is_square) { + // The only variable time bit. This ultimately reveals how many + // tries it took us to find a representable key. + // This does not affect security as long as we try keys at random. - fe_ccopy (t1, t2, tweak & 1); // multiply by u if v is positive, - fe_mul (t3, t1, t3); // multiply by u+A otherwise - fe_mul_small(t1, t3, 2); - fe_neg (t2, t3); - fe_ccopy (t3, t2, fe_isodd(t1)); - fe_tobytes(hidden, t3); + fe_ccopy (t1, t2, tweak & 1); // multiply by u if v is positive, + fe_mul (t3, t1, t3); // multiply by u+A otherwise + fe_mul_small(t1, t3, 2); + fe_neg (t2, t3); + fe_ccopy (t3, t2, fe_isodd(t1)); + fe_tobytes(hidden, t3); - // Pad with two random bits - hidden[31] |= tweak & 0xc0; - } + // Pad with two random bits + hidden[31] |= tweak & 0xc0; + } - WIPE_BUFFER(t1); - WIPE_BUFFER(t2); - WIPE_BUFFER(t3); - return is_square - 1; + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); + WIPE_BUFFER(t3); + return is_square - 1; } void crypto_hidden_key_pair(u8 hidden[32], u8 secret_key[32], u8 seed[32]) { - u8 pk [32]; // public key - u8 buf[64]; // seed + representative - COPY(buf + 32, seed, 32); - do { - crypto_chacha20(buf, 0, 64, buf+32, zero); - crypto_x25519_dirty_fast(pk, buf); // or the "small" version - } while(crypto_curve_to_hidden(buf+32, pk, buf[32])); - // Note that the return value of crypto_curve_to_hidden() is - // independent from its tweak parameter. - // Therefore, buf[32] is not actually reused. Either we loop one - // more time and buf[32] is used for the new seed, or we succeeded, - // and buf[32] becomes the tweak parameter. - - crypto_wipe(seed, 32); - COPY(hidden , buf + 32, 32); - COPY(secret_key, buf , 32); - WIPE_BUFFER(buf); - WIPE_BUFFER(pk); + u8 pk [32]; // public key + u8 buf[64]; // seed + representative + COPY(buf + 32, seed, 32); + do { + crypto_chacha20(buf, 0, 64, buf+32, zero); + crypto_x25519_dirty_fast(pk, buf); // or the "small" version + } while(crypto_curve_to_hidden(buf+32, pk, buf[32])); + // Note that the return value of crypto_curve_to_hidden() is + // independent from its tweak parameter. + // Therefore, buf[32] is not actually reused. Either we loop one + // more time and buf[32] is used for the new seed, or we succeeded, + // and buf[32] becomes the tweak parameter. + + crypto_wipe(seed, 32); + COPY(hidden , buf + 32, 32); + COPY(secret_key, buf , 32); + WIPE_BUFFER(buf); + WIPE_BUFFER(pk); } //////////////////// @@ -2762,8 +2785,8 @@ void crypto_key_exchange(u8 shared_key[32], const u8 your_secret_key [32], const u8 their_public_key[32]) { - crypto_x25519(shared_key, your_secret_key, their_public_key); - crypto_hchacha20(shared_key, shared_key, zero); + crypto_x25519(shared_key, your_secret_key, their_public_key); + crypto_hchacha20(shared_key, shared_key, zero); } /////////////////////// @@ -2784,100 +2807,103 @@ void crypto_key_exchange(u8 shared_key[32], // u = (t/r) % L (u is always below 2*L, conditional subtraction is enough) static void redc(u32 u[8], u32 x[16]) { - static const u32 k[8] = { 0x12547e1b, 0xd2b51da3, 0xfdba84ff, 0xb1a206f2, - 0xffa36bea, 0x14e75438, 0x6fe91836, 0x9db6c6f2, }; - - // s = x * k (modulo 2^256) - // This is cheaper than the full multiplication. - u32 s[8] = {0}; - FOR (i, 0, 8) { - u64 carry = 0; - FOR (j, 0, 8-i) { - carry += s[i+j] + (u64)x[i] * k[j]; - s[i+j] = (u32)carry; - carry >>= 32; - } - } - u32 t[16] = {0}; - multiply(t, s, L); - - // t = t + x - u64 carry = 0; - FOR (i, 0, 16) { - carry += (u64)t[i] + x[i]; - t[i] = (u32)carry; - carry >>= 32; - } - - // u = (t / 2^256) % L - // Note that t / 2^256 is always below 2*L, - // So a constant time conditional subtraction is enough - remove_l(u, t+8); - - WIPE_BUFFER(s); - WIPE_BUFFER(t); + static const u32 k[8] = { + 0x12547e1b, 0xd2b51da3, 0xfdba84ff, 0xb1a206f2, + 0xffa36bea, 0x14e75438, 0x6fe91836, 0x9db6c6f2, + }; + + // s = x * k (modulo 2^256) + // This is cheaper than the full multiplication. + u32 s[8] = {0}; + FOR (i, 0, 8) { + u64 carry = 0; + FOR (j, 0, 8-i) { + carry += s[i+j] + (u64)x[i] * k[j]; + s[i+j] = (u32)carry; + carry >>= 32; + } + } + u32 t[16] = {0}; + multiply(t, s, L); + + // t = t + x + u64 carry = 0; + FOR (i, 0, 16) { + carry += (u64)t[i] + x[i]; + t[i] = (u32)carry; + carry >>= 32; + } + + // u = (t / 2^256) % L + // Note that t / 2^256 is always below 2*L, + // So a constant time conditional subtraction is enough + remove_l(u, t+8); + + WIPE_BUFFER(s); + WIPE_BUFFER(t); } void crypto_x25519_inverse(u8 blind_salt [32], const u8 private_key[32], const u8 curve_point[32]) { - static const u8 Lm2[32] = { // L - 2 - 0xeb, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, - 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, }; - // 1 in Montgomery form - u32 m_inv [8] = {0x8d98951d, 0xd6ec3174, 0x737dcf70, 0xc6ef5bf4, - 0xfffffffe, 0xffffffff, 0xffffffff, 0x0fffffff,}; - - u8 scalar[32]; - COPY(scalar, private_key, 32); - trim_scalar(scalar); - - // Convert the scalar in Montgomery form - // m_scl = scalar * 2^256 (modulo L) - u32 m_scl[8]; - { - u32 tmp[16]; - ZERO(tmp, 8); - load32_le_buf(tmp+8, scalar, 8); - mod_l(scalar, tmp); - load32_le_buf(m_scl, scalar, 8); - WIPE_BUFFER(tmp); // Wipe ASAP to save stack space - } - - // Compute the inverse - u32 product[16]; - for (int i = 252; i >= 0; i--) { - ZERO(product, 16); - multiply(product, m_inv, m_inv); - redc(m_inv, product); - if (scalar_bit(Lm2, i)) { - ZERO(product, 16); - multiply(product, m_inv, m_scl); - redc(m_inv, product); - } - } - // Convert the inverse *out* of Montgomery form - // scalar = m_inv / 2^256 (modulo L) - COPY(product, m_inv, 8); - ZERO(product + 8, 8); - redc(m_inv, product); - store32_le_buf(scalar, m_inv, 8); // the *inverse* of the scalar - - // Clear the cofactor of scalar: - // cleared = scalar * (3*L + 1) (modulo 8*L) - // cleared = scalar + scalar * 3 * L (modulo 8*L) - // Note that (scalar * 3) is reduced modulo 8, so we only need the - // first byte. - add_xl(scalar, scalar[0] * 3); - - // Recall that 8*L < 2^256. However it is also very close to - // 2^255. If we spanned the ladder over 255 bits, random tests - // wouldn't catch the off-by-one error. - scalarmult(blind_salt, scalar, curve_point, 256); - - WIPE_BUFFER(scalar); WIPE_BUFFER(m_scl); - WIPE_BUFFER(product); WIPE_BUFFER(m_inv); + static const u8 Lm2[32] = { // L - 2 + 0xeb, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, + 0xde, 0xf9, 0xde, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, + }; + // 1 in Montgomery form + u32 m_inv [8] = {0x8d98951d, 0xd6ec3174, 0x737dcf70, 0xc6ef5bf4, + 0xfffffffe, 0xffffffff, 0xffffffff, 0x0fffffff,}; + + u8 scalar[32]; + COPY(scalar, private_key, 32); + trim_scalar(scalar); + + // Convert the scalar in Montgomery form + // m_scl = scalar * 2^256 (modulo L) + u32 m_scl[8]; + { + u32 tmp[16]; + ZERO(tmp, 8); + load32_le_buf(tmp+8, scalar, 8); + mod_l(scalar, tmp); + load32_le_buf(m_scl, scalar, 8); + WIPE_BUFFER(tmp); // Wipe ASAP to save stack space + } + + // Compute the inverse + u32 product[16]; + for (int i = 252; i >= 0; i--) { + ZERO(product, 16); + multiply(product, m_inv, m_inv); + redc(m_inv, product); + if (scalar_bit(Lm2, i)) { + ZERO(product, 16); + multiply(product, m_inv, m_scl); + redc(m_inv, product); + } + } + // Convert the inverse *out* of Montgomery form + // scalar = m_inv / 2^256 (modulo L) + COPY(product, m_inv, 8); + ZERO(product + 8, 8); + redc(m_inv, product); + store32_le_buf(scalar, m_inv, 8); // the *inverse* of the scalar + + // Clear the cofactor of scalar: + // cleared = scalar * (3*L + 1) (modulo 8*L) + // cleared = scalar + scalar * 3 * L (modulo 8*L) + // Note that (scalar * 3) is reduced modulo 8, so we only need the + // first byte. + add_xl(scalar, scalar[0] * 3); + + // Recall that 8*L < 2^256. However it is also very close to + // 2^255. If we spanned the ladder over 255 bits, random tests + // wouldn't catch the off-by-one error. + scalarmult(blind_salt, scalar, curve_point, 256); + + WIPE_BUFFER(scalar); WIPE_BUFFER(m_scl); + WIPE_BUFFER(product); WIPE_BUFFER(m_inv); } //////////////////////////////// @@ -2887,17 +2913,17 @@ static void lock_auth(u8 mac[16], const u8 auth_key[32], const u8 *ad , size_t ad_size, const u8 *cipher_text, size_t text_size) { - u8 sizes[16]; // Not secret, not wiped - store64_le(sizes + 0, ad_size); - store64_le(sizes + 8, text_size); - crypto_poly1305_ctx poly_ctx; // auto wiped... - crypto_poly1305_init (&poly_ctx, auth_key); - crypto_poly1305_update(&poly_ctx, ad , ad_size); - crypto_poly1305_update(&poly_ctx, zero , align(ad_size, 16)); - crypto_poly1305_update(&poly_ctx, cipher_text, text_size); - crypto_poly1305_update(&poly_ctx, zero , align(text_size, 16)); - crypto_poly1305_update(&poly_ctx, sizes , 16); - crypto_poly1305_final (&poly_ctx, mac); // ...here + u8 sizes[16]; // Not secret, not wiped + store64_le(sizes + 0, ad_size); + store64_le(sizes + 8, text_size); + crypto_poly1305_ctx poly_ctx; // auto wiped... + crypto_poly1305_init (&poly_ctx, auth_key); + crypto_poly1305_update(&poly_ctx, ad , ad_size); + crypto_poly1305_update(&poly_ctx, zero , align(ad_size, 16)); + crypto_poly1305_update(&poly_ctx, cipher_text, text_size); + crypto_poly1305_update(&poly_ctx, zero , align(text_size, 16)); + crypto_poly1305_update(&poly_ctx, sizes , 16); + crypto_poly1305_final (&poly_ctx, mac); // ...here } void crypto_lock_aead(u8 mac[16], u8 *cipher_text, @@ -2905,15 +2931,15 @@ void crypto_lock_aead(u8 mac[16], u8 *cipher_text, const u8 *ad , size_t ad_size, const u8 *plain_text, size_t text_size) { - u8 sub_key[32]; - u8 auth_key[64]; // "Wasting" the whole Chacha block is faster - crypto_hchacha20(sub_key, key, nonce); - crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16); - crypto_chacha20_ctr(cipher_text, plain_text, text_size, - sub_key, nonce + 16, 1); - lock_auth(mac, auth_key, ad, ad_size, cipher_text, text_size); - WIPE_BUFFER(sub_key); - WIPE_BUFFER(auth_key); + u8 sub_key[32]; + u8 auth_key[64]; // "Wasting" the whole Chacha block is faster + crypto_hchacha20(sub_key, key, nonce); + crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16); + crypto_chacha20_ctr(cipher_text, plain_text, text_size, + sub_key, nonce + 16, 1); + lock_auth(mac, auth_key, ad, ad_size, cipher_text, text_size); + WIPE_BUFFER(sub_key); + WIPE_BUFFER(auth_key); } int crypto_unlock_aead(u8 *plain_text, const u8 key[32], const u8 nonce[24], @@ -2921,36 +2947,36 @@ int crypto_unlock_aead(u8 *plain_text, const u8 key[32], const u8 nonce[24], const u8 *ad , size_t ad_size, const u8 *cipher_text, size_t text_size) { - u8 sub_key[32]; - u8 auth_key[64]; // "Wasting" the whole Chacha block is faster - crypto_hchacha20(sub_key, key, nonce); - crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16); - u8 real_mac[16]; - lock_auth(real_mac, auth_key, ad, ad_size, cipher_text, text_size); - WIPE_BUFFER(auth_key); - int mismatch = crypto_verify16(mac, real_mac); - if (!mismatch) { - crypto_chacha20_ctr(plain_text, cipher_text, text_size, - sub_key, nonce + 16, 1); - } - WIPE_BUFFER(sub_key); - WIPE_BUFFER(real_mac); - return mismatch; + u8 sub_key[32]; + u8 auth_key[64]; // "Wasting" the whole Chacha block is faster + crypto_hchacha20(sub_key, key, nonce); + crypto_chacha20(auth_key, 0, 64, sub_key, nonce + 16); + u8 real_mac[16]; + lock_auth(real_mac, auth_key, ad, ad_size, cipher_text, text_size); + WIPE_BUFFER(auth_key); + int mismatch = crypto_verify16(mac, real_mac); + if (!mismatch) { + crypto_chacha20_ctr(plain_text, cipher_text, text_size, + sub_key, nonce + 16, 1); + } + WIPE_BUFFER(sub_key); + WIPE_BUFFER(real_mac); + return mismatch; } void crypto_lock(u8 mac[16], u8 *cipher_text, const u8 key[32], const u8 nonce[24], const u8 *plain_text, size_t text_size) { - crypto_lock_aead(mac, cipher_text, key, nonce, 0, 0, plain_text, text_size); + crypto_lock_aead(mac, cipher_text, key, nonce, 0, 0, plain_text, text_size); } int crypto_unlock(u8 *plain_text, const u8 key[32], const u8 nonce[24], const u8 mac[16], const u8 *cipher_text, size_t text_size) { - return crypto_unlock_aead(plain_text, key, nonce, mac, 0, 0, - cipher_text, text_size); + return crypto_unlock_aead(plain_text, key, nonce, mac, 0, 0, + cipher_text, text_size); } #ifdef MONOCYPHER_CPP_NAMESPACE diff --git a/src/monocypher.h b/src/monocypher.h index 54b3af2..f8fd070 100644 --- a/src/monocypher.h +++ b/src/monocypher.h @@ -71,11 +71,11 @@ extern "C" { // Instantiate it to define a custom hash. // Its size, contents, and layout, are part of the public API. typedef struct { - void (*hash)(uint8_t hash[64], const uint8_t *message, size_t message_size); - void (*init )(void *ctx); - void (*update)(void *ctx, const uint8_t *message, size_t message_size); - void (*final )(void *ctx, uint8_t hash[64]); - size_t ctx_size; + void (*hash)(uint8_t hash[64], const uint8_t *message, size_t message_size); + void (*init )(void *ctx); + void (*update)(void *ctx, const uint8_t *message, size_t message_size); + void (*final )(void *ctx, uint8_t hash[64]); + size_t ctx_size; } crypto_sign_vtable; // Do not rely on the size or contents of any of the types below, @@ -83,33 +83,33 @@ typedef struct { // Poly1305 typedef struct { - uint32_t r[4]; // constant multiplier (from the secret key) - uint32_t h[5]; // accumulated hash - uint8_t c[16]; // chunk of the message - uint32_t pad[4]; // random number added at the end (from the secret key) - size_t c_idx; // How many bytes are there in the chunk. + uint32_t r[4]; // constant multiplier (from the secret key) + uint32_t h[5]; // accumulated hash + uint8_t c[16]; // chunk of the message + uint32_t pad[4]; // random number added at the end (from the secret key) + size_t c_idx; // How many bytes are there in the chunk. } crypto_poly1305_ctx; // Hash (BLAKE2b) typedef struct { - uint64_t hash[8]; - uint64_t input_offset[2]; - uint64_t input[16]; - size_t input_idx; - size_t hash_size; + uint64_t hash[8]; + uint64_t input_offset[2]; + uint64_t input[16]; + size_t input_idx; + size_t hash_size; } crypto_blake2b_ctx; // Signatures (EdDSA) typedef struct { - const crypto_sign_vtable *hash; - uint8_t buf[96]; - uint8_t pk [32]; + const crypto_sign_vtable *hash; + uint8_t buf[96]; + uint8_t pk [32]; } crypto_sign_ctx_abstract; typedef crypto_sign_ctx_abstract crypto_check_ctx_abstract; typedef struct { - crypto_sign_ctx_abstract ctx; - crypto_blake2b_ctx hash; + crypto_sign_ctx_abstract ctx; + crypto_blake2b_ctx hash; } crypto_sign_ctx; typedef crypto_sign_ctx crypto_check_ctx; diff --git a/src/optional/monocypher-ed25519.c b/src/optional/monocypher-ed25519.c index d5f4cfa..446553b 100644 --- a/src/optional/monocypher-ed25519.c +++ b/src/optional/monocypher-ed25519.c @@ -76,31 +76,31 @@ typedef uint64_t u64; // Note: we use ~x+1 instead of -x to avoid compiler warnings static size_t align(size_t x, size_t pow_2) { - return (~x + 1) & (pow_2 - 1); + return (~x + 1) & (pow_2 - 1); } static u64 load64_be(const u8 s[8]) { - return((u64)s[0] << 56) - | ((u64)s[1] << 48) - | ((u64)s[2] << 40) - | ((u64)s[3] << 32) - | ((u64)s[4] << 24) - | ((u64)s[5] << 16) - | ((u64)s[6] << 8) - | (u64)s[7]; + return((u64)s[0] << 56) + | ((u64)s[1] << 48) + | ((u64)s[2] << 40) + | ((u64)s[3] << 32) + | ((u64)s[4] << 24) + | ((u64)s[5] << 16) + | ((u64)s[6] << 8) + | (u64)s[7]; } static void store64_be(u8 out[8], u64 in) { - out[0] = (in >> 56) & 0xff; - out[1] = (in >> 48) & 0xff; - out[2] = (in >> 40) & 0xff; - out[3] = (in >> 32) & 0xff; - out[4] = (in >> 24) & 0xff; - out[5] = (in >> 16) & 0xff; - out[6] = (in >> 8) & 0xff; - out[7] = in & 0xff; + out[0] = (in >> 56) & 0xff; + out[1] = (in >> 48) & 0xff; + out[2] = (in >> 40) & 0xff; + out[3] = (in >> 32) & 0xff; + out[4] = (in >> 24) & 0xff; + out[5] = (in >> 16) & 0xff; + out[6] = (in >> 8) & 0xff; + out[7] = in & 0xff; } /////////////// @@ -115,189 +115,189 @@ static u64 lit_sigma0(u64 x) { return rot(x, 1) ^ rot(x, 8) ^ (x >> 7); } static u64 lit_sigma1(u64 x) { return rot(x, 19) ^ rot(x, 61) ^ (x >> 6); } static const u64 K[80] = { - 0x428a2f98d728ae22,0x7137449123ef65cd,0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc, - 0x3956c25bf348b538,0x59f111f1b605d019,0x923f82a4af194f9b,0xab1c5ed5da6d8118, - 0xd807aa98a3030242,0x12835b0145706fbe,0x243185be4ee4b28c,0x550c7dc3d5ffb4e2, - 0x72be5d74f27b896f,0x80deb1fe3b1696b1,0x9bdc06a725c71235,0xc19bf174cf692694, - 0xe49b69c19ef14ad2,0xefbe4786384f25e3,0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65, - 0x2de92c6f592b0275,0x4a7484aa6ea6e483,0x5cb0a9dcbd41fbd4,0x76f988da831153b5, - 0x983e5152ee66dfab,0xa831c66d2db43210,0xb00327c898fb213f,0xbf597fc7beef0ee4, - 0xc6e00bf33da88fc2,0xd5a79147930aa725,0x06ca6351e003826f,0x142929670a0e6e70, - 0x27b70a8546d22ffc,0x2e1b21385c26c926,0x4d2c6dfc5ac42aed,0x53380d139d95b3df, - 0x650a73548baf63de,0x766a0abb3c77b2a8,0x81c2c92e47edaee6,0x92722c851482353b, - 0xa2bfe8a14cf10364,0xa81a664bbc423001,0xc24b8b70d0f89791,0xc76c51a30654be30, - 0xd192e819d6ef5218,0xd69906245565a910,0xf40e35855771202a,0x106aa07032bbd1b8, - 0x19a4c116b8d2d0c8,0x1e376c085141ab53,0x2748774cdf8eeb99,0x34b0bcb5e19b48a8, - 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb,0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3, - 0x748f82ee5defb2fc,0x78a5636f43172f60,0x84c87814a1f0ab72,0x8cc702081a6439ec, - 0x90befffa23631e28,0xa4506cebde82bde9,0xbef9a3f7b2c67915,0xc67178f2e372532b, - 0xca273eceea26619c,0xd186b8c721c0c207,0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178, - 0x06f067aa72176fba,0x0a637dc5a2c898a6,0x113f9804bef90dae,0x1b710b35131c471b, - 0x28db77f523047d84,0x32caab7b40c72493,0x3c9ebe0a15c9bebc,0x431d67c49c100d4c, - 0x4cc5d4becb3e42b6,0x597f299cfc657e2a,0x5fcb6fab3ad6faec,0x6c44198c4a475817 + 0x428a2f98d728ae22,0x7137449123ef65cd,0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc, + 0x3956c25bf348b538,0x59f111f1b605d019,0x923f82a4af194f9b,0xab1c5ed5da6d8118, + 0xd807aa98a3030242,0x12835b0145706fbe,0x243185be4ee4b28c,0x550c7dc3d5ffb4e2, + 0x72be5d74f27b896f,0x80deb1fe3b1696b1,0x9bdc06a725c71235,0xc19bf174cf692694, + 0xe49b69c19ef14ad2,0xefbe4786384f25e3,0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65, + 0x2de92c6f592b0275,0x4a7484aa6ea6e483,0x5cb0a9dcbd41fbd4,0x76f988da831153b5, + 0x983e5152ee66dfab,0xa831c66d2db43210,0xb00327c898fb213f,0xbf597fc7beef0ee4, + 0xc6e00bf33da88fc2,0xd5a79147930aa725,0x06ca6351e003826f,0x142929670a0e6e70, + 0x27b70a8546d22ffc,0x2e1b21385c26c926,0x4d2c6dfc5ac42aed,0x53380d139d95b3df, + 0x650a73548baf63de,0x766a0abb3c77b2a8,0x81c2c92e47edaee6,0x92722c851482353b, + 0xa2bfe8a14cf10364,0xa81a664bbc423001,0xc24b8b70d0f89791,0xc76c51a30654be30, + 0xd192e819d6ef5218,0xd69906245565a910,0xf40e35855771202a,0x106aa07032bbd1b8, + 0x19a4c116b8d2d0c8,0x1e376c085141ab53,0x2748774cdf8eeb99,0x34b0bcb5e19b48a8, + 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb,0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3, + 0x748f82ee5defb2fc,0x78a5636f43172f60,0x84c87814a1f0ab72,0x8cc702081a6439ec, + 0x90befffa23631e28,0xa4506cebde82bde9,0xbef9a3f7b2c67915,0xc67178f2e372532b, + 0xca273eceea26619c,0xd186b8c721c0c207,0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178, + 0x06f067aa72176fba,0x0a637dc5a2c898a6,0x113f9804bef90dae,0x1b710b35131c471b, + 0x28db77f523047d84,0x32caab7b40c72493,0x3c9ebe0a15c9bebc,0x431d67c49c100d4c, + 0x4cc5d4becb3e42b6,0x597f299cfc657e2a,0x5fcb6fab3ad6faec,0x6c44198c4a475817 }; static void sha512_compress(crypto_sha512_ctx *ctx) { - u64 a = ctx->hash[0]; u64 b = ctx->hash[1]; - u64 c = ctx->hash[2]; u64 d = ctx->hash[3]; - u64 e = ctx->hash[4]; u64 f = ctx->hash[5]; - u64 g = ctx->hash[6]; u64 h = ctx->hash[7]; - - FOR (j, 0, 16) { - u64 in = K[j] + ctx->input[j]; - u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in; - u64 t2 = big_sigma0(a) + maj(a, b, c); - h = g; g = f; f = e; e = d + t1; - d = c; c = b; b = a; a = t1 + t2; - } - size_t i16 = 0; - FOR(i, 1, 5) { - i16 += 16; - FOR (j, 0, 16) { - ctx->input[j] += lit_sigma1(ctx->input[(j- 2) & 15]); - ctx->input[j] += lit_sigma0(ctx->input[(j-15) & 15]); - ctx->input[j] += ctx->input[(j- 7) & 15]; - u64 in = K[i16 + j] + ctx->input[j]; - u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in; - u64 t2 = big_sigma0(a) + maj(a, b, c); - h = g; g = f; f = e; e = d + t1; - d = c; c = b; b = a; a = t1 + t2; - } - } - - ctx->hash[0] += a; ctx->hash[1] += b; - ctx->hash[2] += c; ctx->hash[3] += d; - ctx->hash[4] += e; ctx->hash[5] += f; - ctx->hash[6] += g; ctx->hash[7] += h; + u64 a = ctx->hash[0]; u64 b = ctx->hash[1]; + u64 c = ctx->hash[2]; u64 d = ctx->hash[3]; + u64 e = ctx->hash[4]; u64 f = ctx->hash[5]; + u64 g = ctx->hash[6]; u64 h = ctx->hash[7]; + + FOR (j, 0, 16) { + u64 in = K[j] + ctx->input[j]; + u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in; + u64 t2 = big_sigma0(a) + maj(a, b, c); + h = g; g = f; f = e; e = d + t1; + d = c; c = b; b = a; a = t1 + t2; + } + size_t i16 = 0; + FOR(i, 1, 5) { + i16 += 16; + FOR (j, 0, 16) { + ctx->input[j] += lit_sigma1(ctx->input[(j- 2) & 15]); + ctx->input[j] += lit_sigma0(ctx->input[(j-15) & 15]); + ctx->input[j] += ctx->input[(j- 7) & 15]; + u64 in = K[i16 + j] + ctx->input[j]; + u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in; + u64 t2 = big_sigma0(a) + maj(a, b, c); + h = g; g = f; f = e; e = d + t1; + d = c; c = b; b = a; a = t1 + t2; + } + } + + ctx->hash[0] += a; ctx->hash[1] += b; + ctx->hash[2] += c; ctx->hash[3] += d; + ctx->hash[4] += e; ctx->hash[5] += f; + ctx->hash[6] += g; ctx->hash[7] += h; } static void sha512_set_input(crypto_sha512_ctx *ctx, u8 input) { - if (ctx->input_idx == 0) { - ZERO(ctx->input, 16); - } - size_t word = ctx->input_idx >> 3; - size_t byte = ctx->input_idx & 7; - ctx->input[word] |= (u64)input << (8 * (7 - byte)); + if (ctx->input_idx == 0) { + ZERO(ctx->input, 16); + } + size_t word = ctx->input_idx >> 3; + size_t byte = ctx->input_idx & 7; + ctx->input[word] |= (u64)input << (8 * (7 - byte)); } // increment a 128-bit "word". static void sha512_incr(u64 x[2], u64 y) { - x[1] += y; - if (x[1] < y) { - x[0]++; - } + x[1] += y; + if (x[1] < y) { + x[0]++; + } } static void sha512_end_block(crypto_sha512_ctx *ctx) { - if (ctx->input_idx == 128) { - sha512_incr(ctx->input_size, 1024); // size is in bits - sha512_compress(ctx); - ctx->input_idx = 0; - } + if (ctx->input_idx == 128) { + sha512_incr(ctx->input_size, 1024); // size is in bits + sha512_compress(ctx); + ctx->input_idx = 0; + } } static void sha512_update(crypto_sha512_ctx *ctx, const u8 *message, size_t message_size) { - FOR (i, 0, message_size) { - sha512_set_input(ctx, message[i]); - ctx->input_idx++; - sha512_end_block(ctx); - } + FOR (i, 0, message_size) { + sha512_set_input(ctx, message[i]); + ctx->input_idx++; + sha512_end_block(ctx); + } } void crypto_sha512_init(crypto_sha512_ctx *ctx) { - ctx->hash[0] = 0x6a09e667f3bcc908; - ctx->hash[1] = 0xbb67ae8584caa73b; - ctx->hash[2] = 0x3c6ef372fe94f82b; - ctx->hash[3] = 0xa54ff53a5f1d36f1; - ctx->hash[4] = 0x510e527fade682d1; - ctx->hash[5] = 0x9b05688c2b3e6c1f; - ctx->hash[6] = 0x1f83d9abfb41bd6b; - ctx->hash[7] = 0x5be0cd19137e2179; - ctx->input_size[0] = 0; - ctx->input_size[1] = 0; - ctx->input_idx = 0; + ctx->hash[0] = 0x6a09e667f3bcc908; + ctx->hash[1] = 0xbb67ae8584caa73b; + ctx->hash[2] = 0x3c6ef372fe94f82b; + ctx->hash[3] = 0xa54ff53a5f1d36f1; + ctx->hash[4] = 0x510e527fade682d1; + ctx->hash[5] = 0x9b05688c2b3e6c1f; + ctx->hash[6] = 0x1f83d9abfb41bd6b; + ctx->hash[7] = 0x5be0cd19137e2179; + ctx->input_size[0] = 0; + ctx->input_size[1] = 0; + ctx->input_idx = 0; } void crypto_sha512_update(crypto_sha512_ctx *ctx, const u8 *message, size_t message_size) { - if (message_size == 0) { - return; - } - // Align ourselves with block boundaries - size_t aligned = MIN(align(ctx->input_idx, 128), message_size); - sha512_update(ctx, message, aligned); - message += aligned; - message_size -= aligned; - - // Process the message block by block - FOR (i, 0, message_size / 128) { // number of blocks - FOR (j, 0, 16) { - ctx->input[j] = load64_be(message + j*8); - } - message += 128; - ctx->input_idx += 128; - sha512_end_block(ctx); - } - message_size &= 127; - - // remaining bytes - sha512_update(ctx, message, message_size); + if (message_size == 0) { + return; + } + // Align ourselves with block boundaries + size_t aligned = MIN(align(ctx->input_idx, 128), message_size); + sha512_update(ctx, message, aligned); + message += aligned; + message_size -= aligned; + + // Process the message block by block + FOR (i, 0, message_size / 128) { // number of blocks + FOR (j, 0, 16) { + ctx->input[j] = load64_be(message + j*8); + } + message += 128; + ctx->input_idx += 128; + sha512_end_block(ctx); + } + message_size &= 127; + + // remaining bytes + sha512_update(ctx, message, message_size); } void crypto_sha512_final(crypto_sha512_ctx *ctx, u8 hash[64]) { - sha512_incr(ctx->input_size, ctx->input_idx * 8); // size is in bits - sha512_set_input(ctx, 128); // padding - - // compress penultimate block (if any) - if (ctx->input_idx > 111) { - sha512_compress(ctx); - ZERO(ctx->input, 14); - } - // compress last block - ctx->input[14] = ctx->input_size[0]; - ctx->input[15] = ctx->input_size[1]; - sha512_compress(ctx); - - // copy hash to output (big endian) - FOR (i, 0, 8) { - store64_be(hash + i*8, ctx->hash[i]); - } - - WIPE_CTX(ctx); + sha512_incr(ctx->input_size, ctx->input_idx * 8); // size is in bits + sha512_set_input(ctx, 128); // padding + + // compress penultimate block (if any) + if (ctx->input_idx > 111) { + sha512_compress(ctx); + ZERO(ctx->input, 14); + } + // compress last block + ctx->input[14] = ctx->input_size[0]; + ctx->input[15] = ctx->input_size[1]; + sha512_compress(ctx); + + // copy hash to output (big endian) + FOR (i, 0, 8) { + store64_be(hash + i*8, ctx->hash[i]); + } + + WIPE_CTX(ctx); } void crypto_sha512(u8 hash[64], const u8 *message, size_t message_size) { - crypto_sha512_ctx ctx; - crypto_sha512_init (&ctx); - crypto_sha512_update(&ctx, message, message_size); - crypto_sha512_final (&ctx, hash); + crypto_sha512_ctx ctx; + crypto_sha512_init (&ctx); + crypto_sha512_update(&ctx, message, message_size); + crypto_sha512_final (&ctx, hash); } static void sha512_vtable_init(void *ctx) { - crypto_sha512_init(&((crypto_sign_ed25519_ctx*)ctx)->hash); + crypto_sha512_init(&((crypto_sign_ed25519_ctx*)ctx)->hash); } static void sha512_vtable_update(void *ctx, const u8 *m, size_t s) { - crypto_sha512_update(&((crypto_sign_ed25519_ctx*)ctx)->hash, m, s); + crypto_sha512_update(&((crypto_sign_ed25519_ctx*)ctx)->hash, m, s); } static void sha512_vtable_final(void *ctx, u8 *h) { - crypto_sha512_final(&((crypto_sign_ed25519_ctx*)ctx)->hash, h); + crypto_sha512_final(&((crypto_sign_ed25519_ctx*)ctx)->hash, h); } const crypto_sign_vtable crypto_sha512_vtable = { - crypto_sha512, - sha512_vtable_init, - sha512_vtable_update, - sha512_vtable_final, - sizeof(crypto_sign_ed25519_ctx), + crypto_sha512, + sha512_vtable_init, + sha512_vtable_update, + sha512_vtable_final, + sizeof(crypto_sign_ed25519_ctx), }; //////////////////// @@ -306,49 +306,49 @@ const crypto_sign_vtable crypto_sha512_vtable = { void crypto_hmac_sha512_init(crypto_hmac_sha512_ctx *ctx, const u8 *key, size_t key_size) { - // hash key if it is too long - if (key_size > 128) { - crypto_sha512(ctx->key, key, key_size); - key = ctx->key; - key_size = 64; - } - // Compute inner key: padded key XOR 0x36 - FOR (i, 0, key_size) { ctx->key[i] = key[i] ^ 0x36; } - FOR (i, key_size, 128) { ctx->key[i] = 0x36; } - // Start computing inner hash - crypto_sha512_init (&ctx->ctx); - crypto_sha512_update(&ctx->ctx, ctx->key, 128); + // hash key if it is too long + if (key_size > 128) { + crypto_sha512(ctx->key, key, key_size); + key = ctx->key; + key_size = 64; + } + // Compute inner key: padded key XOR 0x36 + FOR (i, 0, key_size) { ctx->key[i] = key[i] ^ 0x36; } + FOR (i, key_size, 128) { ctx->key[i] = 0x36; } + // Start computing inner hash + crypto_sha512_init (&ctx->ctx); + crypto_sha512_update(&ctx->ctx, ctx->key, 128); } void crypto_hmac_sha512_update(crypto_hmac_sha512_ctx *ctx, const u8 *message, size_t message_size) { - crypto_sha512_update(&ctx->ctx, message, message_size); + crypto_sha512_update(&ctx->ctx, message, message_size); } void crypto_hmac_sha512_final(crypto_hmac_sha512_ctx *ctx, u8 hmac[64]) { - // Finish computing inner hash - crypto_sha512_final(&ctx->ctx, hmac); - // Compute outer key: padded key XOR 0x5c - FOR (i, 0, 128) { - ctx->key[i] ^= 0x36 ^ 0x5c; - } - // Compute outer hash - crypto_sha512_init (&ctx->ctx); - crypto_sha512_update(&ctx->ctx, ctx->key , 128); - crypto_sha512_update(&ctx->ctx, hmac, 64); - crypto_sha512_final (&ctx->ctx, hmac); // outer hash - WIPE_CTX(ctx); + // Finish computing inner hash + crypto_sha512_final(&ctx->ctx, hmac); + // Compute outer key: padded key XOR 0x5c + FOR (i, 0, 128) { + ctx->key[i] ^= 0x36 ^ 0x5c; + } + // Compute outer hash + crypto_sha512_init (&ctx->ctx); + crypto_sha512_update(&ctx->ctx, ctx->key , 128); + crypto_sha512_update(&ctx->ctx, hmac, 64); + crypto_sha512_final (&ctx->ctx, hmac); // outer hash + WIPE_CTX(ctx); } void crypto_hmac_sha512(u8 hmac[64], const u8 *key, size_t key_size, const u8 *message, size_t message_size) { - crypto_hmac_sha512_ctx ctx; - crypto_hmac_sha512_init (&ctx, key, key_size); - crypto_hmac_sha512_update(&ctx, message, message_size); - crypto_hmac_sha512_final (&ctx, hmac); + crypto_hmac_sha512_ctx ctx; + crypto_hmac_sha512_init (&ctx, key, key_size); + crypto_hmac_sha512_update(&ctx, message, message_size); + crypto_hmac_sha512_final (&ctx, hmac); } @@ -359,24 +359,24 @@ void crypto_hmac_sha512(u8 hmac[64], const u8 *key, size_t key_size, void crypto_ed25519_public_key(u8 public_key[32], const u8 secret_key[32]) { - crypto_sign_public_key_custom_hash(public_key, secret_key, - &crypto_sha512_vtable); + crypto_sign_public_key_custom_hash(public_key, secret_key, + &crypto_sha512_vtable); } void crypto_ed25519_sign_init_first_pass(crypto_sign_ctx_abstract *ctx, const u8 secret_key[32], const u8 public_key[32]) { - crypto_sign_init_first_pass_custom_hash(ctx, secret_key, public_key, - &crypto_sha512_vtable); + crypto_sign_init_first_pass_custom_hash(ctx, secret_key, public_key, + &crypto_sha512_vtable); } void crypto_ed25519_check_init(crypto_check_ctx_abstract *ctx, const u8 signature[64], const u8 public_key[32]) { - crypto_check_init_custom_hash(ctx, signature, public_key, - &crypto_sha512_vtable); + crypto_check_init_custom_hash(ctx, signature, public_key, + &crypto_sha512_vtable); } void crypto_ed25519_sign(u8 signature [64], @@ -384,32 +384,32 @@ void crypto_ed25519_sign(u8 signature [64], const u8 public_key[32], const u8 *message, size_t message_size) { - crypto_sign_ed25519_ctx ctx; - crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&ctx; - crypto_ed25519_sign_init_first_pass (actx, secret_key, public_key); - crypto_ed25519_sign_update (actx, message, message_size); - crypto_ed25519_sign_init_second_pass(actx); - crypto_ed25519_sign_update (actx, message, message_size); - crypto_ed25519_sign_final (actx, signature); + crypto_sign_ed25519_ctx ctx; + crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&ctx; + crypto_ed25519_sign_init_first_pass (actx, secret_key, public_key); + crypto_ed25519_sign_update (actx, message, message_size); + crypto_ed25519_sign_init_second_pass(actx); + crypto_ed25519_sign_update (actx, message, message_size); + crypto_ed25519_sign_final (actx, signature); } int crypto_ed25519_check(const u8 signature [64], const u8 public_key[32], const u8 *message, size_t message_size) { - crypto_check_ed25519_ctx ctx; - crypto_check_ctx_abstract *actx = (crypto_check_ctx_abstract*)&ctx; - crypto_ed25519_check_init (actx, signature, public_key); - crypto_ed25519_check_update(actx, message, message_size); - return crypto_ed25519_check_final(actx); + crypto_check_ed25519_ctx ctx; + crypto_check_ctx_abstract *actx = (crypto_check_ctx_abstract*)&ctx; + crypto_ed25519_check_init (actx, signature, public_key); + crypto_ed25519_check_update(actx, message, message_size); + return crypto_ed25519_check_final(actx); } void crypto_from_ed25519_private(u8 x25519[32], const u8 eddsa[32]) { - u8 a[64]; - crypto_sha512(a, eddsa, 32); - COPY(x25519, a, 32); - WIPE_BUFFER(a); + u8 a[64]; + crypto_sha512(a, eddsa, 32); + COPY(x25519, a, 32); + WIPE_BUFFER(a); } #ifdef MONOCYPHER_CPP_NAMESPACE diff --git a/src/optional/monocypher-ed25519.h b/src/optional/monocypher-ed25519.h index 98ffbd1..07ef9be 100644 --- a/src/optional/monocypher-ed25519.h +++ b/src/optional/monocypher-ed25519.h @@ -69,20 +69,20 @@ extern "C" { // Do not rely on the size or content on any of those types, // they may change without notice. typedef struct { - uint64_t hash[8]; - uint64_t input[16]; - uint64_t input_size[2]; - size_t input_idx; + uint64_t hash[8]; + uint64_t input[16]; + uint64_t input_size[2]; + size_t input_idx; } crypto_sha512_ctx; typedef struct { - uint8_t key[128]; - crypto_sha512_ctx ctx; + uint8_t key[128]; + crypto_sha512_ctx ctx; } crypto_hmac_sha512_ctx; typedef struct { - crypto_sign_ctx_abstract ctx; - crypto_sha512_ctx hash; + crypto_sign_ctx_abstract ctx; + crypto_sha512_ctx hash; } crypto_sign_ed25519_ctx; typedef crypto_sign_ed25519_ctx crypto_check_ed25519_ctx; @@ -92,7 +92,8 @@ void crypto_sha512_init (crypto_sha512_ctx *ctx); void crypto_sha512_update(crypto_sha512_ctx *ctx, const uint8_t *message, size_t message_size); void crypto_sha512_final (crypto_sha512_ctx *ctx, uint8_t hash[64]); -void crypto_sha512(uint8_t hash[64], const uint8_t *message, size_t message_size); +void crypto_sha512(uint8_t hash[64], + const uint8_t *message, size_t message_size); // vtable for signatures extern const crypto_sign_vtable crypto_sha512_vtable; diff --git a/tests/ctgrind.c b/tests/ctgrind.c index 9d954f4..35e963a 100644 --- a/tests/ctgrind.c +++ b/tests/ctgrind.c @@ -58,220 +58,220 @@ static void verify16() { - u8 a[16]; - u8 b[16]; - crypto_verify16(a, b); + u8 a[16]; + u8 b[16]; + crypto_verify16(a, b); } static void verify32() { - u8 a[32]; - u8 b[32]; - crypto_verify32(a, b); + u8 a[32]; + u8 b[32]; + crypto_verify32(a, b); } static void verify64() { - u8 a[64]; - u8 b[64]; - crypto_verify64(a, b); + u8 a[64]; + u8 b[64]; + crypto_verify64(a, b); } static void wipe() { - FOR (i, 0, 128) { - u8 secret[128]; - crypto_wipe(secret, i); - } + FOR (i, 0, 128) { + u8 secret[128]; + crypto_wipe(secret, i); + } } static void lock_aead() { - FOR(i, 0, 128) { - u8 mac [ 16]; - u8 cipher_text[128]; - u8 key [ 32]; - u8 nonce [ 24]; - u8 ad [128]; - u8 plain_text [128]; - crypto_lock_aead(mac, cipher_text, key, nonce, ad, i, plain_text, i); - } + FOR(i, 0, 128) { + u8 mac [ 16]; + u8 cipher_text[128]; + u8 key [ 32]; + u8 nonce [ 24]; + u8 ad [128]; + u8 plain_text [128]; + crypto_lock_aead(mac, cipher_text, key, nonce, ad, i, plain_text, i); + } } static void unlock_aead() { - FOR(i, 0, 128) { - u8 plain_text [128]; - u8 key [ 32]; - u8 nonce [ 24]; - u8 mac [ 16]; - u8 ad [128]; - u8 cipher_text[128]; - crypto_unlock_aead(plain_text, key, nonce, mac, ad, i, cipher_text, i); - } + FOR(i, 0, 128) { + u8 plain_text [128]; + u8 key [ 32]; + u8 nonce [ 24]; + u8 mac [ 16]; + u8 ad [128]; + u8 cipher_text[128]; + crypto_unlock_aead(plain_text, key, nonce, mac, ad, i, cipher_text, i); + } } static void blake2b_general() { - FOR (i, 0, 256) { - u8 hash [ 64]; - u8 key [ 64]; - u8 message[256]; - crypto_blake2b_general(hash, 64, key, 0, message, i); - } - FOR (i, 0, 64) { - u8 hash [ 64]; - u8 key [ 64]; - u8 message[256]; - crypto_blake2b_general(hash, 64, key, i, message, 128); - } - FOR (i, 0, 64) { - u8 hash [ 64]; - u8 key [ 64]; - u8 message[256]; - crypto_blake2b_general(hash, i, key, 0, message, 0); - } + FOR (i, 0, 256) { + u8 hash [ 64]; + u8 key [ 64]; + u8 message[256]; + crypto_blake2b_general(hash, 64, key, 0, message, i); + } + FOR (i, 0, 64) { + u8 hash [ 64]; + u8 key [ 64]; + u8 message[256]; + crypto_blake2b_general(hash, 64, key, i, message, 128); + } + FOR (i, 0, 64) { + u8 hash [ 64]; + u8 key [ 64]; + u8 message[256]; + crypto_blake2b_general(hash, i, key, 0, message, 0); + } } static void argon2i_general() { - void *work_area = alloc(1024 * 600); - u8 hash [ 32]; - u8 password[ 16]; - u8 salt [ 16]; - u8 key [ 32]; - u8 ad [128]; - crypto_argon2i_general(hash, 32, work_area, 600, 3, - password, 16, salt, 16, key, 32, ad, 128); - free(work_area); + void *work_area = alloc(1024 * 600); + u8 hash [ 32]; + u8 password[ 16]; + u8 salt [ 16]; + u8 key [ 32]; + u8 ad [128]; + crypto_argon2i_general(hash, 32, work_area, 600, 3, + password, 16, salt, 16, key, 32, ad, 128); + free(work_area); } static void key_exchange() { - u8 shared_key [32]; - u8 your_secret_key [32]; - u8 their_public_key[32]; - crypto_key_exchange(shared_key, your_secret_key, their_public_key); + u8 shared_key [32]; + u8 your_secret_key [32]; + u8 their_public_key[32]; + crypto_key_exchange(shared_key, your_secret_key, their_public_key); } static void sign_public_key() { - u8 public_key[32]; - u8 secret_key[32]; - crypto_sign_public_key(public_key, secret_key); + u8 public_key[32]; + u8 secret_key[32]; + crypto_sign_public_key(public_key, secret_key); } static void sign() { - u8 signature [64]; - u8 secret_key[32]; - u8 public_key[32]; - u8 message [64]; - crypto_sign(signature, secret_key, public_key, message, 64); + u8 signature [64]; + u8 secret_key[32]; + u8 public_key[32]; + u8 message [64]; + crypto_sign(signature, secret_key, public_key, message, 64); } static void from_eddsa_private() { - u8 x25519[32]; - u8 eddsa [32]; - crypto_from_eddsa_private(x25519, eddsa); + u8 x25519[32]; + u8 eddsa [32]; + crypto_from_eddsa_private(x25519, eddsa); } static void from_eddsa_public() { - u8 x25519[32]; - u8 eddsa [32]; - crypto_from_eddsa_public(x25519, eddsa); + u8 x25519[32]; + u8 eddsa [32]; + crypto_from_eddsa_public(x25519, eddsa); } static void hidden_to_curve() { - u8 curve [32]; - u8 hidden[32]; - crypto_hidden_to_curve(curve, hidden); + u8 curve [32]; + u8 hidden[32]; + crypto_hidden_to_curve(curve, hidden); } static void curve_to_hidden() { - u8 hidden[32]; - u8 curve [32]; - u8 tweak; // The compiler notices this one is used uninitialised - crypto_curve_to_hidden(hidden, curve, tweak); + u8 hidden[32]; + u8 curve [32]; + u8 tweak; // The compiler notices this one is used uninitialised + crypto_curve_to_hidden(hidden, curve, tweak); } static void hidden_key_pair() { - u8 hidden [32]; - u8 secret_key[32]; - u8 seed [32]; - crypto_hidden_key_pair(hidden, secret_key,seed); + u8 hidden [32]; + u8 secret_key[32]; + u8 seed [32]; + crypto_hidden_key_pair(hidden, secret_key,seed); } static void h_chacha20() { - u8 out[32], key[32], in[16]; - crypto_hchacha20(out, key, in); + u8 out[32], key[32], in[16]; + crypto_hchacha20(out, key, in); } static void chacha20() { - FOR (i, 0, 128) { - u8 cipher_text[128]; - u8 plain_text [128]; - u8 key [ 32]; - u8 nonce [ 8]; - crypto_chacha20(cipher_text, plain_text, i, key, nonce); - } + FOR (i, 0, 128) { + u8 cipher_text[128]; + u8 plain_text [128]; + u8 key [ 32]; + u8 nonce [ 8]; + crypto_chacha20(cipher_text, plain_text, i, key, nonce); + } } static void xchacha20() { - FOR (i, 0, 128) { - u8 cipher_text[128]; - u8 plain_text [128]; - u8 key [ 32]; - u8 nonce [ 24]; - crypto_xchacha20(cipher_text, plain_text, i, key, nonce); - } + FOR (i, 0, 128) { + u8 cipher_text[128]; + u8 plain_text [128]; + u8 key [ 32]; + u8 nonce [ 24]; + crypto_xchacha20(cipher_text, plain_text, i, key, nonce); + } } static void ietf_chacha20() { - FOR (i, 0, 128) { - u8 cipher_text[128]; - u8 plain_text [128]; - u8 key [ 32]; - u8 nonce [ 12]; - crypto_ietf_chacha20(cipher_text, plain_text, i, key, nonce); - } + FOR (i, 0, 128) { + u8 cipher_text[128]; + u8 plain_text [128]; + u8 key [ 32]; + u8 nonce [ 12]; + crypto_ietf_chacha20(cipher_text, plain_text, i, key, nonce); + } } static void poly1305() { - FOR (i, 0, 32) { - u8 mac [16]; - u8 message [32]; - u8 key [32]; - crypto_poly1305(mac, message, i, key); - } + FOR (i, 0, 32) { + u8 mac [16]; + u8 message [32]; + u8 key [32]; + crypto_poly1305(mac, message, i, key); + } } static void x25519_dirty_small() { - u8 pk[32]; - u8 sk[32]; - crypto_x25519_dirty_small(pk, sk); + u8 pk[32]; + u8 sk[32]; + crypto_x25519_dirty_small(pk, sk); } static void x25519_dirty_fast() { - u8 pk[32]; - u8 sk[32]; - crypto_x25519_dirty_fast(pk, sk); + u8 pk[32]; + u8 sk[32]; + crypto_x25519_dirty_fast(pk, sk); } static void x25519_inverse() { - u8 blind_salt [32]; - u8 private_key[32]; - u8 curve_point[32]; - crypto_x25519_inverse(blind_salt, private_key, curve_point); + u8 blind_salt [32]; + u8 private_key[32]; + u8 curve_point[32]; + crypto_x25519_inverse(blind_salt, private_key, curve_point); } @@ -279,31 +279,31 @@ static void x25519_inverse() int main() { - RUN(verify16 , "constant time"); - RUN(verify32 , "constant time"); - RUN(verify64 , "constant time"); - RUN(wipe , "constant time"); - RUN(lock_aead , "constant time"); - RUN(unlock_aead , "1 conditional"); - RUN(blake2b_general , "constant time"); - RUN(argon2i_general , "constant time"); - RUN(key_exchange , "constant time"); - RUN(sign_public_key , "constant time"); - RUN(sign , "constant time"); - printf( "skipped : crypto_check.\n"); - RUN(from_eddsa_private, "constant time"); - RUN(from_eddsa_public , "constant time"); - RUN(hidden_to_curve , "constant time"); - RUN(curve_to_hidden , "1 conditional"); - RUN(hidden_key_pair , "1 conditional"); // shouldn't that be 2? - RUN(h_chacha20 , "constant time"); - RUN(chacha20 , "constant time"); - RUN(xchacha20 , "constant time"); - RUN(ietf_chacha20 , "constant time"); - RUN(poly1305 , "constant time"); - RUN(x25519_dirty_small, "constant time"); - RUN(x25519_dirty_fast , "constant time"); - RUN(x25519_inverse , "constant time"); + RUN(verify16 , "constant time"); + RUN(verify32 , "constant time"); + RUN(verify64 , "constant time"); + RUN(wipe , "constant time"); + RUN(lock_aead , "constant time"); + RUN(unlock_aead , "1 conditional"); + RUN(blake2b_general , "constant time"); + RUN(argon2i_general , "constant time"); + RUN(key_exchange , "constant time"); + RUN(sign_public_key , "constant time"); + RUN(sign , "constant time"); + printf( "skipped : crypto_check.\n"); + RUN(from_eddsa_private, "constant time"); + RUN(from_eddsa_public , "constant time"); + RUN(hidden_to_curve , "constant time"); + RUN(curve_to_hidden , "1 conditional"); + RUN(hidden_key_pair , "1 conditional"); // shouldn't that be 2? + RUN(h_chacha20 , "constant time"); + RUN(chacha20 , "constant time"); + RUN(xchacha20 , "constant time"); + RUN(ietf_chacha20 , "constant time"); + RUN(poly1305 , "constant time"); + RUN(x25519_dirty_small, "constant time"); + RUN(x25519_dirty_fast , "constant time"); + RUN(x25519_inverse , "constant time"); - return 0; + return 0; } diff --git a/tests/gen/aead_ietf.c b/tests/gen/aead_ietf.c index b0dd13e..a45547e 100644 --- a/tests/gen/aead_ietf.c +++ b/tests/gen/aead_ietf.c @@ -54,30 +54,30 @@ static void test(size_t text_size, size_t ad_size) { - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 24); - RANDOM_INPUT(ad , 32); // ad size <= 32 - RANDOM_INPUT(text , 128); // text_size <= 128 - u8 out[16 + 128]; // text_size <= 128 + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 24); + RANDOM_INPUT(ad , 32); // ad size <= 32 + RANDOM_INPUT(text , 128); // text_size <= 128 + u8 out[16 + 128]; // text_size <= 128 - crypto_aead_xchacha20poly1305_ietf_encrypt_detached( - out + 16, out, 0, text, text_size, ad, ad_size, 0, nonce, key); + crypto_aead_xchacha20poly1305_ietf_encrypt_detached( + out + 16, out, 0, text, text_size, ad, ad_size, 0, nonce, key); - print_vector(key , 32); - print_vector(nonce , 24); - print_vector(ad , ad_size); - print_vector(text , text_size); - print_vector(out , text_size + 16); - printf("\n"); + print_vector(key , 32); + print_vector(nonce , 24); + print_vector(ad , ad_size); + print_vector(text , text_size); + print_vector(out , text_size + 16); + printf("\n"); } int main(void) { - SODIUM_INIT; - // regular tests - FOR (text_size, 0, 128) { test(text_size, 0); } - FOR (text_size, 0, 128) { test(text_size, 4); } - FOR ( ad_size, 0, 32) { test(0, ad_size); } - FOR ( ad_size, 0, 32) { test(16, ad_size); } - return 0; + SODIUM_INIT; + // regular tests + FOR (text_size, 0, 128) { test(text_size, 0); } + FOR (text_size, 0, 128) { test(text_size, 4); } + FOR ( ad_size, 0, 32) { test(0, ad_size); } + FOR ( ad_size, 0, 32) { test(16, ad_size); } + return 0; } diff --git a/tests/gen/argon2i.c b/tests/gen/argon2i.c index 34b79c2..d22e7a5 100644 --- a/tests/gen/argon2i.c +++ b/tests/gen/argon2i.c @@ -54,35 +54,35 @@ static void test(size_t nb_blocks, size_t hash_size, size_t nb_iterations) { - RANDOM_INPUT(password, 16 ); - RANDOM_INPUT(salt , crypto_pwhash_SALTBYTES); - u8 hash[256]; + RANDOM_INPUT(password, 16 ); + RANDOM_INPUT(salt , crypto_pwhash_SALTBYTES); + u8 hash[256]; - if (crypto_pwhash(hash, hash_size, (char*)password, 16, salt, - nb_iterations, nb_blocks * 1024, - crypto_pwhash_ALG_ARGON2I13)) { - fprintf(stderr, "Argon2i failed. " - "nb_blocks = %lu, " - "hash_size = %lu " - "nb_iterations = %lu\n", - nb_blocks, hash_size, nb_iterations); - printf(":deadbeef:\n"); // prints a canary to fail subsequent tests - } + if (crypto_pwhash(hash, hash_size, (char*)password, 16, salt, + nb_iterations, nb_blocks * 1024, + crypto_pwhash_ALG_ARGON2I13)) { + fprintf(stderr, "Argon2i failed. " + "nb_blocks = %lu, " + "hash_size = %lu " + "nb_iterations = %lu\n", + nb_blocks, hash_size, nb_iterations); + printf(":deadbeef:\n"); // prints a canary to fail subsequent tests + } - print_number(nb_blocks ); - print_number(nb_iterations ); - print_vector(password, 16 ); - print_vector(salt , crypto_pwhash_SALTBYTES); - printf(":\n:\n"); // no key, no additionnal data - print_vector(hash , hash_size ); - printf("\n"); + print_number(nb_blocks ); + print_number(nb_iterations ); + print_vector(password, 16 ); + print_vector(salt , crypto_pwhash_SALTBYTES); + printf(":\n:\n"); // no key, no additionnal data + print_vector(hash , hash_size ); + printf("\n"); } int main(void) { - SODIUM_INIT; - FOR (nb_blocks , 508, 516) { test(nb_blocks, 32 , 3 ); } - FOR (hash_size , 63, 65) { test(8 , hash_size, 3 ); } - FOR (nb_iterations, 3, 6) { test(8 , 32 , nb_iterations); } - return 0; + SODIUM_INIT; + FOR (nb_blocks , 508, 516) { test(nb_blocks, 32 , 3 ); } + FOR (hash_size , 63, 65) { test(8 , hash_size, 3 ); } + FOR (nb_iterations, 3, 6) { test(8 , 32 , nb_iterations); } + return 0; } diff --git a/tests/gen/blake2b.c b/tests/gen/blake2b.c index ec961b6..97b629b 100644 --- a/tests/gen/blake2b.c +++ b/tests/gen/blake2b.c @@ -54,30 +54,30 @@ static void test(size_t size, size_t key_size, size_t hash_size) { - RANDOM_INPUT(in , 256); - RANDOM_INPUT(key , 64); - u8 hash[64]; + RANDOM_INPUT(in , 256); + RANDOM_INPUT(key , 64); + u8 hash[64]; - crypto_generichash(hash, hash_size, in, size, key, key_size); + crypto_generichash(hash, hash_size, in, size, key, key_size); - print_vector(in , size); - print_vector(key , key_size); - print_vector(hash, hash_size); - printf("\n"); + print_vector(in , size); + print_vector(key , key_size); + print_vector(hash, hash_size); + printf("\n"); } int main(void) { - SODIUM_INIT; - // Official test vectors test for all message sizes, so no need to - // repeat ourselves here. However they only test keys and hashes of size 64. - // Here we're testing many possible key and hash sizes. - for (size_t key_size = 0; key_size <= 64; key_size += 16) { - for (size_t hash_size = 0; hash_size <= 64; hash_size += 16) { - for (size_t input_size = 0; input_size <= 256; input_size += 16) { - test(input_size, key_size, hash_size); - } - } - } - return 0; + SODIUM_INIT; + // Official test vectors test for all message sizes, so no need to + // repeat ourselves here. However they only test keys and hashes of size 64. + // Here we're testing many possible key and hash sizes. + for (size_t key_size = 0; key_size <= 64; key_size += 16) { + for (size_t hash_size = 0; hash_size <= 64; hash_size += 16) { + for (size_t input_size = 0; input_size <= 256; input_size += 16) { + test(input_size, key_size, hash_size); + } + } + } + return 0; } diff --git a/tests/gen/chacha20.c b/tests/gen/chacha20.c index b8caceb..1ebdc6d 100644 --- a/tests/gen/chacha20.c +++ b/tests/gen/chacha20.c @@ -54,29 +54,29 @@ static void test(size_t size, u64 ctr) { - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 8); - RANDOM_INPUT(in , 128); // size <= 128 - u8 out [128]; // size <= 128 + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 8); + RANDOM_INPUT(in , 128); // size <= 128 + u8 out [128]; // size <= 128 - crypto_stream_chacha20_xor_ic(out, in, size, nonce, ctr, key); + crypto_stream_chacha20_xor_ic(out, in, size, nonce, ctr, key); - print_vector(key , 32); - print_vector(nonce , 8); - print_vector(in , size); - print_number(ctr ); - print_vector(out, size); - printf("\n"); + print_vector(key , 32); + print_vector(nonce , 8); + print_vector(in , size); + print_number(ctr ); + print_vector(out, size); + printf("\n"); } int main(void) { - SODIUM_INIT; - // regular tests - FOR (size, 0, 128) { test(size, rand64()); } - // counter overflow (should wrap around) - test(128, -1); - test(128, -2); - test(128, -3); - return 0; + SODIUM_INIT; + // regular tests + FOR (size, 0, 128) { test(size, rand64()); } + // counter overflow (should wrap around) + test(128, -1); + test(128, -2); + test(128, -3); + return 0; } diff --git a/tests/gen/edDSA.c b/tests/gen/edDSA.c index 6e61abe..835344d 100644 --- a/tests/gen/edDSA.c +++ b/tests/gen/edDSA.c @@ -54,21 +54,21 @@ static void test(size_t msg_size) { - RANDOM_INPUT(sk , 32); - RANDOM_INPUT(msg, 256); - u8 pk[32], sig[64]; + RANDOM_INPUT(sk , 32); + RANDOM_INPUT(msg, 256); + u8 pk[32], sig[64]; - ed25519_publickey(sk, pk); - ed25519_sign(msg, msg_size, sk, pk, sig); + ed25519_publickey(sk, pk); + ed25519_sign(msg, msg_size, sk, pk, sig); - print_vector(sk , 32 ); - print_vector(pk , 32 ); - print_vector(msg, msg_size); - print_vector(sig, 64 ); + print_vector(sk , 32 ); + print_vector(pk , 32 ); + print_vector(msg, msg_size); + print_vector(sig, 64 ); } int main(void) { - FOR (msg_size, 0, 256) { test(msg_size); } - return 0; + FOR (msg_size, 0, 256) { test(msg_size); } + return 0; } diff --git a/tests/gen/edDSA_pk.c b/tests/gen/edDSA_pk.c index 3794336..420bb2e 100644 --- a/tests/gen/edDSA_pk.c +++ b/tests/gen/edDSA_pk.c @@ -54,23 +54,23 @@ static void test(u8 sk[32]) { - u8 pk[32]; - ed25519_publickey(sk, pk); + u8 pk[32]; + ed25519_publickey(sk, pk); - print_vector(sk, 32); - print_vector(pk, 32); + print_vector(sk, 32); + print_vector(pk, 32); } int main(void) { - // random secret keys - FOR (msg_size, 0, 256) { - RANDOM_INPUT(sk, 32); - test(sk); - } - // zero secret key - u8 sk[32] = {0}; - test(sk); + // random secret keys + FOR (msg_size, 0, 256) { + RANDOM_INPUT(sk, 32); + test(sk); + } + // zero secret key + u8 sk[32] = {0}; + test(sk); - return 0; + return 0; } diff --git a/tests/gen/ed_25519.c b/tests/gen/ed_25519.c index 5626b1e..47a1c5a 100644 --- a/tests/gen/ed_25519.c +++ b/tests/gen/ed_25519.c @@ -54,22 +54,22 @@ static void test(size_t msg_size) { - RANDOM_INPUT(seed, 32); - RANDOM_INPUT(msg , 256); - u8 pk[32], sk[64], sig[64]; + RANDOM_INPUT(seed, 32); + RANDOM_INPUT(msg , 256); + u8 pk[32], sk[64], sig[64]; - crypto_sign_seed_keypair(pk, sk, seed); - crypto_sign_detached(sig, 0, msg, msg_size, sk); + crypto_sign_seed_keypair(pk, sk, seed); + crypto_sign_detached(sig, 0, msg, msg_size, sk); - print_vector(sk , 32 ); - print_vector(pk , 32 ); - print_vector(msg, msg_size); - print_vector(sig, 64 ); + print_vector(sk , 32 ); + print_vector(pk , 32 ); + print_vector(msg, msg_size); + print_vector(sig, 64 ); } int main(void) { - SODIUM_INIT; - FOR (msg_size, 0, 256) { test(msg_size); } - return 0; + SODIUM_INIT; + FOR (msg_size, 0, 256) { test(msg_size); } + return 0; } diff --git a/tests/gen/ed_25519_pk.c b/tests/gen/ed_25519_pk.c index d064f87..dc5db7e 100644 --- a/tests/gen/ed_25519_pk.c +++ b/tests/gen/ed_25519_pk.c @@ -54,24 +54,24 @@ static void test(u8 seed[32]) { - u8 pk[32]; - u8 sk[64]; - crypto_sign_seed_keypair(pk, sk, seed); - print_vector(sk, 32); - print_vector(pk, 32); + u8 pk[32]; + u8 sk[64]; + crypto_sign_seed_keypair(pk, sk, seed); + print_vector(sk, 32); + print_vector(pk, 32); } int main(void) { - SODIUM_INIT; - // random secret keys - FOR (msg_size, 0, 256) { - RANDOM_INPUT(sk, 32); - test(sk); - } - // zero secret key - u8 sk[32] = {0}; - test(sk); + SODIUM_INIT; + // random secret keys + FOR (msg_size, 0, 256) { + RANDOM_INPUT(sk, 32); + test(sk); + } + // zero secret key + u8 sk[32] = {0}; + test(sk); - return 0; + return 0; } diff --git a/tests/gen/hchacha20.c b/tests/gen/hchacha20.c index 754e3ec..55b5369 100644 --- a/tests/gen/hchacha20.c +++ b/tests/gen/hchacha20.c @@ -54,20 +54,20 @@ int main(void) { - SODIUM_INIT; + SODIUM_INIT; - FOR (size, 0, 50) { - RANDOM_INPUT(key , 32); - RANDOM_INPUT(in , 16); - u8 out[32]; + FOR (size, 0, 50) { + RANDOM_INPUT(key , 32); + RANDOM_INPUT(in , 16); + u8 out[32]; - crypto_core_hchacha20(out, in, key, 0); + crypto_core_hchacha20(out, in, key, 0); - print_vector(key , 32); - print_vector(in , 16); - print_vector(out , 32); - printf("\n"); - } + print_vector(key , 32); + print_vector(in , 16); + print_vector(out , 32); + printf("\n"); + } - return 0; + return 0; } diff --git a/tests/gen/hmac_sha512.c b/tests/gen/hmac_sha512.c index a4865ab..8d53a2f 100644 --- a/tests/gen/hmac_sha512.c +++ b/tests/gen/hmac_sha512.c @@ -54,26 +54,26 @@ static void test(size_t key_size, size_t msg_size) { - RANDOM_INPUT(key, 256); - RANDOM_INPUT(msg, 256); - u8 tag[64]; + RANDOM_INPUT(key, 256); + RANDOM_INPUT(msg, 256); + u8 tag[64]; - crypto_auth_hmacsha512_state ctx; - crypto_auth_hmacsha512_init (&ctx, key, key_size); - crypto_auth_hmacsha512_update(&ctx, msg, msg_size); - crypto_auth_hmacsha512_final (&ctx, tag); + crypto_auth_hmacsha512_state ctx; + crypto_auth_hmacsha512_init (&ctx, key, key_size); + crypto_auth_hmacsha512_update(&ctx, msg, msg_size); + crypto_auth_hmacsha512_final (&ctx, tag); - print_vector(key, key_size); - print_vector(msg, msg_size); - print_vector(tag, 64); - printf("\n"); + print_vector(key, key_size); + print_vector(msg, msg_size); + print_vector(tag, 64); + printf("\n"); } int main(void) { - SODIUM_INIT; - FOR (key_size, 0, 32) { test(key_size, 32); } - FOR (key_size, 120, 136) { test(key_size, 32); } - FOR (msg_size, 0, 256) { test(32, msg_size); } - return 0; + SODIUM_INIT; + FOR (key_size, 0, 32) { test(key_size, 32); } + FOR (key_size, 120, 136) { test(key_size, 32); } + FOR (msg_size, 0, 256) { test(32, msg_size); } + return 0; } diff --git a/tests/gen/ietf_chacha20.c b/tests/gen/ietf_chacha20.c index 784e2f2..21e01e9 100644 --- a/tests/gen/ietf_chacha20.c +++ b/tests/gen/ietf_chacha20.c @@ -54,24 +54,24 @@ static void test(size_t size, u32 ctr) { - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 12); - RANDOM_INPUT(in , 128); // size <= 128 - u8 out[128]; // size <= 128 + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 12); + RANDOM_INPUT(in , 128); // size <= 128 + u8 out[128]; // size <= 128 - crypto_stream_chacha20_ietf_xor_ic(out, in, size, nonce, ctr, key); + crypto_stream_chacha20_ietf_xor_ic(out, in, size, nonce, ctr, key); - print_vector(key , 32); - print_vector(nonce, 12); - print_vector(in , size); - print_number(ctr ); - print_vector(out , size); - printf("\n"); + print_vector(key , 32); + print_vector(nonce, 12); + print_vector(in , size); + print_number(ctr ); + print_vector(out , size); + printf("\n"); } int main(void) { - SODIUM_INIT; - FOR (size, 0, 128) { test(size, (u32)rand64()); } - return 0; + SODIUM_INIT; + FOR (size, 0, 128) { test(size, (u32)rand64()); } + return 0; } diff --git a/tests/gen/poly1305.c b/tests/gen/poly1305.c index 2291e4a..32ca1c3 100644 --- a/tests/gen/poly1305.c +++ b/tests/gen/poly1305.c @@ -54,21 +54,21 @@ static void test(size_t size) { - RANDOM_INPUT(key, 32); - RANDOM_INPUT(in , 32); - u8 tag[ 16]; + RANDOM_INPUT(key, 32); + RANDOM_INPUT(in , 32); + u8 tag[ 16]; - crypto_onetimeauth(tag, in, size, key); + crypto_onetimeauth(tag, in, size, key); - print_vector(key, 32); - print_vector(in , size); - print_vector(tag, 16); - printf("\n"); + print_vector(key, 32); + print_vector(in , size); + print_vector(tag, 16); + printf("\n"); } int main(void) { - SODIUM_INIT; - FOR (size, 0, 32) { test(size); } - return 0; + SODIUM_INIT; + FOR (size, 0, 32) { test(size); } + return 0; } diff --git a/tests/gen/sha512.c b/tests/gen/sha512.c index 629eda2..a9befea 100644 --- a/tests/gen/sha512.c +++ b/tests/gen/sha512.c @@ -54,21 +54,21 @@ static void test(size_t size) { - RANDOM_INPUT(in , 256); - u8 hash[64]; + RANDOM_INPUT(in , 256); + u8 hash[64]; - crypto_hash_sha512(hash, in, size); + crypto_hash_sha512(hash, in, size); - print_vector(in , size); - print_vector(hash, 64); - printf("\n"); + print_vector(in , size); + print_vector(hash, 64); + printf("\n"); } int main(void) { - SODIUM_INIT; - FOR(size, 0, 256) { - test(size); - } - return 0; + SODIUM_INIT; + FOR(size, 0, 256) { + test(size); + } + return 0; } diff --git a/tests/gen/vector_to_header.c b/tests/gen/vector_to_header.c index 46317e1..0c784a5 100644 --- a/tests/gen/vector_to_header.c +++ b/tests/gen/vector_to_header.c @@ -61,46 +61,47 @@ static int is_digit(int c) { - return (c >= '0' && c <= '9') - || (c >= 'a' && c <= 'f') - || (c >= 'A' && c <= 'F'); + return + (c >= '0' && c <= '9') || + (c >= 'a' && c <= 'f') || + (c >= 'A' && c <= 'F'); } int main(int argc, char** argv) { - if (argc != 2) { - fprintf(stderr, "Wrong use of vector transformer. Give one argument\n"); - return 1; - } + if (argc != 2) { + fprintf(stderr, "Wrong use of vector transformer. Give one argument\n"); + return 1; + } - char *prefix = argv[1]; - int c = getchar(); - size_t nb_vec = 0; + char *prefix = argv[1]; + int c = getchar(); + size_t nb_vec = 0; - printf("static const char *%s_vectors[]={\n", prefix); + printf("static const char *%s_vectors[]={\n", prefix); - // seek first line - while (!is_digit(c) && c != ':' && c != EOF) { - c = getchar(); - } + // seek first line + while (!is_digit(c) && c != ':' && c != EOF) { + c = getchar(); + } - while (c != EOF) { - printf(" \""); - while (c != ':' && c != EOF) { - printf("%c", (char)c); - c = getchar(); - } - printf("\",\n"); - c = getchar(); + while (c != EOF) { + printf(" \""); + while (c != ':' && c != EOF) { + printf("%c", (char)c); + c = getchar(); + } + printf("\",\n"); + c = getchar(); - // seek next line - while (!is_digit(c) && c != ':' && c != EOF) { - c = getchar(); - } - nb_vec++; - } - printf("};\n"); - printf("static size_t nb_%s_vectors=%zu;\n", prefix, nb_vec); + // seek next line + while (!is_digit(c) && c != ':' && c != EOF) { + c = getchar(); + } + nb_vec++; + } + printf("};\n"); + printf("static size_t nb_%s_vectors=%zu;\n", prefix, nb_vec); - return 0; + return 0; } diff --git a/tests/gen/x25519.c b/tests/gen/x25519.c index c0fb779..4ab1f8c 100644 --- a/tests/gen/x25519.c +++ b/tests/gen/x25519.c @@ -54,30 +54,30 @@ static void test() { - RANDOM_INPUT(sk1, 32); - RANDOM_INPUT(sk2, 32); - u8 pk1[32], pk2[32], shared[32]; + RANDOM_INPUT(sk1, 32); + RANDOM_INPUT(sk2, 32); + u8 pk1[32], pk2[32], shared[32]; - crypto_scalarmult_base(pk1, sk1); - crypto_scalarmult_base(pk2, sk2); - if (crypto_scalarmult(shared, sk1, pk2)) { - fprintf(stderr, "libsodium rejected the public key\n"); - printf(":deadbeef:\n"); // prints a canary to fail subsequent tests - } + crypto_scalarmult_base(pk1, sk1); + crypto_scalarmult_base(pk2, sk2); + if (crypto_scalarmult(shared, sk1, pk2)) { + fprintf(stderr, "libsodium rejected the public key\n"); + printf(":deadbeef:\n"); // prints a canary to fail subsequent tests + } - print_vector(sk1 , 32); - print_vector(pk2 , 32); - print_vector(shared, 32); - printf("\n"); - print_vector(sk2 , 32); - print_vector(pk1 , 32); - print_vector(shared, 32); - printf("\n"); + print_vector(sk1 , 32); + print_vector(pk2 , 32); + print_vector(shared, 32); + printf("\n"); + print_vector(sk2 , 32); + print_vector(pk1 , 32); + print_vector(shared, 32); + printf("\n"); } int main(void) { - SODIUM_INIT; - FOR (i, 0, 50) { test(); } - return 0; + SODIUM_INIT; + FOR (i, 0, 50) { test(); } + return 0; } diff --git a/tests/gen/x25519_pk.c b/tests/gen/x25519_pk.c index 8db55c4..231a90f 100644 --- a/tests/gen/x25519_pk.c +++ b/tests/gen/x25519_pk.c @@ -54,26 +54,26 @@ static void test(u8 sk[32]) { - u8 pk[32]; - crypto_scalarmult_base(pk, sk); + u8 pk[32]; + crypto_scalarmult_base(pk, sk); - print_vector(sk, 32); - print_vector(pk, 32); - printf("\n"); + print_vector(sk, 32); + print_vector(pk, 32); + printf("\n"); } int main(void) { - SODIUM_INIT; + SODIUM_INIT; - // random secret keys - FOR (i, 0, 50) { - RANDOM_INPUT(sk, 32); - test(sk); - } - // zero secret key - u8 sk[32] = {0}; - test(sk); + // random secret keys + FOR (i, 0, 50) { + RANDOM_INPUT(sk, 32); + test(sk); + } + // zero secret key + u8 sk[32] = {0}; + test(sk); - return 0; + return 0; } diff --git a/tests/gen/xchacha20.c b/tests/gen/xchacha20.c index d919a0b..e088153 100644 --- a/tests/gen/xchacha20.c +++ b/tests/gen/xchacha20.c @@ -54,29 +54,29 @@ static void test(size_t size, u64 ctr) { - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 24); - RANDOM_INPUT(in , 128); // size <= 128 - u8 out [128]; // size <= 128 + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 24); + RANDOM_INPUT(in , 128); // size <= 128 + u8 out [128]; // size <= 128 - crypto_stream_xchacha20_xor_ic(out, in, size, nonce, ctr, key); + crypto_stream_xchacha20_xor_ic(out, in, size, nonce, ctr, key); - print_vector(key , 32); - print_vector(nonce , 24); - print_vector(in , size); - print_number(ctr ); - print_vector(out, size); - printf("\n"); + print_vector(key , 32); + print_vector(nonce , 24); + print_vector(in , size); + print_number(ctr ); + print_vector(out, size); + printf("\n"); } int main(void) { - SODIUM_INIT; - // regular tests - FOR (size, 0, 128) { test(size, rand64()); } - // counter overflow (should wrap around) - test(128, -1); - test(128, -2); - test(128, -3); - return 0; + SODIUM_INIT; + // regular tests + FOR (size, 0, 128) { test(size, rand64()); } + // counter overflow (should wrap around) + test(128, -1); + test(128, -2); + test(128, -3); + return 0; } diff --git a/tests/speed/speed-c25519.c b/tests/speed/speed-c25519.c index 32165bf..534ba49 100644 --- a/tests/speed/speed-c25519.c +++ b/tests/speed/speed-c25519.c @@ -56,17 +56,17 @@ static u64 x25519(void) { - u8 in [32] = {9}; - u8 out[F25519_SIZE]; - FOR (i, 0, F25519_SIZE) { - out[i] = c25519_base_x[i]; - } + u8 in [32] = {9}; + u8 out[F25519_SIZE]; + FOR (i, 0, F25519_SIZE) { + out[i] = c25519_base_x[i]; + } - TIMING_START { - c25519_prepare(in); - c25519_smult(out, out, in); - } - TIMING_END; + TIMING_START { + c25519_prepare(in); + c25519_smult(out, out, in); + } + TIMING_END; } void edsign_sec_to_pub(uint8_t *pub, const uint8_t *secret); @@ -75,49 +75,49 @@ void edsign_sec_to_pub(uint8_t *pub, const uint8_t *secret); #define EDSIGN_SIGNATURE_SIZE 64 void edsign_sign(uint8_t *signature, const uint8_t *pub, - const uint8_t *secret, - const uint8_t *message, size_t len); + const uint8_t *secret, + const uint8_t *message, size_t len); /* Verify a message signature. Returns non-zero if ok. */ uint8_t edsign_verify(const uint8_t *signature, const uint8_t *pub, - const uint8_t *message, size_t len); + const uint8_t *message, size_t len); static u64 edDSA_sign(void) { - RANDOM_INPUT(sk , 32); - RANDOM_INPUT(message, 64); - u8 pk [32]; - u8 sig[64]; - edsign_sec_to_pub(pk, sk); + RANDOM_INPUT(sk , 32); + RANDOM_INPUT(message, 64); + u8 pk [32]; + u8 sig[64]; + edsign_sec_to_pub(pk, sk); - TIMING_START { - edsign_sign(sig, pk, sk, message, 64); - } - TIMING_END; + TIMING_START { + edsign_sign(sig, pk, sk, message, 64); + } + TIMING_END; } static u64 edDSA_check(void) { - RANDOM_INPUT(sk , 32); - RANDOM_INPUT(message, 64); - u8 pk [32]; - u8 sig[64]; - edsign_sec_to_pub(pk, sk); - edsign_sign(sig, pk, sk, message, 64); + RANDOM_INPUT(sk , 32); + RANDOM_INPUT(message, 64); + u8 pk [32]; + u8 sig[64]; + edsign_sec_to_pub(pk, sk); + edsign_sign(sig, pk, sk, message, 64); - TIMING_START { - if (!edsign_verify(sig, pk, message, 64)) { - printf("c25519 verification failed\n"); - } - } - TIMING_END; + TIMING_START { + if (!edsign_verify(sig, pk, message, 64)) { + printf("c25519 verification failed\n"); + } + } + TIMING_END; } int main() { - print("x25519 ", x25519() , "exchanges per second"); - print("EdDSA(sign) ", edDSA_sign() , "signatures per second"); - print("EdDSA(check)", edDSA_check(), "checks per second"); - printf("\n"); - return 0; + print("x25519 ", x25519() , "exchanges per second"); + print("EdDSA(sign) ", edDSA_sign() , "signatures per second"); + print("EdDSA(check)", edDSA_check(), "checks per second"); + printf("\n"); + return 0; } diff --git a/tests/speed/speed-donna.c b/tests/speed/speed-donna.c index 6a2abb7..f089780 100644 --- a/tests/speed/speed-donna.c +++ b/tests/speed/speed-donna.c @@ -54,39 +54,39 @@ static u64 edDSA_sign(void) { - u8 pk [32]; - u8 signature[64]; - RANDOM_INPUT(sk , 32); - RANDOM_INPUT(message, 64); - ed25519_publickey(sk, pk); + u8 pk [32]; + u8 signature[64]; + RANDOM_INPUT(sk , 32); + RANDOM_INPUT(message, 64); + ed25519_publickey(sk, pk); - TIMING_START { - ed25519_sign(message, 64, sk, pk, signature); - } - TIMING_END; + TIMING_START { + ed25519_sign(message, 64, sk, pk, signature); + } + TIMING_END; } static u64 edDSA_check(void) { - u8 pk [32]; - u8 signature[64]; - RANDOM_INPUT(sk , 32); - RANDOM_INPUT(message, 64); - ed25519_publickey(sk, pk); - ed25519_sign(message, 64, sk, pk, signature); + u8 pk [32]; + u8 signature[64]; + RANDOM_INPUT(sk , 32); + RANDOM_INPUT(message, 64); + ed25519_publickey(sk, pk); + ed25519_sign(message, 64, sk, pk, signature); - TIMING_START { - if (ed25519_sign_open(message, 64, pk, signature)) { - printf("Donna verification failed\n"); - } - } - TIMING_END; + TIMING_START { + if (ed25519_sign_open(message, 64, pk, signature)) { + printf("Donna verification failed\n"); + } + } + TIMING_END; } int main() { - print("EdDSA(sign) ",edDSA_sign() , "signatures per second"); - print("EdDSA(check)",edDSA_check(), "checks per second"); - printf("\n"); - return 0; + print("EdDSA(sign) ",edDSA_sign() , "signatures per second"); + print("EdDSA(check)",edDSA_check(), "checks per second"); + printf("\n"); + return 0; } diff --git a/tests/speed/speed-hydrogen.c b/tests/speed/speed-hydrogen.c index d49ae29..e11c4e2 100644 --- a/tests/speed/speed-hydrogen.c +++ b/tests/speed/speed-hydrogen.c @@ -55,75 +55,75 @@ static u64 hydro_random(void) { - u8 out[SIZE]; - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 8); + u8 out[SIZE]; + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 8); - TIMING_START { - hydro_random_buf_deterministic(out, SIZE, key); - } - TIMING_END; + TIMING_START { + hydro_random_buf_deterministic(out, SIZE, key); + } + TIMING_END; } static u64 authenticated(void) { - u8 out[SIZE + hydro_secretbox_HEADERBYTES]; - RANDOM_INPUT(in , SIZE + 32); - RANDOM_INPUT(key, 32); - TIMING_START { - hydro_secretbox_encrypt(out, in, SIZE, 0, "Benchmark", key); - } - TIMING_END; + u8 out[SIZE + hydro_secretbox_HEADERBYTES]; + RANDOM_INPUT(in , SIZE + 32); + RANDOM_INPUT(key, 32); + TIMING_START { + hydro_secretbox_encrypt(out, in, SIZE, 0, "Benchmark", key); + } + TIMING_END; } static u64 hash(void) { - u8 hash[32]; - RANDOM_INPUT(in, SIZE); + u8 hash[32]; + RANDOM_INPUT(in, SIZE); - TIMING_START { - hydro_hash_hash(hash, 32, in, SIZE, "Benchmark", 0); - } - TIMING_END; + TIMING_START { + hydro_hash_hash(hash, 32, in, SIZE, "Benchmark", 0); + } + TIMING_END; } static u64 sign(void) { - RANDOM_INPUT(message, 64); - hydro_sign_keypair key_pair; - hydro_sign_keygen(&key_pair); - uint8_t sig[hydro_sign_BYTES]; + RANDOM_INPUT(message, 64); + hydro_sign_keypair key_pair; + hydro_sign_keygen(&key_pair); + uint8_t sig[hydro_sign_BYTES]; - TIMING_START { - hydro_sign_create(sig, message, 64, "Benchmark", key_pair.sk); - } - TIMING_END; + TIMING_START { + hydro_sign_create(sig, message, 64, "Benchmark", key_pair.sk); + } + TIMING_END; } static u64 check(void) { - RANDOM_INPUT(message, 64); - hydro_sign_keypair key_pair; - hydro_sign_keygen(&key_pair); - uint8_t sig[hydro_sign_BYTES]; - hydro_sign_create(sig, message, 64, "Benchmark", key_pair.sk); + RANDOM_INPUT(message, 64); + hydro_sign_keypair key_pair; + hydro_sign_keygen(&key_pair); + uint8_t sig[hydro_sign_BYTES]; + hydro_sign_create(sig, message, 64, "Benchmark", key_pair.sk); - TIMING_START { - if (hydro_sign_verify(sig, message, 64, "Benchmark", key_pair.pk)) { - printf("LibHydrogen verification failed\n"); - } - } - TIMING_END; + TIMING_START { + if (hydro_sign_verify(sig, message, 64, "Benchmark", key_pair.pk)) { + printf("LibHydrogen verification failed\n"); + } + } + TIMING_END; } int main() { - hydro_init(); - print("Random ",hydro_random() *MUL,"megabytes per second"); - print("Auth'd encryption",authenticated()*MUL,"megabytes per second"); - print("Hash ",hash() *MUL,"megabytes per second"); - print("sign ",sign() ,"signatures per second"); - print("check ",check() ,"checks per second"); - printf("\n"); - return 0; + hydro_init(); + print("Random ",hydro_random() *MUL,"megabytes per second"); + print("Auth'd encryption",authenticated()*MUL,"megabytes per second"); + print("Hash ",hash() *MUL,"megabytes per second"); + print("sign ",sign() ,"signatures per second"); + print("check ",check() ,"checks per second"); + printf("\n"); + return 0; } diff --git a/tests/speed/speed-sodium.c b/tests/speed/speed-sodium.c index 2161a8f..25bf61e 100644 --- a/tests/speed/speed-sodium.c +++ b/tests/speed/speed-sodium.c @@ -54,138 +54,138 @@ static u64 chacha20(void) { - u8 out[SIZE]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 8); - - TIMING_START { - crypto_stream_chacha20_xor(out, in, SIZE, nonce, key); - } - TIMING_END; + u8 out[SIZE]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 8); + + TIMING_START { + crypto_stream_chacha20_xor(out, in, SIZE, nonce, key); + } + TIMING_END; } static u64 poly1305(void) { - u8 out[16]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key, 32); - - TIMING_START { - crypto_onetimeauth(out, in, SIZE, key); - } - TIMING_END; + u8 out[16]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key, 32); + + TIMING_START { + crypto_onetimeauth(out, in, SIZE, key); + } + TIMING_END; } static u64 authenticated(void) { - u8 out[SIZE]; - u8 mac[crypto_aead_xchacha20poly1305_ietf_ABYTES]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 24); - - TIMING_START { - crypto_aead_xchacha20poly1305_ietf_encrypt_detached( - out, mac, 0, in, SIZE, 0, 0, 0, nonce, key); - } - TIMING_END; + u8 out[SIZE]; + u8 mac[crypto_aead_xchacha20poly1305_ietf_ABYTES]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 24); + + TIMING_START { + crypto_aead_xchacha20poly1305_ietf_encrypt_detached( + out, mac, 0, in, SIZE, 0, 0, 0, nonce, key); + } + TIMING_END; } static u64 blake2b(void) { - u8 hash[64]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key, 32); - - TIMING_START { - crypto_generichash(hash, 64, in, SIZE, key, 32); - } - TIMING_END; + u8 hash[64]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key, 32); + + TIMING_START { + crypto_generichash(hash, 64, in, SIZE, key, 32); + } + TIMING_END; } static u64 sha512(void) { - u8 hash[64]; - RANDOM_INPUT(in, SIZE); + u8 hash[64]; + RANDOM_INPUT(in, SIZE); - TIMING_START { - crypto_hash_sha512(hash, in, SIZE); - } - TIMING_END; + TIMING_START { + crypto_hash_sha512(hash, in, SIZE); + } + TIMING_END; } static u64 argon2i(void) { - u8 hash [32]; - RANDOM_INPUT(password, 16); - RANDOM_INPUT(salt , 16); - - TIMING_START { - if (crypto_pwhash(hash, 32, (char*)password, 16, salt, - 3, SIZE, crypto_pwhash_ALG_ARGON2I13)) { - fprintf(stderr, "Argon2i failed.\n"); - } - } - TIMING_END; + u8 hash [32]; + RANDOM_INPUT(password, 16); + RANDOM_INPUT(salt , 16); + + TIMING_START { + if (crypto_pwhash(hash, 32, (char*)password, 16, salt, + 3, SIZE, crypto_pwhash_ALG_ARGON2I13)) { + fprintf(stderr, "Argon2i failed.\n"); + } + } + TIMING_END; } static u64 x25519(void) { - u8 in [32] = {9}; - u8 out[32] = {9}; - - TIMING_START { - if (crypto_scalarmult(out, out, in)) { - fprintf(stderr, "libsodium rejected the public key\n"); - } - } - TIMING_END; + u8 in [32] = {9}; + u8 out[32] = {9}; + + TIMING_START { + if (crypto_scalarmult(out, out, in)) { + fprintf(stderr, "libsodium rejected the public key\n"); + } + } + TIMING_END; } static u64 edDSA_sign(void) { - u8 sk [64]; - u8 pk [32]; - u8 signature[64]; - RANDOM_INPUT(message, 64); - crypto_sign_keypair(pk, sk); - - TIMING_START { - crypto_sign_detached(signature, 0, message, 64, sk); - } - TIMING_END; + u8 sk [64]; + u8 pk [32]; + u8 signature[64]; + RANDOM_INPUT(message, 64); + crypto_sign_keypair(pk, sk); + + TIMING_START { + crypto_sign_detached(signature, 0, message, 64, sk); + } + TIMING_END; } static u64 edDSA_check(void) { - u8 sk [64]; - u8 pk [32]; - u8 signature[64]; - RANDOM_INPUT(message, 64); - crypto_sign_keypair(pk, sk); - crypto_sign_detached(signature, 0, message, 64, sk); - - TIMING_START { - if (crypto_sign_verify_detached(signature, message, 64, pk)) { - printf("libsodium verification failed\n"); - } - } - TIMING_END; + u8 sk [64]; + u8 pk [32]; + u8 signature[64]; + RANDOM_INPUT(message, 64); + crypto_sign_keypair(pk, sk); + crypto_sign_detached(signature, 0, message, 64, sk); + + TIMING_START { + if (crypto_sign_verify_detached(signature, message, 64, pk)) { + printf("libsodium verification failed\n"); + } + } + TIMING_END; } int main() { - SODIUM_INIT; - print("Chacha20 ",chacha20() *MUL,"megabytes per second"); - print("Poly1305 ",poly1305() *MUL,"megabytes per second"); - print("Auth'd encryption",authenticated()*MUL,"megabytes per second"); - print("BLAKE2b ",blake2b() *MUL,"megabytes per second"); - print("SHA-512 ",sha512() *MUL,"megabytes per second"); - print("Argon2i, 3 passes",argon2i() *MUL,"megabytes per second"); - print("x25519 ",x25519() ,"exchanges per second"); - print("EdDSA(sign) ",edDSA_sign() ,"signatures per second"); - print("EdDSA(check) ",edDSA_check() ,"checks per second"); - printf("\n"); - return 0; + SODIUM_INIT; + print("Chacha20 ",chacha20() *MUL,"megabytes per second"); + print("Poly1305 ",poly1305() *MUL,"megabytes per second"); + print("Auth'd encryption",authenticated()*MUL,"megabytes per second"); + print("BLAKE2b ",blake2b() *MUL,"megabytes per second"); + print("SHA-512 ",sha512() *MUL,"megabytes per second"); + print("Argon2i, 3 passes",argon2i() *MUL,"megabytes per second"); + print("x25519 ",x25519() ,"exchanges per second"); + print("EdDSA(sign) ",edDSA_sign() ,"signatures per second"); + print("EdDSA(check) ",edDSA_check() ,"checks per second"); + printf("\n"); + return 0; } diff --git a/tests/speed/speed-tweetnacl.c b/tests/speed/speed-tweetnacl.c index 5db83c4..6f2ea6f 100644 --- a/tests/speed/speed-tweetnacl.c +++ b/tests/speed/speed-tweetnacl.c @@ -57,113 +57,113 @@ // Not really random, but we don't care for those benchmarks. void randombytes(u8 *stream, u64 size) { - p_random(stream, (size_t)size); + p_random(stream, (size_t)size); } static u64 salsa20(void) { - u8 out[SIZE]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 8); - - TIMING_START { - crypto_stream_salsa20_xor(out, in, SIZE, nonce, key); - } - TIMING_END; + u8 out[SIZE]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 8); + + TIMING_START { + crypto_stream_salsa20_xor(out, in, SIZE, nonce, key); + } + TIMING_END; } static u64 poly1305(void) { - u8 out[16]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key, 32); - - TIMING_START { - crypto_onetimeauth(out, in, SIZE, key); - } - TIMING_END; + u8 out[16]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key, 32); + + TIMING_START { + crypto_onetimeauth(out, in, SIZE, key); + } + TIMING_END; } static u64 authenticated(void) { - u8 out[SIZE + 32]; - RANDOM_INPUT(in , SIZE + 32); - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 24); - - TIMING_START { - crypto_secretbox(out, in, SIZE + 32, nonce, key); - } - TIMING_END; + u8 out[SIZE + 32]; + RANDOM_INPUT(in , SIZE + 32); + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 24); + + TIMING_START { + crypto_secretbox(out, in, SIZE + 32, nonce, key); + } + TIMING_END; } static u64 sha512(void) { - u8 hash[64]; - RANDOM_INPUT(in, SIZE); + u8 hash[64]; + RANDOM_INPUT(in, SIZE); - TIMING_START { - crypto_hash(hash, in, SIZE); - } - TIMING_END; + TIMING_START { + crypto_hash(hash, in, SIZE); + } + TIMING_END; } static u64 x25519(void) { - u8 in [32] = {9}; - u8 out[32] = {9}; + u8 in [32] = {9}; + u8 out[32] = {9}; - TIMING_START { - crypto_scalarmult(out, out, in); - } - TIMING_END; + TIMING_START { + crypto_scalarmult(out, out, in); + } + TIMING_END; } static u64 edDSA_sign(void) { - u8 sk [ 64]; - u8 pk [ 32]; - u8 signed_msg[128]; - unsigned long long sig_size; - RANDOM_INPUT(message, 64); - crypto_sign_keypair(pk, sk); - - TIMING_START { - crypto_sign(signed_msg, &sig_size, message, 64, sk); - } - TIMING_END; + u8 sk [ 64]; + u8 pk [ 32]; + u8 signed_msg[128]; + unsigned long long sig_size; + RANDOM_INPUT(message, 64); + crypto_sign_keypair(pk, sk); + + TIMING_START { + crypto_sign(signed_msg, &sig_size, message, 64, sk); + } + TIMING_END; } static u64 edDSA_check(void) { - u8 sk [ 64]; - u8 pk [ 32]; - u8 signed_msg[128]; - u8 out_msg [128]; - unsigned long long sig_size; - unsigned long long msg_size; - RANDOM_INPUT(message, 64); - crypto_sign_keypair(pk, sk); - crypto_sign(signed_msg, &sig_size, message, 64, sk); - - TIMING_START { - if (crypto_sign_open(out_msg, &msg_size, signed_msg, sig_size, pk)) { - printf("TweetNaCl verification failed\n"); - } - } - TIMING_END; + u8 sk [ 64]; + u8 pk [ 32]; + u8 signed_msg[128]; + u8 out_msg [128]; + unsigned long long sig_size; + unsigned long long msg_size; + RANDOM_INPUT(message, 64); + crypto_sign_keypair(pk, sk); + crypto_sign(signed_msg, &sig_size, message, 64, sk); + + TIMING_START { + if (crypto_sign_open(out_msg, &msg_size, signed_msg, sig_size, pk)) { + printf("TweetNaCl verification failed\n"); + } + } + TIMING_END; } int main() { - print("Salsa20 ",salsa20() *MUL,"megabytes per second"); - print("Poly1305 ",poly1305() *MUL,"megabytes per second"); - print("Auth'd encryption",authenticated()*MUL,"megabytes per second"); - print("SHA-512 ",sha512() *MUL,"megabytes per second"); - print("x25519 ",x25519() ,"exchanges per second"); - print("EdDSA(sign) ",edDSA_sign() ,"signatures per second"); - print("EdDSA(check) ",edDSA_check() ,"checks per second"); - printf("\n"); - return 0; + print("Salsa20 ",salsa20() *MUL,"megabytes per second"); + print("Poly1305 ",poly1305() *MUL,"megabytes per second"); + print("Auth'd encryption",authenticated()*MUL,"megabytes per second"); + print("SHA-512 ",sha512() *MUL,"megabytes per second"); + print("x25519 ",x25519() ,"exchanges per second"); + print("EdDSA(sign) ",edDSA_sign() ,"signatures per second"); + print("EdDSA(check) ",edDSA_check() ,"checks per second"); + printf("\n"); + return 0; } diff --git a/tests/speed/speed.c b/tests/speed/speed.c index 60be9e2..d7618a4 100644 --- a/tests/speed/speed.c +++ b/tests/speed/speed.c @@ -56,166 +56,166 @@ static u64 chacha20(void) { - u8 out[SIZE]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 8); - - TIMING_START { - crypto_chacha20(out, in, SIZE, key, nonce); - } - TIMING_END; + u8 out[SIZE]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 8); + + TIMING_START { + crypto_chacha20(out, in, SIZE, key, nonce); + } + TIMING_END; } static u64 poly1305(void) { - u8 out[16]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key, 32); - - TIMING_START { - crypto_poly1305(out, in, SIZE, key); - } - TIMING_END; + u8 out[16]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key, 32); + + TIMING_START { + crypto_poly1305(out, in, SIZE, key); + } + TIMING_END; } static u64 authenticated(void) { - u8 out[SIZE]; - u8 mac[ 16]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 24); - - TIMING_START { - crypto_lock(mac, out, key, nonce, in, SIZE); - } - TIMING_END; + u8 out[SIZE]; + u8 mac[ 16]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 24); + + TIMING_START { + crypto_lock(mac, out, key, nonce, in, SIZE); + } + TIMING_END; } static u64 blake2b(void) { - u8 hash[64]; - RANDOM_INPUT(in , SIZE); - RANDOM_INPUT(key, 32); - - TIMING_START { - crypto_blake2b_general(hash, 64, key, 32, in, SIZE); - } - TIMING_END; + u8 hash[64]; + RANDOM_INPUT(in , SIZE); + RANDOM_INPUT(key, 32); + + TIMING_START { + crypto_blake2b_general(hash, 64, key, 32, in, SIZE); + } + TIMING_END; } static u64 sha512(void) { - u8 hash[64]; - RANDOM_INPUT(in, SIZE); + u8 hash[64]; + RANDOM_INPUT(in, SIZE); - TIMING_START { - crypto_sha512(hash, in, SIZE); - } - TIMING_END; + TIMING_START { + crypto_sha512(hash, in, SIZE); + } + TIMING_END; } static u64 argon2i(void) { - u64 work_area[SIZE / 8]; - u8 hash [32]; - u32 nb_blocks = (u32)(SIZE / 1024); - RANDOM_INPUT(password, 16); - RANDOM_INPUT(salt , 16); - - TIMING_START { - crypto_argon2i(hash, 32, work_area, nb_blocks, 3, - password, 16, salt, 16); - } - TIMING_END; + u64 work_area[SIZE / 8]; + u8 hash [32]; + u32 nb_blocks = (u32)(SIZE / 1024); + RANDOM_INPUT(password, 16); + RANDOM_INPUT(salt , 16); + + TIMING_START { + crypto_argon2i(hash, 32, work_area, nb_blocks, 3, + password, 16, salt, 16); + } + TIMING_END; } static u64 x25519(void) { - u8 in [32] = {9}; - u8 out[32] = {9}; + u8 in [32] = {9}; + u8 out[32] = {9}; - TIMING_START { - crypto_x25519(out, out, in); - } - TIMING_END; + TIMING_START { + crypto_x25519(out, out, in); + } + TIMING_END; } static u64 edDSA_sign(void) { - u8 pk [32]; - u8 signature[64]; - RANDOM_INPUT(sk , 32); - RANDOM_INPUT(message, 64); - crypto_sign_public_key(pk, sk); - - TIMING_START { - crypto_sign(signature, sk, pk, message, 64); - } - TIMING_END; + u8 pk [32]; + u8 signature[64]; + RANDOM_INPUT(sk , 32); + RANDOM_INPUT(message, 64); + crypto_sign_public_key(pk, sk); + + TIMING_START { + crypto_sign(signature, sk, pk, message, 64); + } + TIMING_END; } static u64 edDSA_check(void) { - u8 pk [32]; - u8 signature[64]; - RANDOM_INPUT(sk , 32); - RANDOM_INPUT(message, 64); - crypto_sign_public_key(pk, sk); - crypto_sign(signature, sk, pk, message, 64); - - TIMING_START { - if (crypto_check(signature, pk, message, 64)) { - printf("Monocypher verification failed\n"); - } - } - TIMING_END; + u8 pk [32]; + u8 signature[64]; + RANDOM_INPUT(sk , 32); + RANDOM_INPUT(message, 64); + crypto_sign_public_key(pk, sk); + crypto_sign(signature, sk, pk, message, 64); + + TIMING_START { + if (crypto_check(signature, pk, message, 64)) { + printf("Monocypher verification failed\n"); + } + } + TIMING_END; } static u64 x25519_inverse(void) { - u8 in [32] = {9}; - u8 out[32] = {9}; + u8 in [32] = {9}; + u8 out[32] = {9}; - TIMING_START { - crypto_x25519_inverse(out, out, in); - } - TIMING_END; + TIMING_START { + crypto_x25519_inverse(out, out, in); + } + TIMING_END; } static u64 x25519_sp_fast(void) { - RANDOM_INPUT(sk, 32); - TIMING_START { - crypto_x25519_dirty_fast(sk, sk); - } - TIMING_END; + RANDOM_INPUT(sk, 32); + TIMING_START { + crypto_x25519_dirty_fast(sk, sk); + } + TIMING_END; } static u64 x25519_sp_small(void) { - RANDOM_INPUT(sk, 32); - TIMING_START { - crypto_x25519_dirty_small(sk, sk); - } - TIMING_END; + RANDOM_INPUT(sk, 32); + TIMING_START { + crypto_x25519_dirty_small(sk, sk); + } + TIMING_END; } int main() { - print("Chacha20 ",chacha20() *MUL ,"megabytes per second"); - print("Poly1305 ",poly1305() *MUL ,"megabytes per second"); - print("Auth'd encryption ",authenticated()*MUL ,"megabytes per second"); - print("BLAKE2b ",blake2b() *MUL ,"megabytes per second"); - print("SHA-512 ",sha512() *MUL ,"megabytes per second"); - print("Argon2i, 3 passes ",argon2i() *MUL ,"megabytes per second"); - print("x25519 ",x25519() ,"exchanges per second"); - print("EdDSA(sign) ",edDSA_sign() ,"signatures per second"); - print("EdDSA(check) ",edDSA_check() ,"checks per second"); - print("x25519 inverse ",x25519_inverse() ,"scalar inv per second"); - print("x25519 dirty fast ",x25519_sp_fast() ,"scalar inv per second"); - print("x25519 dirty small ",x25519_sp_small() ,"scalar inv per second"); - printf("\n"); - return 0; + print("Chacha20 ",chacha20() *MUL ,"megabytes per second"); + print("Poly1305 ",poly1305() *MUL ,"megabytes per second"); + print("Auth'd encryption ",authenticated()*MUL ,"megabytes per second"); + print("BLAKE2b ",blake2b() *MUL ,"megabytes per second"); + print("SHA-512 ",sha512() *MUL ,"megabytes per second"); + print("Argon2i, 3 passes ",argon2i() *MUL ,"megabytes per second"); + print("x25519 ",x25519() ,"exchanges per second"); + print("EdDSA(sign) ",edDSA_sign() ,"signatures per second"); + print("EdDSA(check) ",edDSA_check() ,"checks per second"); + print("x25519 inverse ",x25519_inverse() ,"scalar inv per second"); + print("x25519 dirty fast ",x25519_sp_fast() ,"scalar inv per second"); + print("x25519 dirty small ",x25519_sp_small() ,"scalar inv per second"); + printf("\n"); + return 0; } diff --git a/tests/speed/speed.h b/tests/speed/speed.h index 9572d35..b5ac82f 100644 --- a/tests/speed/speed.h +++ b/tests/speed/speed.h @@ -67,39 +67,39 @@ typedef struct timespec timespec; // Difference in nanoseconds static u64 diff(timespec start, timespec end) { - return (u64)((end.tv_sec - start.tv_sec ) * BILLION + - (end.tv_nsec - start.tv_nsec)); + return (u64)((end.tv_sec - start.tv_sec ) * BILLION + + (end.tv_nsec - start.tv_nsec)); } static u64 min(u64 a, u64 b) { - return a < b ? a : b; + return a < b ? a : b; } static void print(const char *name, u64 duration, const char *unit) { - if (duration == 0) { - printf("%s: too fast to be measured\n", name); - } else { - u64 speed_hz = BILLION / duration; - printf("%s: %5" PRIu64 " %s\n", name, speed_hz, unit); - } + if (duration == 0) { + printf("%s: too fast to be measured\n", name); + } else { + u64 speed_hz = BILLION / duration; + printf("%s: %5" PRIu64 " %s\n", name, speed_hz, unit); + } } // Note: not all systems will work well with CLOCK_PROCESS_CPUTIME_ID. // If you get weird timings on your system, you may want to replace it // with another clock id. Perhaps even replace clock_gettime(). -#define TIMESTAMP(t) \ - timespec t; \ - clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &t) +#define TIMESTAMP(t) \ + timespec t; \ + clock_gettime(CLOCK_PROCESS_CPUTIME_ID, &t) -#define TIMING_START \ - u64 duration = (u64)-1; \ - FOR (i, 0, 500) { \ - TIMESTAMP(start); +#define TIMING_START \ + u64 duration = (u64)-1; \ + FOR (i, 0, 500) { \ + TIMESTAMP(start); -#define TIMING_END \ - TIMESTAMP(end); \ - duration = min(duration, diff(start, end)); \ - } /* end FOR*/ \ - return duration +#define TIMING_END \ + TIMESTAMP(end); \ + duration = min(duration, diff(start, end)); \ + } /* end FOR*/ \ + return duration diff --git a/tests/test.c b/tests/test.c index 9a8aad5..3d4d7a1 100644 --- a/tests/test.c +++ b/tests/test.c @@ -67,267 +67,267 @@ //////////////////////////// static void chacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector plain = next_input(reader); - u64 ctr = load64_le(next_input(reader).buf); - vector out = next_output(reader); - u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); - if (new_ctr - ctr != nb_blocks) { - printf("FAILURE: Chacha20 returned counter not correct: "); - exit(1); - } + vector key = next_input(reader); + vector nonce = next_input(reader); + vector plain = next_input(reader); + u64 ctr = load64_le(next_input(reader).buf); + vector out = next_output(reader); + u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); + u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); + if (new_ctr - ctr != nb_blocks) { + printf("FAILURE: Chacha20 returned counter not correct: "); + exit(1); + } } static void ietf_chacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector plain = next_input(reader); - u32 ctr = load32_le(next_input(reader).buf); - vector out = next_output(reader); - u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0)); - u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); - if (new_ctr - ctr != nb_blocks) { - printf("FAILURE: IETF Chacha20 returned counter not correct: "); - exit(1); - } + vector key = next_input(reader); + vector nonce = next_input(reader); + vector plain = next_input(reader); + u32 ctr = load32_le(next_input(reader).buf); + vector out = next_output(reader); + u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0)); + u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); + if (new_ctr - ctr != nb_blocks) { + printf("FAILURE: IETF Chacha20 returned counter not correct: "); + exit(1); + } } static void hchacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector out = next_output(reader); - crypto_hchacha20(out.buf, key.buf, nonce.buf); + vector key = next_input(reader); + vector nonce = next_input(reader); + vector out = next_output(reader); + crypto_hchacha20(out.buf, key.buf, nonce.buf); } static void xchacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector plain = next_input(reader); - u64 ctr = load64_le(next_input(reader).buf); - vector out = next_output(reader); - u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); - if (new_ctr - ctr != nb_blocks) { - printf("FAILURE: XChacha20 returned counter not correct: "); - exit(1); - } + vector key = next_input(reader); + vector nonce = next_input(reader); + vector plain = next_input(reader); + u64 ctr = load64_le(next_input(reader).buf); + vector out = next_output(reader); + u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); + u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); + if (new_ctr - ctr != nb_blocks) { + printf("FAILURE: XChacha20 returned counter not correct: "); + exit(1); + } } static void poly1305(vector_reader *reader) { - vector key = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - crypto_poly1305(out.buf, msg.buf, msg.size, key.buf); + vector key = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + crypto_poly1305(out.buf, msg.buf, msg.size, key.buf); } static void aead_ietf(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector ad = next_input(reader); - vector text = next_input(reader); - vector out = next_output(reader); - crypto_lock_aead(out.buf, out.buf + 16, key.buf, nonce.buf, - ad.buf, ad.size, text.buf, text.size); + vector key = next_input(reader); + vector nonce = next_input(reader); + vector ad = next_input(reader); + vector text = next_input(reader); + vector out = next_output(reader); + crypto_lock_aead(out.buf, out.buf + 16, key.buf, nonce.buf, + ad.buf, ad.size, text.buf, text.size); } static void blake2b(vector_reader *reader) { - vector msg = next_input(reader); - vector key = next_input(reader); - vector out = next_output(reader); - crypto_blake2b_general(out.buf, out.size, - key.buf, key.size, - msg.buf, msg.size); + vector msg = next_input(reader); + vector key = next_input(reader); + vector out = next_output(reader); + crypto_blake2b_general(out.buf, out.size, + key.buf, key.size, + msg.buf, msg.size); } static void sha512(vector_reader *reader) { - vector in = next_input(reader); - vector out = next_output(reader); - crypto_sha512(out.buf, in.buf, in.size); + vector in = next_input(reader); + vector out = next_output(reader); + crypto_sha512(out.buf, in.buf, in.size); } static void hmac_sha512(vector_reader *reader) { - vector key = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - crypto_hmac_sha512(out.buf, key.buf, key.size, msg.buf, msg.size); + vector key = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + crypto_hmac_sha512(out.buf, key.buf, key.size, msg.buf, msg.size); } static void argon2i(vector_reader *reader) { - u64 nb_blocks = load64_le(next_input(reader).buf); - u64 nb_iterations = load64_le(next_input(reader).buf); - vector password = next_input(reader); - vector salt = next_input(reader); - vector key = next_input(reader); - vector ad = next_input(reader); - vector out = next_output(reader); - void *work_area = alloc(nb_blocks * 1024); - crypto_argon2i_general(out.buf, (u32)out.size, - work_area, (u32)nb_blocks, (u32)nb_iterations, - password.buf, (u32)password.size, - salt .buf, (u32)salt .size, - key .buf, (u32)key .size, - ad .buf, (u32)ad .size); - free(work_area); + u64 nb_blocks = load64_le(next_input(reader).buf); + u64 nb_iterations = load64_le(next_input(reader).buf); + vector password = next_input(reader); + vector salt = next_input(reader); + vector key = next_input(reader); + vector ad = next_input(reader); + vector out = next_output(reader); + void *work_area = alloc(nb_blocks * 1024); + crypto_argon2i_general(out.buf, (u32)out.size, + work_area, (u32)nb_blocks, (u32)nb_iterations, + password.buf, (u32)password.size, + salt .buf, (u32)salt .size, + key .buf, (u32)key .size, + ad .buf, (u32)ad .size); + free(work_area); } static void x25519(vector_reader *reader) { - vector scalar = next_input(reader); - vector point = next_input(reader); - vector out = next_output(reader); - crypto_x25519(out.buf, scalar.buf, point.buf); + vector scalar = next_input(reader); + vector point = next_input(reader); + vector out = next_output(reader); + crypto_x25519(out.buf, scalar.buf, point.buf); } static void x25519_pk(vector_reader *reader) { - vector in = next_input(reader); - vector out = next_output(reader); - crypto_x25519_public_key(out.buf, in.buf); + vector in = next_input(reader); + vector out = next_output(reader); + crypto_x25519_public_key(out.buf, in.buf); } static void key_exchange(vector_reader *reader) { - vector secret_key = next_input(reader); - vector public_key = next_input(reader); - vector out = next_output(reader); - crypto_key_exchange(out.buf, secret_key.buf, public_key.buf); + vector secret_key = next_input(reader); + vector public_key = next_input(reader); + vector out = next_output(reader); + crypto_key_exchange(out.buf, secret_key.buf, public_key.buf); } static void edDSA(vector_reader *reader) { - vector secret_k = next_input(reader); - vector public_k = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - u8 out2[64]; - - // Sign with cached public key, then by reconstructing the key - crypto_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); - crypto_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); - // Compare signatures (must be the same) - if (memcmp(out.buf, out2, out.size)) { - printf("FAILURE: reconstructing public key" - " yields different signature\n"); - exit(1); - } + vector secret_k = next_input(reader); + vector public_k = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + u8 out2[64]; + + // Sign with cached public key, then by reconstructing the key + crypto_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); + crypto_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); + // Compare signatures (must be the same) + if (memcmp(out.buf, out2, out.size)) { + printf("FAILURE: reconstructing public key" + " yields different signature\n"); + exit(1); + } } static void edDSA_pk(vector_reader *reader) { - vector in = next_input(reader); - vector out = next_output(reader); - crypto_sign_public_key(out.buf, in.buf); + vector in = next_input(reader); + vector out = next_output(reader); + crypto_sign_public_key(out.buf, in.buf); } static void ed_25519(vector_reader *reader) { - vector secret_k = next_input(reader); - vector public_k = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - u8 out2[64]; - - // Sign with cached public key, then by reconstructing the key - crypto_ed25519_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); - crypto_ed25519_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); - // Compare signatures (must be the same) - if (memcmp(out.buf, out2, out.size)) { - printf("FAILURE: reconstructing public key" - " yields different signature\n"); - exit(1); - } + vector secret_k = next_input(reader); + vector public_k = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + u8 out2[64]; + + // Sign with cached public key, then by reconstructing the key + crypto_ed25519_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); + crypto_ed25519_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); + // Compare signatures (must be the same) + if (memcmp(out.buf, out2, out.size)) { + printf("FAILURE: reconstructing public key" + " yields different signature\n"); + exit(1); + } } static void ed_25519_pk(vector_reader *reader) { - vector in = next_input(reader); - vector out = next_output(reader); - crypto_ed25519_public_key(out.buf, in.buf); + vector in = next_input(reader); + vector out = next_output(reader); + crypto_ed25519_public_key(out.buf, in.buf); } static void ed_25519_check(vector_reader *reader) { - vector public_k = next_input(reader); - vector msg = next_input(reader); - vector sig = next_input(reader); - vector out = next_output(reader); - out.buf[0] = (u8)crypto_ed25519_check(sig.buf, public_k.buf, - msg.buf, msg.size); + vector public_k = next_input(reader); + vector msg = next_input(reader); + vector sig = next_input(reader); + vector out = next_output(reader); + out.buf[0] = (u8)crypto_ed25519_check(sig.buf, public_k.buf, + msg.buf, msg.size); } static void iterate_x25519(u8 k[32], u8 u[32]) { - u8 tmp[32]; - crypto_x25519(tmp , k, u); - memcpy(u, k , 32); - memcpy(k, tmp, 32); + u8 tmp[32]; + crypto_x25519(tmp , k, u); + memcpy(u, k , 32); + memcpy(k, tmp, 32); } static int test_x25519() { - u8 _1 [32] = {0x42, 0x2c, 0x8e, 0x7a, 0x62, 0x27, 0xd7, 0xbc, - 0xa1, 0x35, 0x0b, 0x3e, 0x2b, 0xb7, 0x27, 0x9f, - 0x78, 0x97, 0xb8, 0x7b, 0xb6, 0x85, 0x4b, 0x78, - 0x3c, 0x60, 0xe8, 0x03, 0x11, 0xae, 0x30, 0x79}; - u8 k[32] = {9}; - u8 u[32] = {9}; - - crypto_x25519_public_key(k, u); - int status = memcmp(k, _1, 32); - printf("%s: x25519 1\n", status != 0 ? "FAILED" : "OK"); - - u8 _1k [32] = {0x68, 0x4c, 0xf5, 0x9b, 0xa8, 0x33, 0x09, 0x55, - 0x28, 0x00, 0xef, 0x56, 0x6f, 0x2f, 0x4d, 0x3c, - 0x1c, 0x38, 0x87, 0xc4, 0x93, 0x60, 0xe3, 0x87, - 0x5f, 0x2e, 0xb9, 0x4d, 0x99, 0x53, 0x2c, 0x51}; - FOR (i, 1, 1000) { iterate_x25519(k, u); } - status |= memcmp(k, _1k, 32); - printf("%s: x25519 1K\n", status != 0 ? "FAILED" : "OK"); - - // too long; didn't run - //u8 _1M[32] = {0x7c, 0x39, 0x11, 0xe0, 0xab, 0x25, 0x86, 0xfd, - // 0x86, 0x44, 0x97, 0x29, 0x7e, 0x57, 0x5e, 0x6f, - // 0x3b, 0xc6, 0x01, 0xc0, 0x88, 0x3c, 0x30, 0xdf, - // 0x5f, 0x4d, 0xd2, 0xd2, 0x4f, 0x66, 0x54, 0x24}; - //FOR (i, 1000, 1000000) { iterate_x25519(k, u); } - //status |= memcmp(k, _1M, 32); - //printf("%s: x25519 1M\n", status != 0 ? "FAILED" : "OK"); - return status; + u8 _1 [32] = {0x42, 0x2c, 0x8e, 0x7a, 0x62, 0x27, 0xd7, 0xbc, + 0xa1, 0x35, 0x0b, 0x3e, 0x2b, 0xb7, 0x27, 0x9f, + 0x78, 0x97, 0xb8, 0x7b, 0xb6, 0x85, 0x4b, 0x78, + 0x3c, 0x60, 0xe8, 0x03, 0x11, 0xae, 0x30, 0x79}; + u8 k[32] = {9}; + u8 u[32] = {9}; + + crypto_x25519_public_key(k, u); + int status = memcmp(k, _1, 32); + printf("%s: x25519 1\n", status != 0 ? "FAILED" : "OK"); + + u8 _1k [32] = {0x68, 0x4c, 0xf5, 0x9b, 0xa8, 0x33, 0x09, 0x55, + 0x28, 0x00, 0xef, 0x56, 0x6f, 0x2f, 0x4d, 0x3c, + 0x1c, 0x38, 0x87, 0xc4, 0x93, 0x60, 0xe3, 0x87, + 0x5f, 0x2e, 0xb9, 0x4d, 0x99, 0x53, 0x2c, 0x51}; + FOR (i, 1, 1000) { iterate_x25519(k, u); } + status |= memcmp(k, _1k, 32); + printf("%s: x25519 1K\n", status != 0 ? "FAILED" : "OK"); + + // too long; didn't run + //u8 _1M[32] = {0x7c, 0x39, 0x11, 0xe0, 0xab, 0x25, 0x86, 0xfd, + // 0x86, 0x44, 0x97, 0x29, 0x7e, 0x57, 0x5e, 0x6f, + // 0x3b, 0xc6, 0x01, 0xc0, 0x88, 0x3c, 0x30, 0xdf, + // 0x5f, 0x4d, 0xd2, 0xd2, 0x4f, 0x66, 0x54, 0x24}; + //FOR (i, 1000, 1000000) { iterate_x25519(k, u); } + //status |= memcmp(k, _1M, 32); + //printf("%s: x25519 1M\n", status != 0 ? "FAILED" : "OK"); + return status; } static void elligator_dir(vector_reader *reader) { - vector in = next_input(reader); - vector out = next_output(reader); - crypto_hidden_to_curve(out.buf, in.buf); + vector in = next_input(reader); + vector out = next_output(reader); + crypto_hidden_to_curve(out.buf, in.buf); } static void elligator_inv(vector_reader *reader) { - vector point = next_input(reader); - u8 tweak = next_input(reader).buf[0]; - u8 failure = next_input(reader).buf[0]; - vector out = next_output(reader); - int check = crypto_curve_to_hidden(out.buf, point.buf, tweak); - if ((u8)check != failure) { - printf("Elligator inverse map: failure mismatch\n"); - exit(1); - } + vector point = next_input(reader); + u8 tweak = next_input(reader).buf[0]; + u8 failure = next_input(reader).buf[0]; + vector out = next_output(reader); + int check = crypto_curve_to_hidden(out.buf, point.buf, tweak); + if ((u8)check != failure) { + printf("Elligator inverse map: failure mismatch\n"); + exit(1); + } } ////////////////////////////// @@ -335,33 +335,33 @@ static void elligator_inv(vector_reader *reader) ////////////////////////////// static int p_verify(size_t size, int (*compare)(const u8*, const u8*)) { - int status = 0; - u8 a[64]; // size <= 64 - u8 b[64]; // size <= 64 - FOR (i, 0, 2) { - FOR (j, 0, 2) { - // Set every byte to the chosen value, then compare - FOR (k, 0, size) { - a[k] = (u8)i; - b[k] = (u8)j; - } - int cmp = compare(a, b); - status |= (i == j ? cmp : ~cmp); - // Set only two bytes to the chosen value, then compare - FOR (k, 0, size / 2) { - FOR (l, 0, size) { - a[l] = 0; - b[l] = 0; - } - a[k] = (u8)i; a[k + size/2 - 1] = (u8)i; - b[k] = (u8)j; b[k + size/2 - 1] = (u8)j; - cmp = compare(a, b); - status |= (i == j ? cmp : ~cmp); - } - } - } - printf("%s: crypto_verify%zu\n", status != 0 ? "FAILED" : "OK", size); - return status; + int status = 0; + u8 a[64]; // size <= 64 + u8 b[64]; // size <= 64 + FOR (i, 0, 2) { + FOR (j, 0, 2) { + // Set every byte to the chosen value, then compare + FOR (k, 0, size) { + a[k] = (u8)i; + b[k] = (u8)j; + } + int cmp = compare(a, b); + status |= (i == j ? cmp : ~cmp); + // Set only two bytes to the chosen value, then compare + FOR (k, 0, size / 2) { + FOR (l, 0, size) { + a[l] = 0; + b[l] = 0; + } + a[k] = (u8)i; a[k + size/2 - 1] = (u8)i; + b[k] = (u8)j; b[k + size/2 - 1] = (u8)j; + cmp = compare(a, b); + status |= (i == j ? cmp : ~cmp); + } + } + } + printf("%s: crypto_verify%zu\n", status != 0 ? "FAILED" : "OK", size); + return status; } static int p_verify16(){ return p_verify(16, crypto_verify16); } static int p_verify32(){ return p_verify(32, crypto_verify32); } @@ -369,52 +369,52 @@ static int p_verify64(){ return p_verify(64, crypto_verify64); } static int p_chacha20_ctr() { - int status = 0; - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 24); - RANDOM_INPUT(plain, 128); - u8 out_full[128]; - u8 out1 [64]; - u8 out2 [64]; - crypto_chacha20 (out_full, plain , 128, key, nonce); - crypto_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); - crypto_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); - status |= memcmp(out_full , out1, 64); - status |= memcmp(out_full + 64, out2, 64); - - crypto_ietf_chacha20 (out_full, plain , 128, key, nonce); - crypto_ietf_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); - crypto_ietf_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); - status |= memcmp(out_full , out1, 64); - status |= memcmp(out_full + 64, out2, 64); - - crypto_xchacha20 (out_full, plain , 128, key, nonce); - crypto_xchacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); - crypto_xchacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); - status |= memcmp(out_full , out1, 64); - status |= memcmp(out_full + 64, out2, 64); - - printf("%s: Chacha20 (ctr)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 24); + RANDOM_INPUT(plain, 128); + u8 out_full[128]; + u8 out1 [64]; + u8 out2 [64]; + crypto_chacha20 (out_full, plain , 128, key, nonce); + crypto_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); + crypto_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); + status |= memcmp(out_full , out1, 64); + status |= memcmp(out_full + 64, out2, 64); + + crypto_ietf_chacha20 (out_full, plain , 128, key, nonce); + crypto_ietf_chacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); + crypto_ietf_chacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); + status |= memcmp(out_full , out1, 64); + status |= memcmp(out_full + 64, out2, 64); + + crypto_xchacha20 (out_full, plain , 128, key, nonce); + crypto_xchacha20_ctr(out1 , plain + 0, 64, key, nonce, 0); + crypto_xchacha20_ctr(out2 , plain + 64, 64, key, nonce, 1); + status |= memcmp(out_full , out1, 64); + status |= memcmp(out_full + 64, out2, 64); + + printf("%s: Chacha20 (ctr)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that Chacha20(nullptr) == Chacha20(all-zeroes) static int p_chacha20_stream() { - int status = 0; + int status = 0; #define INPUT_SIZE (CHACHA_BLOCK_SIZE * 2 + 1) - FOR (i, 0, INPUT_SIZE) { - u8 output_normal[INPUT_SIZE]; - u8 output_stream[INPUT_SIZE]; - u8 zeroes [INPUT_SIZE] = {0}; - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 8); - crypto_chacha20(output_normal, zeroes, i, key, nonce); - crypto_chacha20(output_stream, 0 , i, key, nonce); - status |= memcmp(output_normal, output_stream, i); - } - printf("%s: Chacha20 (nullptr == zeroes)\n", status != 0 ? "FAILED" : "OK"); - return status; + FOR (i, 0, INPUT_SIZE) { + u8 output_normal[INPUT_SIZE]; + u8 output_stream[INPUT_SIZE]; + u8 zeroes [INPUT_SIZE] = {0}; + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 8); + crypto_chacha20(output_normal, zeroes, i, key, nonce); + crypto_chacha20(output_stream, 0 , i, key, nonce); + status |= memcmp(output_normal, output_stream, i); + } + printf("%s: Chacha20 (nullptr == zeroes)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that output and input can be the same pointer @@ -422,37 +422,37 @@ static int p_chacha20_same_ptr() { #undef INPUT_SIZE #define INPUT_SIZE (CHACHA_BLOCK_SIZE * 4) // total input size - int status = 0; - u8 output[INPUT_SIZE]; - RANDOM_INPUT(input, INPUT_SIZE); - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce, 8); - crypto_chacha20(output, input, INPUT_SIZE, key, nonce); - crypto_chacha20(input , input, INPUT_SIZE, key, nonce); - status |= memcmp(output, input, INPUT_SIZE); - printf("%s: Chacha20 (output == input)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + u8 output[INPUT_SIZE]; + RANDOM_INPUT(input, INPUT_SIZE); + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce, 8); + crypto_chacha20(output, input, INPUT_SIZE, key, nonce); + crypto_chacha20(input , input, INPUT_SIZE, key, nonce); + status |= memcmp(output, input, INPUT_SIZE); + printf("%s: Chacha20 (output == input)\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_hchacha20() { - int status = 0; - FOR (i, 0, 100) { - RANDOM_INPUT(buffer, 80); - size_t out_idx = rand64() % 48; - size_t key_idx = rand64() % 48; - size_t in_idx = rand64() % 64; - u8 key[32]; FOR (j, 0, 32) { key[j] = buffer[j + key_idx]; } - u8 in [16]; FOR (j, 0, 16) { in [j] = buffer[j + in_idx]; } - - // Run with and without overlap, then compare - u8 out[32]; - crypto_hchacha20(out, key, in); - crypto_hchacha20(buffer + out_idx, buffer + key_idx, buffer + in_idx); - status |= memcmp(out, buffer + out_idx, 32); - } - printf("%s: HChacha20 (overlap)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 100) { + RANDOM_INPUT(buffer, 80); + size_t out_idx = rand64() % 48; + size_t key_idx = rand64() % 48; + size_t in_idx = rand64() % 64; + u8 key[32]; FOR (j, 0, 32) { key[j] = buffer[j + key_idx]; } + u8 in [16]; FOR (j, 0, 16) { in [j] = buffer[j + in_idx]; } + + // Run with and without overlap, then compare + u8 out[32]; + crypto_hchacha20(out, key, in); + crypto_hchacha20(buffer + out_idx, buffer + key_idx, buffer + in_idx); + status |= memcmp(out, buffer + out_idx, 32); + } + printf("%s: HChacha20 (overlap)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that authenticating bit by bit yields the same mac than @@ -461,30 +461,30 @@ static int p_poly1305() { #undef INPUT_SIZE #define INPUT_SIZE (POLY1305_BLOCK_SIZE * 4) // total input size - int status = 0; - FOR (i, 0, INPUT_SIZE) { - // outputs - u8 mac_chunk[16]; - u8 mac_whole[16]; - // inputs - RANDOM_INPUT(input, INPUT_SIZE); - RANDOM_INPUT(key , 32); - - // Authenticate bit by bit - crypto_poly1305_ctx ctx; - crypto_poly1305_init(&ctx, key); - crypto_poly1305_update(&ctx, input , i); - crypto_poly1305_update(&ctx, input + i, INPUT_SIZE - i); - crypto_poly1305_final(&ctx, mac_chunk); - - // Authenticate all at once - crypto_poly1305(mac_whole, input, INPUT_SIZE, key); - - // Compare the results (must be the same) - status |= memcmp(mac_chunk, mac_whole, 16); - } - printf("%s: Poly1305 (incremental)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, INPUT_SIZE) { + // outputs + u8 mac_chunk[16]; + u8 mac_whole[16]; + // inputs + RANDOM_INPUT(input, INPUT_SIZE); + RANDOM_INPUT(key , 32); + + // Authenticate bit by bit + crypto_poly1305_ctx ctx; + crypto_poly1305_init(&ctx, key); + crypto_poly1305_update(&ctx, input , i); + crypto_poly1305_update(&ctx, input + i, INPUT_SIZE - i); + crypto_poly1305_final(&ctx, mac_chunk); + + // Authenticate all at once + crypto_poly1305(mac_whole, input, INPUT_SIZE, key); + + // Compare the results (must be the same) + status |= memcmp(mac_chunk, mac_whole, 16); + } + printf("%s: Poly1305 (incremental)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that the input and output buffers of poly1305 can overlap. @@ -492,17 +492,17 @@ static int p_poly1305_overlap() { #undef INPUT_SIZE #define INPUT_SIZE (POLY1305_BLOCK_SIZE + (2 * 16)) // total input size - int status = 0; - FOR (i, 0, POLY1305_BLOCK_SIZE + 16) { - RANDOM_INPUT(input, INPUT_SIZE); - RANDOM_INPUT(key , 32); - u8 mac [16]; - crypto_poly1305(mac , input + 16, POLY1305_BLOCK_SIZE, key); - crypto_poly1305(input+i, input + 16, POLY1305_BLOCK_SIZE, key); - status |= memcmp(mac, input + i, 16); - } - printf("%s: Poly1305 (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, POLY1305_BLOCK_SIZE + 16) { + RANDOM_INPUT(input, INPUT_SIZE); + RANDOM_INPUT(key , 32); + u8 mac [16]; + crypto_poly1305(mac , input + 16, POLY1305_BLOCK_SIZE, key); + crypto_poly1305(input+i, input + 16, POLY1305_BLOCK_SIZE, key); + status |= memcmp(mac, input + i, 16); + } + printf("%s: Poly1305 (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that hashing bit by bit yields the same hash than hashing all @@ -513,29 +513,29 @@ static int p_blake2b() { #undef INPUT_SIZE #define INPUT_SIZE (BLAKE2B_BLOCK_SIZE * 4 - 32) // total input size - int status = 0; - FOR (i, 0, INPUT_SIZE) { - // outputs - u8 hash_chunk[64]; - u8 hash_whole[64]; - // inputs - RANDOM_INPUT(input, INPUT_SIZE); - - // Authenticate bit by bit - crypto_blake2b_ctx ctx; - crypto_blake2b_init(&ctx); - crypto_blake2b_update(&ctx, input , i); - crypto_blake2b_update(&ctx, input + i, INPUT_SIZE - i); - crypto_blake2b_final(&ctx, hash_chunk); - - // Authenticate all at once - crypto_blake2b(hash_whole, input, INPUT_SIZE); - - // Compare the results (must be the same) - status |= memcmp(hash_chunk, hash_whole, 64); - } - printf("%s: BLAKE2b (incremental)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, INPUT_SIZE) { + // outputs + u8 hash_chunk[64]; + u8 hash_whole[64]; + // inputs + RANDOM_INPUT(input, INPUT_SIZE); + + // Authenticate bit by bit + crypto_blake2b_ctx ctx; + crypto_blake2b_init(&ctx); + crypto_blake2b_update(&ctx, input , i); + crypto_blake2b_update(&ctx, input + i, INPUT_SIZE - i); + crypto_blake2b_final(&ctx, hash_chunk); + + // Authenticate all at once + crypto_blake2b(hash_whole, input, INPUT_SIZE); + + // Compare the results (must be the same) + status |= memcmp(hash_chunk, hash_whole, 64); + } + printf("%s: BLAKE2b (incremental)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that the input and output buffers of BLAKE2b can overlap. @@ -543,16 +543,16 @@ static int p_blake2b_overlap() { #undef INPUT_SIZE #define INPUT_SIZE (BLAKE2B_BLOCK_SIZE + (2 * 64)) // total input size - int status = 0; - FOR (i, 0, BLAKE2B_BLOCK_SIZE + 64) { - u8 hash [64]; - RANDOM_INPUT(input, INPUT_SIZE); - crypto_blake2b(hash , input + 64, BLAKE2B_BLOCK_SIZE); - crypto_blake2b(input+i, input + 64, BLAKE2B_BLOCK_SIZE); - status |= memcmp(hash, input + i, 64); - } - printf("%s: BLAKE2b (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, BLAKE2B_BLOCK_SIZE + 64) { + u8 hash [64]; + RANDOM_INPUT(input, INPUT_SIZE); + crypto_blake2b(hash , input + 64, BLAKE2B_BLOCK_SIZE); + crypto_blake2b(input+i, input + 64, BLAKE2B_BLOCK_SIZE); + status |= memcmp(hash, input + i, 64); + } + printf("%s: BLAKE2b (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that hashing bit by bit yields the same hash than hashing all @@ -561,29 +561,29 @@ static int p_sha512() { #undef INPUT_SIZE #define INPUT_SIZE (SHA_512_BLOCK_SIZE * 4 - 32) // total input size - int status = 0; - FOR (i, 0, INPUT_SIZE) { - // outputs - u8 hash_chunk[64]; - u8 hash_whole[64]; - // inputs - RANDOM_INPUT(input, INPUT_SIZE); - - // Authenticate bit by bit - crypto_sha512_ctx ctx; - crypto_sha512_init(&ctx); - crypto_sha512_update(&ctx, input , i); - crypto_sha512_update(&ctx, input + i, INPUT_SIZE - i); - crypto_sha512_final(&ctx, hash_chunk); - - // Authenticate all at once - crypto_sha512(hash_whole, input, INPUT_SIZE); - - // Compare the results (must be the same) - status |= memcmp(hash_chunk, hash_whole, 64); - } - printf("%s: SHA-512 (incremental)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, INPUT_SIZE) { + // outputs + u8 hash_chunk[64]; + u8 hash_whole[64]; + // inputs + RANDOM_INPUT(input, INPUT_SIZE); + + // Authenticate bit by bit + crypto_sha512_ctx ctx; + crypto_sha512_init(&ctx); + crypto_sha512_update(&ctx, input , i); + crypto_sha512_update(&ctx, input + i, INPUT_SIZE - i); + crypto_sha512_final(&ctx, hash_chunk); + + // Authenticate all at once + crypto_sha512(hash_whole, input, INPUT_SIZE); + + // Compare the results (must be the same) + status |= memcmp(hash_chunk, hash_whole, 64); + } + printf("%s: SHA-512 (incremental)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that the input and output buffers of crypto_sha_512 can overlap. @@ -591,16 +591,16 @@ static int p_sha512_overlap() { #undef INPUT_SIZE #define INPUT_SIZE (SHA_512_BLOCK_SIZE + (2 * 64)) // total input size - int status = 0; - FOR (i, 0, SHA_512_BLOCK_SIZE + 64) { - u8 hash [64]; - RANDOM_INPUT(input, INPUT_SIZE); - crypto_sha512(hash , input + 64, SHA_512_BLOCK_SIZE); - crypto_sha512(input+i, input + 64, SHA_512_BLOCK_SIZE); - status |= memcmp(hash, input + i, 64); - } - printf("%s: SHA-512 (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, SHA_512_BLOCK_SIZE + 64) { + u8 hash [64]; + RANDOM_INPUT(input, INPUT_SIZE); + crypto_sha512(hash , input + 64, SHA_512_BLOCK_SIZE); + crypto_sha512(input+i, input + 64, SHA_512_BLOCK_SIZE); + status |= memcmp(hash, input + i, 64); + } + printf("%s: SHA-512 (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that hashing bit by bit yields the same hash than hashing all @@ -609,30 +609,30 @@ static int p_hmac_sha512() { #undef INPUT_SIZE #define INPUT_SIZE (SHA_512_BLOCK_SIZE * 4 - 32) // total input size - int status = 0; - FOR (i, 0, INPUT_SIZE) { - // outputs - u8 hash_chunk[64]; - u8 hash_whole[64]; - // inputs - RANDOM_INPUT(key , 32); - RANDOM_INPUT(input, INPUT_SIZE); - - // Authenticate bit by bit - crypto_hmac_sha512_ctx ctx; - crypto_hmac_sha512_init(&ctx, key, 32); - crypto_hmac_sha512_update(&ctx, input , i); - crypto_hmac_sha512_update(&ctx, input + i, INPUT_SIZE - i); - crypto_hmac_sha512_final(&ctx, hash_chunk); - - // Authenticate all at once - crypto_hmac_sha512(hash_whole, key, 32, input, INPUT_SIZE); - - // Compare the results (must be the same) - status |= memcmp(hash_chunk, hash_whole, 64); - } - printf("%s: HMAC SHA-512 (incremental)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, INPUT_SIZE) { + // outputs + u8 hash_chunk[64]; + u8 hash_whole[64]; + // inputs + RANDOM_INPUT(key , 32); + RANDOM_INPUT(input, INPUT_SIZE); + + // Authenticate bit by bit + crypto_hmac_sha512_ctx ctx; + crypto_hmac_sha512_init(&ctx, key, 32); + crypto_hmac_sha512_update(&ctx, input , i); + crypto_hmac_sha512_update(&ctx, input + i, INPUT_SIZE - i); + crypto_hmac_sha512_final(&ctx, hash_chunk); + + // Authenticate all at once + crypto_hmac_sha512(hash_whole, key, 32, input, INPUT_SIZE); + + // Compare the results (must be the same) + status |= memcmp(hash_chunk, hash_whole, 64); + } + printf("%s: HMAC SHA-512 (incremental)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that the input and output buffers of crypto_sha_512 can overlap. @@ -640,127 +640,127 @@ static int p_hmac_sha512_overlap() { #undef INPUT_SIZE #define INPUT_SIZE (SHA_512_BLOCK_SIZE + (2 * 64)) // total input size - int status = 0; - FOR (i, 0, SHA_512_BLOCK_SIZE + 64) { - u8 hash [64]; - RANDOM_INPUT(key , 32); - RANDOM_INPUT(input, INPUT_SIZE); - crypto_hmac_sha512(hash , key, 32, input + 64, SHA_512_BLOCK_SIZE); - crypto_hmac_sha512(input+i, key, 32, input + 64, SHA_512_BLOCK_SIZE); - status |= memcmp(hash, input + i, 64); - } - printf("%s: HMAC SHA-512 (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, SHA_512_BLOCK_SIZE + 64) { + u8 hash [64]; + RANDOM_INPUT(key , 32); + RANDOM_INPUT(input, INPUT_SIZE); + crypto_hmac_sha512(hash , key, 32, input + 64, SHA_512_BLOCK_SIZE); + crypto_hmac_sha512(input+i, key, 32, input + 64, SHA_512_BLOCK_SIZE); + status |= memcmp(hash, input + i, 64); + } + printf("%s: HMAC SHA-512 (overlapping i/o)\n", status != 0 ? "FAILED":"OK"); + return status; } static int p_argon2i_easy() { - int status = 0; - void *work_area = alloc(8 * 1024); - RANDOM_INPUT(password , 32); - RANDOM_INPUT(salt , 16); - u8 hash_general[32]; - u8 hash_easy [32]; - crypto_argon2i_general(hash_general, 32, work_area, 8, 1, - password, 32, salt, 16, 0, 0, 0, 0); - crypto_argon2i(hash_easy, 32, work_area, 8, 1, password, 32, salt, 16); - status |= memcmp(hash_general, hash_easy, 32); - free(work_area); - printf("%s: Argon2i (easy interface)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + void *work_area = alloc(8 * 1024); + RANDOM_INPUT(password , 32); + RANDOM_INPUT(salt , 16); + u8 hash_general[32]; + u8 hash_easy [32]; + crypto_argon2i_general(hash_general, 32, work_area, 8, 1, + password, 32, salt, 16, 0, 0, 0, 0); + crypto_argon2i(hash_easy, 32, work_area, 8, 1, password, 32, salt, 16); + status |= memcmp(hash_general, hash_easy, 32); + free(work_area); + printf("%s: Argon2i (easy interface)\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_argon2i_overlap() { - int status = 0; - u8 *work_area = (u8*)alloc(8 * 1024); - u8 *clean_work_area = (u8*)alloc(8 * 1024); - FOR (i, 0, 10) { - p_random(work_area, 8 * 1024); - u32 hash_offset = rand64() % 64; - u32 pass_offset = rand64() % 64; - u32 salt_offset = rand64() % 64; - u32 key_offset = rand64() % 64; - u32 ad_offset = rand64() % 64; - u8 hash1[32]; - u8 *hash2 = work_area + hash_offset; - u8 pass [16]; FOR (j, 0, 16) { pass[j] = work_area[j + pass_offset]; } - u8 salt [16]; FOR (j, 0, 16) { salt[j] = work_area[j + salt_offset]; } - u8 key [32]; FOR (j, 0, 32) { key [j] = work_area[j + key_offset]; } - u8 ad [32]; FOR (j, 0, 32) { ad [j] = work_area[j + ad_offset]; } - - crypto_argon2i_general(hash1, 32, clean_work_area, 8, 1, - pass, 16, salt, 16, key, 32, ad, 32); - crypto_argon2i_general(hash2, 32, work_area, 8, 1, - work_area + pass_offset, 16, - work_area + salt_offset, 16, - work_area + key_offset, 32, - work_area + ad_offset, 32); - status |= memcmp(hash1, hash2, 32); - } - free(work_area); - free(clean_work_area); - printf("%s: Argon2i (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + u8 *work_area = (u8*)alloc(8 * 1024); + u8 *clean_work_area = (u8*)alloc(8 * 1024); + FOR (i, 0, 10) { + p_random(work_area, 8 * 1024); + u32 hash_offset = rand64() % 64; + u32 pass_offset = rand64() % 64; + u32 salt_offset = rand64() % 64; + u32 key_offset = rand64() % 64; + u32 ad_offset = rand64() % 64; + u8 hash1[32]; + u8 *hash2 = work_area + hash_offset; + u8 pass [16]; FOR (j, 0, 16) { pass[j] = work_area[j + pass_offset]; } + u8 salt [16]; FOR (j, 0, 16) { salt[j] = work_area[j + salt_offset]; } + u8 key [32]; FOR (j, 0, 32) { key [j] = work_area[j + key_offset]; } + u8 ad [32]; FOR (j, 0, 32) { ad [j] = work_area[j + ad_offset]; } + + crypto_argon2i_general(hash1, 32, clean_work_area, 8, 1, + pass, 16, salt, 16, key, 32, ad, 32); + crypto_argon2i_general(hash2, 32, work_area, 8, 1, + work_area + pass_offset, 16, + work_area + salt_offset, 16, + work_area + key_offset, 32, + work_area + ad_offset, 32); + status |= memcmp(hash1, hash2, 32); + } + free(work_area); + free(clean_work_area); + printf("%s: Argon2i (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that the shared key and secret key buffers of crypto_x25519 can // overlap. static int p_x25519_overlap() { - int status = 0; - FOR (i, 0, 62) { - u8 overlapping[94]; - u8 separate[32]; - RANDOM_INPUT(sk, 32); - RANDOM_INPUT(pk, 32); - memcpy(overlapping + 31, sk, 32); - crypto_x25519(overlapping + i, overlapping + 31, pk); - crypto_x25519(separate, sk, pk); - status |= memcmp(separate, overlapping + i, 32); - } - printf("%s: x25519 (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 62) { + u8 overlapping[94]; + u8 separate[32]; + RANDOM_INPUT(sk, 32); + RANDOM_INPUT(pk, 32); + memcpy(overlapping + 31, sk, 32); + crypto_x25519(overlapping + i, overlapping + 31, pk); + crypto_x25519(separate, sk, pk); + status |= memcmp(separate, overlapping + i, 32); + } + printf("%s: x25519 (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that the shared key and secret key buffers of // crypto_key_exchange can overlap. static int p_key_exchange_overlap() { - int status = 0; - FOR (i, 0, 62) { - u8 overlapping[94]; - u8 separate[32]; - RANDOM_INPUT(sk, 32); - RANDOM_INPUT(pk, 32); - memcpy(overlapping + 31, sk, 32); - crypto_key_exchange(overlapping + i, overlapping + 31, pk); - crypto_key_exchange(separate, sk, pk); - status |= memcmp(separate, overlapping + i, 32); - } - printf("%s: key_exchange (overlapping i/o)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 62) { + u8 overlapping[94]; + u8 separate[32]; + RANDOM_INPUT(sk, 32); + RANDOM_INPUT(pk, 32); + memcpy(overlapping + 31, sk, 32); + crypto_key_exchange(overlapping + i, overlapping + 31, pk); + crypto_key_exchange(separate, sk, pk); + status |= memcmp(separate, overlapping + i, 32); + } + printf("%s: key_exchange (overlapping i/o)\n", status != 0 ? "FAILED":"OK"); + return status; } static int p_eddsa_roundtrip() { #define MESSAGE_SIZE 30 - int status = 0; - FOR (i, 0, MESSAGE_SIZE) { - RANDOM_INPUT(message, MESSAGE_SIZE); - RANDOM_INPUT(sk, 32); - u8 pk [32]; crypto_sign_public_key(pk, sk); - u8 signature[64]; crypto_sign(signature, sk, pk, message, i); - status |= crypto_check(signature, pk, message, i); - - // reject forgeries - u8 zero [64] = {0}; - u8 forgery[64]; FOR (j, 0, 64) { forgery[j] = signature[j] + 1; } - status |= !crypto_check(zero , pk, message, i); - status |= !crypto_check(forgery, pk, message, i); - } - printf("%s: EdDSA (roundtrip)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, MESSAGE_SIZE) { + RANDOM_INPUT(message, MESSAGE_SIZE); + RANDOM_INPUT(sk, 32); + u8 pk [32]; crypto_sign_public_key(pk, sk); + u8 signature[64]; crypto_sign(signature, sk, pk, message, i); + status |= crypto_check(signature, pk, message, i); + + // reject forgeries + u8 zero [64] = {0}; + u8 forgery[64]; FOR (j, 0, 64) { forgery[j] = signature[j] + 1; } + status |= !crypto_check(zero , pk, message, i); + status |= !crypto_check(forgery, pk, message, i); + } + printf("%s: EdDSA (roundtrip)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Verifies that random signatures are all invalid. Uses random @@ -768,356 +768,358 @@ static int p_eddsa_roundtrip() // yield an invalid signature). static int p_eddsa_random() { - int status = 0; - FOR (i, 0, 100) { - RANDOM_INPUT(message, MESSAGE_SIZE); - RANDOM_INPUT(pk, 32); - RANDOM_INPUT(signature , 64); - status |= ~crypto_check(signature, pk, message, MESSAGE_SIZE); - } - // Testing S == L (for code coverage) - RANDOM_INPUT(message, MESSAGE_SIZE); - RANDOM_INPUT(pk, 32); - static const u8 signature[64] = - { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, - 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}; - status |= ~crypto_check(signature, pk, message, MESSAGE_SIZE); - - printf("%s: EdDSA (random)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 100) { + RANDOM_INPUT(message, MESSAGE_SIZE); + RANDOM_INPUT(pk, 32); + RANDOM_INPUT(signature , 64); + status |= ~crypto_check(signature, pk, message, MESSAGE_SIZE); + } + // Testing S == L (for code coverage) + RANDOM_INPUT(message, MESSAGE_SIZE); + RANDOM_INPUT(pk, 32); + static const u8 signature[64] = + { + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, + }; + status |= ~crypto_check(signature, pk, message, MESSAGE_SIZE); + + printf("%s: EdDSA (random)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Tests that the input and output buffers of crypto_sign() can overlap. static int p_eddsa_overlap() { - int status = 0; - FOR(i, 0, MESSAGE_SIZE + 64) { + int status = 0; + FOR(i, 0, MESSAGE_SIZE + 64) { #undef INPUT_SIZE #define INPUT_SIZE (MESSAGE_SIZE + (2 * 64)) // total input size - RANDOM_INPUT(input, INPUT_SIZE); - RANDOM_INPUT(sk , 32 ); - u8 pk [32]; crypto_sign_public_key(pk, sk); - u8 signature[64]; - crypto_sign(signature, sk, pk, input + 64, MESSAGE_SIZE); - crypto_sign(input+i , sk, pk, input + 64, MESSAGE_SIZE); - status |= memcmp(signature, input + i, 64); - } - printf("%s: EdDSA (overlap)\n", status != 0 ? "FAILED" : "OK"); - return status; + RANDOM_INPUT(input, INPUT_SIZE); + RANDOM_INPUT(sk , 32 ); + u8 pk [32]; crypto_sign_public_key(pk, sk); + u8 signature[64]; + crypto_sign(signature, sk, pk, input + 64, MESSAGE_SIZE); + crypto_sign(input+i , sk, pk, input + 64, MESSAGE_SIZE); + status |= memcmp(signature, input + i, 64); + } + printf("%s: EdDSA (overlap)\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_eddsa_incremental() { - int status = 0; - FOR (i, 0, MESSAGE_SIZE) { - RANDOM_INPUT(msg, MESSAGE_SIZE); - RANDOM_INPUT(sk, 32); - u8 pk [32]; crypto_sign_public_key(pk, sk); - u8 sig_mono[64]; crypto_sign(sig_mono, sk, pk, msg, MESSAGE_SIZE); - u8 sig_incr[64]; - { - crypto_sign_ctx ctx; - crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&ctx; - crypto_sign_init_first_pass (actx, sk, pk); - crypto_sign_update (actx, msg , i); - crypto_sign_update (actx, msg+i, MESSAGE_SIZE-i); - crypto_sign_init_second_pass(actx); - crypto_sign_update (actx, msg , i); - crypto_sign_update (actx, msg+i, MESSAGE_SIZE-i); - crypto_sign_final (actx, sig_incr); - } - status |= memcmp(sig_mono, sig_incr, 64); - status |= crypto_check(sig_mono, pk, msg, MESSAGE_SIZE); - { - crypto_check_ctx ctx; - crypto_check_ctx_abstract *actx = (crypto_check_ctx_abstract*)&ctx; - crypto_check_init (actx, sig_incr, pk); - crypto_check_update(actx, msg , i); - crypto_check_update(actx, msg+i, MESSAGE_SIZE-i); - status |= crypto_check_final(actx); - } - } - printf("%s: EdDSA (incremental)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, MESSAGE_SIZE) { + RANDOM_INPUT(msg, MESSAGE_SIZE); + RANDOM_INPUT(sk, 32); + u8 pk [32]; crypto_sign_public_key(pk, sk); + u8 sig_mono[64]; crypto_sign(sig_mono, sk, pk, msg, MESSAGE_SIZE); + u8 sig_incr[64]; + { + crypto_sign_ctx ctx; + crypto_sign_ctx_abstract *actx = (crypto_sign_ctx_abstract*)&ctx; + crypto_sign_init_first_pass (actx, sk, pk); + crypto_sign_update (actx, msg , i); + crypto_sign_update (actx, msg+i, MESSAGE_SIZE-i); + crypto_sign_init_second_pass(actx); + crypto_sign_update (actx, msg , i); + crypto_sign_update (actx, msg+i, MESSAGE_SIZE-i); + crypto_sign_final (actx, sig_incr); + } + status |= memcmp(sig_mono, sig_incr, 64); + status |= crypto_check(sig_mono, pk, msg, MESSAGE_SIZE); + { + crypto_check_ctx ctx; + crypto_check_ctx_abstract *actx = (crypto_check_ctx_abstract*)&ctx; + crypto_check_init (actx, sig_incr, pk); + crypto_check_update(actx, msg , i); + crypto_check_update(actx, msg+i, MESSAGE_SIZE-i); + status |= crypto_check_final(actx); + } + } + printf("%s: EdDSA (incremental)\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_aead() { - int status = 0; - FOR (i, 0, 1000) { - RANDOM_INPUT(key , 32); - RANDOM_INPUT(nonce , 24); - RANDOM_INPUT(ad , 4); - RANDOM_INPUT(plaintext, 8); - u8 box[24], box2[24]; - u8 out[8]; - // AEAD roundtrip - crypto_lock_aead(box, box+16, key, nonce, ad, 4, plaintext, 8); - status |= crypto_unlock_aead(out, key, nonce, box, ad, 4, box+16, 8); - status |= memcmp(plaintext, out, 8); - box[0]++; - status |= !crypto_unlock_aead(out, key, nonce, box, ad, 4, box+16, 8); - - // Authenticated roundtrip (easy interface) - // Make and accept message - crypto_lock(box, box + 16, key, nonce, plaintext, 8); - status |= crypto_unlock(out, key, nonce, box, box + 16, 8); - // Make sure decrypted text and original text are the same - status |= memcmp(plaintext, out, 8); - // Make and reject forgery - box[0]++; - status |= !crypto_unlock(out, key, nonce, box, box + 16, 8); - box[0]--; // undo forgery - - // Same result for both interfaces - crypto_lock_aead(box2, box2 + 16, key, nonce, 0, 0, plaintext, 8); - status |= memcmp(box, box2, 24); - } - printf("%s: aead (roundtrip)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 1000) { + RANDOM_INPUT(key , 32); + RANDOM_INPUT(nonce , 24); + RANDOM_INPUT(ad , 4); + RANDOM_INPUT(plaintext, 8); + u8 box[24], box2[24]; + u8 out[8]; + // AEAD roundtrip + crypto_lock_aead(box, box+16, key, nonce, ad, 4, plaintext, 8); + status |= crypto_unlock_aead(out, key, nonce, box, ad, 4, box+16, 8); + status |= memcmp(plaintext, out, 8); + box[0]++; + status |= !crypto_unlock_aead(out, key, nonce, box, ad, 4, box+16, 8); + + // Authenticated roundtrip (easy interface) + // Make and accept message + crypto_lock(box, box + 16, key, nonce, plaintext, 8); + status |= crypto_unlock(out, key, nonce, box, box + 16, 8); + // Make sure decrypted text and original text are the same + status |= memcmp(plaintext, out, 8); + // Make and reject forgery + box[0]++; + status |= !crypto_unlock(out, key, nonce, box, box + 16, 8); + box[0]--; // undo forgery + + // Same result for both interfaces + crypto_lock_aead(box2, box2 + 16, key, nonce, 0, 0, plaintext, 8); + status |= memcmp(box, box2, 24); + } + printf("%s: aead (roundtrip)\n", status != 0 ? "FAILED" : "OK"); + return status; } // Elligator direct mapping must ignore the most significant bits static int p_elligator_direct_msb() { - int status = 0; - FOR (i, 0, 20) { - RANDOM_INPUT(r, 32); - u8 r1[32]; memcpy(r1, r, 32); r1[31] = (r[31] & 0x3f) | 0x00; - u8 r2[32]; memcpy(r2, r, 32); r2[31] = (r[31] & 0x3f) | 0x40; - u8 r3[32]; memcpy(r3, r, 32); r3[31] = (r[31] & 0x3f) | 0x80; - u8 r4[32]; memcpy(r4, r, 32); r4[31] = (r[31] & 0x3f) | 0xc0; - u8 u [32]; crypto_hidden_to_curve(u , r ); - u8 u1[32]; crypto_hidden_to_curve(u1, r1); - u8 u2[32]; crypto_hidden_to_curve(u2, r2); - u8 u3[32]; crypto_hidden_to_curve(u3, r3); - u8 u4[32]; crypto_hidden_to_curve(u4, r4); - status |= memcmp(u, u1, 32); - status |= memcmp(u, u2, 32); - status |= memcmp(u, u3, 32); - status |= memcmp(u, u4, 32); - } - printf("%s: elligator direct (msb)\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 20) { + RANDOM_INPUT(r, 32); + u8 r1[32]; memcpy(r1, r, 32); r1[31] = (r[31] & 0x3f) | 0x00; + u8 r2[32]; memcpy(r2, r, 32); r2[31] = (r[31] & 0x3f) | 0x40; + u8 r3[32]; memcpy(r3, r, 32); r3[31] = (r[31] & 0x3f) | 0x80; + u8 r4[32]; memcpy(r4, r, 32); r4[31] = (r[31] & 0x3f) | 0xc0; + u8 u [32]; crypto_hidden_to_curve(u , r ); + u8 u1[32]; crypto_hidden_to_curve(u1, r1); + u8 u2[32]; crypto_hidden_to_curve(u2, r2); + u8 u3[32]; crypto_hidden_to_curve(u3, r3); + u8 u4[32]; crypto_hidden_to_curve(u4, r4); + status |= memcmp(u, u1, 32); + status |= memcmp(u, u2, 32); + status |= memcmp(u, u3, 32); + status |= memcmp(u, u4, 32); + } + printf("%s: elligator direct (msb)\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_elligator_direct_overlap() { - int status = 0; - FOR (i, 0, 62) { - u8 overlapping[94]; - u8 separate[32]; - RANDOM_INPUT(r, 32); - memcpy(overlapping + 31, r, 32); - crypto_hidden_to_curve(overlapping + i, overlapping + 31); - crypto_hidden_to_curve(separate, r); - status |= memcmp(separate, overlapping + i, 32); - } - printf("%s: elligator direct (overlapping i/o)\n", - status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 62) { + u8 overlapping[94]; + u8 separate[32]; + RANDOM_INPUT(r, 32); + memcpy(overlapping + 31, r, 32); + crypto_hidden_to_curve(overlapping + i, overlapping + 31); + crypto_hidden_to_curve(separate, r); + status |= memcmp(separate, overlapping + i, 32); + } + printf("%s: elligator direct (overlapping i/o)\n", + status != 0 ? "FAILED" : "OK"); + return status; } static int p_elligator_inverse_overlap() { - int status = 0; - FOR (i, 0, 62) { - u8 overlapping[94]; - u8 separate[32]; - RANDOM_INPUT(pk, 33); - u8 tweak = pk[32]; - memcpy(overlapping + 31, pk, 32); - int a = crypto_curve_to_hidden(overlapping+i, overlapping+31, tweak); - int b = crypto_curve_to_hidden(separate, pk, tweak); - status |= a - b; - if (a == 0) { - // The buffers are the same only if written to to begin with - status |= memcmp(separate, overlapping + i, 32); - } - } - printf("%s: elligator inverse (overlapping i/o)\n", - status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 62) { + u8 overlapping[94]; + u8 separate[32]; + RANDOM_INPUT(pk, 33); + u8 tweak = pk[32]; + memcpy(overlapping + 31, pk, 32); + int a = crypto_curve_to_hidden(overlapping+i, overlapping+31, tweak); + int b = crypto_curve_to_hidden(separate, pk, tweak); + status |= a - b; + if (a == 0) { + // The buffers are the same only if written to to begin with + status |= memcmp(separate, overlapping + i, 32); + } + } + printf("%s: elligator inverse (overlapping i/o)\n", + status != 0 ? "FAILED" : "OK"); + return status; } static int p_elligator_x25519() { - int status = 0; - int i = 0; - while (i < 64) { - RANDOM_INPUT(sk1, 32); - RANDOM_INPUT(sk2, 32); - u8 skc [32]; memcpy(skc, sk1, 32); skc[0] &= 248; - u8 pks [32]; crypto_x25519_dirty_small(pks , sk1); - u8 pksc[32]; crypto_x25519_dirty_small(pksc, skc); - u8 pkf [32]; crypto_x25519_dirty_fast (pkf , sk1); - u8 pkfc[32]; crypto_x25519_dirty_fast (pkfc, skc); - u8 pk1 [32]; crypto_x25519_public_key (pk1 , sk1); - - // Both dirty functions behave the same - status |= memcmp(pks, pkf, 32); - - // Dirty functions behave cleanly if we clear the 3 lsb first - status |= memcmp(pksc, pk1, 32); - status |= memcmp(pkfc, pk1, 32); - - // Dirty functions behave the same as the clean one if the lsb - // are 0, differently if it is not - if ((sk1[0] & 7) == 0) { status |= memcmp(pk1, pkf, 32); } - else { status |= memcmp(pk1, pkf, 32) == 0; } - - // Maximise tweak diversity. - // We want to set the bits 1 (sign) and 6-7 (padding) - u8 tweak = (u8)((i & 1) + (i << 5)); - u8 r[32]; - if (crypto_curve_to_hidden(r, pkf, tweak)) { - continue; // retry untill success (doesn't increment the tweak) - } - // Verify that the tweak's msb are copied to the representative - status |= (tweak >> 6) ^ (r[31] >> 6); - - // Round trip - u8 pkr[32]; crypto_hidden_to_curve(pkr, r); - status |= memcmp(pkr, pkf, 32); - - // Dirty and safe keys are compatible - u8 e1 [32]; crypto_x25519(e1, sk2, pk1); - u8 e2 [32]; crypto_x25519(e2, sk2, pkr); - status |= memcmp(e1, e2, 32); - i++; - } - printf("%s: elligator x25519\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + int i = 0; + while (i < 64) { + RANDOM_INPUT(sk1, 32); + RANDOM_INPUT(sk2, 32); + u8 skc [32]; memcpy(skc, sk1, 32); skc[0] &= 248; + u8 pks [32]; crypto_x25519_dirty_small(pks , sk1); + u8 pksc[32]; crypto_x25519_dirty_small(pksc, skc); + u8 pkf [32]; crypto_x25519_dirty_fast (pkf , sk1); + u8 pkfc[32]; crypto_x25519_dirty_fast (pkfc, skc); + u8 pk1 [32]; crypto_x25519_public_key (pk1 , sk1); + + // Both dirty functions behave the same + status |= memcmp(pks, pkf, 32); + + // Dirty functions behave cleanly if we clear the 3 lsb first + status |= memcmp(pksc, pk1, 32); + status |= memcmp(pkfc, pk1, 32); + + // Dirty functions behave the same as the clean one if the lsb + // are 0, differently if it is not + if ((sk1[0] & 7) == 0) { status |= memcmp(pk1, pkf, 32); } + else { status |= memcmp(pk1, pkf, 32) == 0; } + + // Maximise tweak diversity. + // We want to set the bits 1 (sign) and 6-7 (padding) + u8 tweak = (u8)((i & 1) + (i << 5)); + u8 r[32]; + if (crypto_curve_to_hidden(r, pkf, tweak)) { + continue; // retry untill success (doesn't increment the tweak) + } + // Verify that the tweak's msb are copied to the representative + status |= (tweak >> 6) ^ (r[31] >> 6); + + // Round trip + u8 pkr[32]; crypto_hidden_to_curve(pkr, r); + status |= memcmp(pkr, pkf, 32); + + // Dirty and safe keys are compatible + u8 e1 [32]; crypto_x25519(e1, sk2, pk1); + u8 e2 [32]; crypto_x25519(e2, sk2, pkr); + status |= memcmp(e1, e2, 32); + i++; + } + printf("%s: elligator x25519\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_elligator_key_pair() { - int status = 0; - FOR(i, 0, 32) { - RANDOM_INPUT(seed, 32); - RANDOM_INPUT(sk2 , 32); - u8 r [32]; - u8 sk1[32]; crypto_hidden_key_pair(r, sk1, seed); - u8 pkr[32]; crypto_hidden_to_curve(pkr, r); - u8 pk1[32]; crypto_x25519_public_key(pk1, sk1); - u8 e1 [32]; crypto_x25519(e1, sk2, pk1); - u8 e2 [32]; crypto_x25519(e2, sk2, pkr); - status |= memcmp(e1, e2, 32); - } - - printf("%s: elligator key pair\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR(i, 0, 32) { + RANDOM_INPUT(seed, 32); + RANDOM_INPUT(sk2 , 32); + u8 r [32]; + u8 sk1[32]; crypto_hidden_key_pair(r, sk1, seed); + u8 pkr[32]; crypto_hidden_to_curve(pkr, r); + u8 pk1[32]; crypto_x25519_public_key(pk1, sk1); + u8 e1 [32]; crypto_x25519(e1, sk2, pk1); + u8 e2 [32]; crypto_x25519(e2, sk2, pkr); + status |= memcmp(e1, e2, 32); + } + + printf("%s: elligator key pair\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_elligator_key_pair_overlap() { - int status = 0; - FOR (i, 0, 94) { - u8 over[158]; - u8 sep [ 64]; - RANDOM_INPUT(s1, 32); - u8 *s2 = over + 63; - memcpy(s2, s1, 32); - crypto_hidden_key_pair(sep , sep + 32, s1); - crypto_hidden_key_pair(over + i, over + i + 32, s2); - status |= memcmp(sep, over + i, 64); - } - - printf("%s: elligator key pair (overlapping i/o)\n", - status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 94) { + u8 over[158]; + u8 sep [ 64]; + RANDOM_INPUT(s1, 32); + u8 *s2 = over + 63; + memcpy(s2, s1, 32); + crypto_hidden_key_pair(sep , sep + 32, s1); + crypto_hidden_key_pair(over + i, over + i + 32, s2); + status |= memcmp(sep, over + i, 64); + } + + printf("%s: elligator key pair (overlapping i/o)\n", + status != 0 ? "FAILED" : "OK"); + return status; } static int p_x25519_inverse() { - int status = 0; - RANDOM_INPUT(b, 32); - u8 base[32]; // random point (cofactor is cleared). - crypto_x25519_public_key(base, b); - // check round trip - FOR (i, 0, 50) { - RANDOM_INPUT(sk, 32); - u8 pk [32]; - u8 blind[32]; - crypto_x25519(pk, sk, base); - crypto_x25519_inverse(blind, sk, pk); - status |= memcmp(blind, base, 32); - } - - // check cofactor clearing - // (Multiplying by a low order point yields zero - u8 low_order[4][32] = { - {0}, {1}, - {0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, - 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, - 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, - 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57,}, - {0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, - 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, - 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, - 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00,}, - }; - u8 zero[32] = {0}; - FOR (i, 0, 32) { - u8 blind[32]; - RANDOM_INPUT(sk, 32); - crypto_x25519_inverse(blind, sk, low_order[i%4]); - status |= memcmp(blind, zero, 32); - } - printf("%s: x25519_inverse\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + RANDOM_INPUT(b, 32); + u8 base[32]; // random point (cofactor is cleared). + crypto_x25519_public_key(base, b); + // check round trip + FOR (i, 0, 50) { + RANDOM_INPUT(sk, 32); + u8 pk [32]; + u8 blind[32]; + crypto_x25519(pk, sk, base); + crypto_x25519_inverse(blind, sk, pk); + status |= memcmp(blind, base, 32); + } + + // check cofactor clearing + // (Multiplying by a low order point yields zero + u8 low_order[4][32] = { + {0}, {1}, + {0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, + 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, + 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, + 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57,}, + {0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, + 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, + 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, + 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00,}, + }; + u8 zero[32] = {0}; + FOR (i, 0, 32) { + u8 blind[32]; + RANDOM_INPUT(sk, 32); + crypto_x25519_inverse(blind, sk, low_order[i%4]); + status |= memcmp(blind, zero, 32); + } + printf("%s: x25519_inverse\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_x25519_inverse_overlap() { - int status = 0; - FOR (i, 0, 62) { - u8 overlapping[94]; - u8 separate[32]; - RANDOM_INPUT(sk, 32); - RANDOM_INPUT(pk, 32); - memcpy(overlapping + 31, sk, 32); - crypto_x25519_inverse(overlapping + i, overlapping + 31, pk); - crypto_x25519_inverse(separate, sk, pk); - status |= memcmp(separate, overlapping + i, 32); - } - printf("%s: x25519 inverse (overlapping i/o)\n", - status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 62) { + u8 overlapping[94]; + u8 separate[32]; + RANDOM_INPUT(sk, 32); + RANDOM_INPUT(pk, 32); + memcpy(overlapping + 31, sk, 32); + crypto_x25519_inverse(overlapping + i, overlapping + 31, pk); + crypto_x25519_inverse(separate, sk, pk); + status |= memcmp(separate, overlapping + i, 32); + } + printf("%s: x25519 inverse (overlapping i/o)\n", + status != 0 ? "FAILED" : "OK"); + return status; } static int p_from_eddsa() { - int status = 0; - FOR (i, 0, 32) { - RANDOM_INPUT(ed_private, 32); - u8 ed_public[32]; crypto_sign_public_key (ed_public, ed_private); - u8 x_private[32]; crypto_from_eddsa_private(x_private, ed_private); - u8 x_public1[32]; crypto_from_eddsa_public (x_public1, ed_public); - u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); - status |= memcmp(x_public1, x_public2, 32); - } - printf("%s: from_eddsa\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 32) { + RANDOM_INPUT(ed_private, 32); + u8 ed_public[32]; crypto_sign_public_key (ed_public, ed_private); + u8 x_private[32]; crypto_from_eddsa_private(x_private, ed_private); + u8 x_public1[32]; crypto_from_eddsa_public (x_public1, ed_public); + u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); + status |= memcmp(x_public1, x_public2, 32); + } + printf("%s: from_eddsa\n", status != 0 ? "FAILED" : "OK"); + return status; } static int p_from_ed25519() { - int status = 0; - FOR (i, 0, 32) { - RANDOM_INPUT(ed_private, 32); - u8 ed_public[32]; crypto_ed25519_public_key (ed_public, ed_private); - u8 x_private[32]; crypto_from_ed25519_private(x_private, ed_private); - u8 x_public1[32]; crypto_from_ed25519_public (x_public1, ed_public); - u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); - status |= memcmp(x_public1, x_public2, 32); - } - printf("%s: from_ed25519\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + FOR (i, 0, 32) { + RANDOM_INPUT(ed_private, 32); + u8 ed_public[32]; crypto_ed25519_public_key (ed_public, ed_private); + u8 x_private[32]; crypto_from_ed25519_private(x_private, ed_private); + u8 x_public1[32]; crypto_from_ed25519_public (x_public1, ed_public); + u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); + status |= memcmp(x_public1, x_public2, 32); + } + printf("%s: from_ed25519\n", status != 0 ? "FAILED" : "OK"); + return status; } int vector_test(void (*f)(vector_reader*), @@ -1127,71 +1129,71 @@ int vector_test(void (*f)(vector_reader*), int main(int argc, char *argv[]) { - if (argc > 1) { - sscanf(argv[1], "%" PRIu64 "", &random_state); - } - printf("\nRandom seed: %" PRIu64 "\n", random_state); - - int status = 0; - printf("\nTest against vectors"); - printf("\n--------------------\n"); - status |= TEST(chacha20); - status |= TEST(ietf_chacha20); - status |= TEST(hchacha20); - status |= TEST(xchacha20); - status |= TEST(poly1305); - status |= TEST(aead_ietf); - status |= TEST(blake2b); - status |= TEST(sha512); - status |= TEST(hmac_sha512); - status |= TEST(argon2i); - status |= TEST(x25519); - status |= TEST(x25519_pk); - status |= TEST(key_exchange); - status |= TEST(edDSA); - status |= TEST(edDSA_pk); - status |= TEST(ed_25519); - status |= TEST(ed_25519_pk); - status |= TEST(ed_25519_check); - status |= TEST(elligator_dir); - status |= TEST(elligator_inv); - status |= test_x25519(); - printf("\nProperty based tests"); - printf("\n--------------------\n"); - status |= p_verify16(); - status |= p_verify32(); - status |= p_verify64(); - status |= p_chacha20_ctr(); - status |= p_chacha20_stream(); - status |= p_chacha20_same_ptr(); - status |= p_hchacha20(); - status |= p_poly1305(); - status |= p_poly1305_overlap(); - status |= p_blake2b(); - status |= p_blake2b_overlap(); - status |= p_sha512(); - status |= p_sha512_overlap(); - status |= p_hmac_sha512(); - status |= p_hmac_sha512_overlap(); - status |= p_argon2i_easy(); - status |= p_argon2i_overlap(); - status |= p_x25519_overlap(); - status |= p_key_exchange_overlap(); - status |= p_eddsa_roundtrip(); - status |= p_eddsa_random(); - status |= p_eddsa_overlap(); - status |= p_eddsa_incremental(); - status |= p_aead(); - status |= p_elligator_direct_msb(); - status |= p_elligator_direct_overlap(); - status |= p_elligator_inverse_overlap(); - status |= p_elligator_x25519(); - status |= p_elligator_key_pair(); - status |= p_elligator_key_pair_overlap(); - status |= p_x25519_inverse(); - status |= p_x25519_inverse_overlap(); - status |= p_from_eddsa(); - status |= p_from_ed25519(); - printf("\n%s\n\n", status != 0 ? "SOME TESTS FAILED" : "All tests OK!"); - return status; + if (argc > 1) { + sscanf(argv[1], "%" PRIu64 "", &random_state); + } + printf("\nRandom seed: %" PRIu64 "\n", random_state); + + int status = 0; + printf("\nTest against vectors"); + printf("\n--------------------\n"); + status |= TEST(chacha20); + status |= TEST(ietf_chacha20); + status |= TEST(hchacha20); + status |= TEST(xchacha20); + status |= TEST(poly1305); + status |= TEST(aead_ietf); + status |= TEST(blake2b); + status |= TEST(sha512); + status |= TEST(hmac_sha512); + status |= TEST(argon2i); + status |= TEST(x25519); + status |= TEST(x25519_pk); + status |= TEST(key_exchange); + status |= TEST(edDSA); + status |= TEST(edDSA_pk); + status |= TEST(ed_25519); + status |= TEST(ed_25519_pk); + status |= TEST(ed_25519_check); + status |= TEST(elligator_dir); + status |= TEST(elligator_inv); + status |= test_x25519(); + printf("\nProperty based tests"); + printf("\n--------------------\n"); + status |= p_verify16(); + status |= p_verify32(); + status |= p_verify64(); + status |= p_chacha20_ctr(); + status |= p_chacha20_stream(); + status |= p_chacha20_same_ptr(); + status |= p_hchacha20(); + status |= p_poly1305(); + status |= p_poly1305_overlap(); + status |= p_blake2b(); + status |= p_blake2b_overlap(); + status |= p_sha512(); + status |= p_sha512_overlap(); + status |= p_hmac_sha512(); + status |= p_hmac_sha512_overlap(); + status |= p_argon2i_easy(); + status |= p_argon2i_overlap(); + status |= p_x25519_overlap(); + status |= p_key_exchange_overlap(); + status |= p_eddsa_roundtrip(); + status |= p_eddsa_random(); + status |= p_eddsa_overlap(); + status |= p_eddsa_incremental(); + status |= p_aead(); + status |= p_elligator_direct_msb(); + status |= p_elligator_direct_overlap(); + status |= p_elligator_inverse_overlap(); + status |= p_elligator_x25519(); + status |= p_elligator_key_pair(); + status |= p_elligator_key_pair_overlap(); + status |= p_x25519_inverse(); + status |= p_x25519_inverse_overlap(); + status |= p_from_eddsa(); + status |= p_from_ed25519(); + printf("\n%s\n\n", status != 0 ? "SOME TESTS FAILED" : "All tests OK!"); + return status; } diff --git a/tests/tis-ci.c b/tests/tis-ci.c index 73a4e02..b434054 100644 --- a/tests/tis-ci.c +++ b/tests/tis-ci.c @@ -57,317 +57,317 @@ #include #include -#define ARRAY(name, size) \ - u8 name[size]; \ - for(size_t i = 0; i < size; i++) name[i] = i; +#define ARRAY(name, size) \ + u8 name[size]; \ + for(size_t i = 0; i < size; i++) name[i] = i; static void chacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector plain = next_input(reader); - u64 ctr = load64_le(next_input(reader).buf); - vector out = next_output(reader); - u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); - if (new_ctr - ctr != nb_blocks) { - printf("FAILURE: Chacha20 returned counter not correct: "); - } + vector key = next_input(reader); + vector nonce = next_input(reader); + vector plain = next_input(reader); + u64 ctr = load64_le(next_input(reader).buf); + vector out = next_output(reader); + u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); + u64 new_ctr = crypto_chacha20_ctr(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); + if (new_ctr - ctr != nb_blocks) { + printf("FAILURE: Chacha20 returned counter not correct: "); + } } static void ietf_chacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector plain = next_input(reader); - u64 ctr = load64_le(next_input(reader).buf); - vector out = next_output(reader); - u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0)); - u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); - if (new_ctr - ctr != nb_blocks) { - printf("FAILURE: IETF Chacha20 returned counter not correct: "); - } + vector key = next_input(reader); + vector nonce = next_input(reader); + vector plain = next_input(reader); + u64 ctr = load64_le(next_input(reader).buf); + vector out = next_output(reader); + u32 nb_blocks = (u32)(plain.size / 64 + (plain.size % 64 != 0)); + u32 new_ctr = crypto_ietf_chacha20_ctr(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); + if (new_ctr - ctr != nb_blocks) { + printf("FAILURE: IETF Chacha20 returned counter not correct: "); + } } static void hchacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector out = next_output(reader); - crypto_hchacha20(out.buf, key.buf, nonce.buf); + vector key = next_input(reader); + vector nonce = next_input(reader); + vector out = next_output(reader); + crypto_hchacha20(out.buf, key.buf, nonce.buf); } static void xchacha20(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector plain = next_input(reader); - u64 ctr = load64_le(next_input(reader).buf); - vector out = next_output(reader); - u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); - u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size, - key.buf, nonce.buf, ctr); - if (new_ctr - ctr != nb_blocks) { - printf("FAILURE: XChacha20 returned counter not correct: "); - } + vector key = next_input(reader); + vector nonce = next_input(reader); + vector plain = next_input(reader); + u64 ctr = load64_le(next_input(reader).buf); + vector out = next_output(reader); + u64 nb_blocks = plain.size / 64 + (plain.size % 64 != 0); + u64 new_ctr = crypto_xchacha20_ctr(out.buf, plain.buf, plain.size, + key.buf, nonce.buf, ctr); + if (new_ctr - ctr != nb_blocks) { + printf("FAILURE: XChacha20 returned counter not correct: "); + } } static void poly1305(vector_reader *reader) { - vector key = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - crypto_poly1305(out.buf, msg.buf, msg.size, key.buf); + vector key = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + crypto_poly1305(out.buf, msg.buf, msg.size, key.buf); } static void aead_ietf(vector_reader *reader) { - vector key = next_input(reader); - vector nonce = next_input(reader); - vector ad = next_input(reader); - vector text = next_input(reader); - vector out = next_output(reader); - crypto_lock_aead(out.buf, out.buf + 16, key.buf, nonce.buf, - ad.buf, ad.size, text.buf, text.size); + vector key = next_input(reader); + vector nonce = next_input(reader); + vector ad = next_input(reader); + vector text = next_input(reader); + vector out = next_output(reader); + crypto_lock_aead(out.buf, out.buf + 16, key.buf, nonce.buf, + ad.buf, ad.size, text.buf, text.size); } static void blake2b(vector_reader *reader) { - vector msg = next_input(reader); - vector key = next_input(reader); - vector out = next_output(reader); - crypto_blake2b_general(out.buf, out.size, - key.buf, key.size, - msg.buf, msg.size); + vector msg = next_input(reader); + vector key = next_input(reader); + vector out = next_output(reader); + crypto_blake2b_general(out.buf, out.size, + key.buf, key.size, + msg.buf, msg.size); } static void sha512(vector_reader *reader) { - vector in = next_input(reader); - vector out = next_output(reader); - crypto_sha512(out.buf, in.buf, in.size); + vector in = next_input(reader); + vector out = next_output(reader); + crypto_sha512(out.buf, in.buf, in.size); } static void hmac_sha512(vector_reader *reader) { - vector key = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - crypto_hmac_sha512(out.buf, key.buf, key.size, msg.buf, msg.size); + vector key = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + crypto_hmac_sha512(out.buf, key.buf, key.size, msg.buf, msg.size); } static void argon2i(vector_reader *reader) { - u64 nb_blocks = load64_le(next_input(reader).buf); - u64 nb_iterations = load64_le(next_input(reader).buf); - vector password = next_input(reader); - vector salt = next_input(reader); - vector key = next_input(reader); - vector ad = next_input(reader); - vector out = next_output(reader); - void *work_area = alloc(nb_blocks * 1024); - crypto_argon2i_general(out.buf, (u32)out.size, - work_area, (u32)nb_blocks, (u32)nb_iterations, - password.buf, (u32)password.size, - salt .buf, (u32)salt .size, - key .buf, (u32)key .size, - ad .buf, (u32)ad .size); - free(work_area); + u64 nb_blocks = load64_le(next_input(reader).buf); + u64 nb_iterations = load64_le(next_input(reader).buf); + vector password = next_input(reader); + vector salt = next_input(reader); + vector key = next_input(reader); + vector ad = next_input(reader); + vector out = next_output(reader); + void *work_area = alloc(nb_blocks * 1024); + crypto_argon2i_general(out.buf, (u32)out.size, + work_area, (u32)nb_blocks, (u32)nb_iterations, + password.buf, (u32)password.size, + salt .buf, (u32)salt .size, + key .buf, (u32)key .size, + ad .buf, (u32)ad .size); + free(work_area); } static void key_exchange(vector_reader *reader) { - vector secret_key = next_input(reader); - vector public_key = next_input(reader); - vector out = next_output(reader); - crypto_key_exchange(out.buf, secret_key.buf, public_key.buf); + vector secret_key = next_input(reader); + vector public_key = next_input(reader); + vector out = next_output(reader); + crypto_key_exchange(out.buf, secret_key.buf, public_key.buf); } static void edDSA(vector_reader *reader) { - vector secret_k = next_input(reader); - vector public_k = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - u8 out2[64]; - - // Sign with cached public key, then by reconstructing the key - crypto_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); - crypto_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); - // Compare signatures (must be the same) - if (memcmp(out.buf, out2, out.size)) { - printf("FAILURE: reconstructing public key" - " yields different signature\n"); - exit(1); - } + vector secret_k = next_input(reader); + vector public_k = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + u8 out2[64]; + + // Sign with cached public key, then by reconstructing the key + crypto_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); + crypto_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); + // Compare signatures (must be the same) + if (memcmp(out.buf, out2, out.size)) { + printf("FAILURE: reconstructing public key" + " yields different signature\n"); + exit(1); + } } static void ed_25519(vector_reader *reader) { - vector secret_k = next_input(reader); - vector public_k = next_input(reader); - vector msg = next_input(reader); - vector out = next_output(reader); - u8 out2[64]; - - // Sign with cached public key, then by reconstructing the key - crypto_ed25519_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); - crypto_ed25519_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); - // Compare signatures (must be the same) - if (memcmp(out.buf, out2, out.size)) { - printf("FAILURE: reconstructing public key" - " yields different signature\n"); - exit(1); - } + vector secret_k = next_input(reader); + vector public_k = next_input(reader); + vector msg = next_input(reader); + vector out = next_output(reader); + u8 out2[64]; + + // Sign with cached public key, then by reconstructing the key + crypto_ed25519_sign(out.buf, secret_k.buf, public_k.buf, msg.buf, msg.size); + crypto_ed25519_sign(out2 , secret_k.buf, 0 , msg.buf, msg.size); + // Compare signatures (must be the same) + if (memcmp(out.buf, out2, out.size)) { + printf("FAILURE: reconstructing public key" + " yields different signature\n"); + exit(1); + } } static void ed_25519_check(vector_reader *reader) { - vector public_k = next_input(reader); - vector msg = next_input(reader); - vector sig = next_input(reader); - vector out = next_output(reader); - out.buf[0] = (u8)crypto_ed25519_check(sig.buf, public_k.buf, - msg.buf, msg.size); + vector public_k = next_input(reader); + vector msg = next_input(reader); + vector sig = next_input(reader); + vector out = next_output(reader); + out.buf[0] = (u8)crypto_ed25519_check(sig.buf, public_k.buf, + msg.buf, msg.size); } static void elligator_dir(vector_reader *reader) { - vector in = next_input(reader); - vector out = next_output(reader); - crypto_hidden_to_curve(out.buf, in.buf); + vector in = next_input(reader); + vector out = next_output(reader); + crypto_hidden_to_curve(out.buf, in.buf); } static void elligator_inv(vector_reader *reader) { - vector point = next_input(reader); - u8 tweak = next_input(reader).buf[0]; - u8 failure = next_input(reader).buf[0]; - vector out = next_output(reader); - int check = crypto_curve_to_hidden(out.buf, point.buf, tweak); - if ((u8)check != failure) { - printf("Elligator inverse map: failure mismatch\n"); - exit(1); - } - if (check) { - out.buf[0] = 0; - } + vector point = next_input(reader); + u8 tweak = next_input(reader).buf[0]; + u8 failure = next_input(reader).buf[0]; + vector out = next_output(reader); + int check = crypto_curve_to_hidden(out.buf, point.buf, tweak); + if ((u8)check != failure) { + printf("Elligator inverse map: failure mismatch\n"); + exit(1); + } + if (check) { + out.buf[0] = 0; + } } //@ ensures \result == 0; static int p_from_eddsa() { - int status = 0; - RANDOM_INPUT(ed_private, 32); - u8 ed_public[32]; crypto_sign_public_key (ed_public, ed_private); - u8 x_private[32]; crypto_from_eddsa_private(x_private, ed_private); - u8 x_public1[32]; crypto_from_eddsa_public (x_public1, ed_public); - u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); - status |= memcmp(x_public1, x_public2, 32); - printf("%s: from_eddsa\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + RANDOM_INPUT(ed_private, 32); + u8 ed_public[32]; crypto_sign_public_key (ed_public, ed_private); + u8 x_private[32]; crypto_from_eddsa_private(x_private, ed_private); + u8 x_public1[32]; crypto_from_eddsa_public (x_public1, ed_public); + u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); + status |= memcmp(x_public1, x_public2, 32); + printf("%s: from_eddsa\n", status != 0 ? "FAILED" : "OK"); + return status; } //@ ensures \result == 0; static int p_from_ed25519() { - int status = 0; - RANDOM_INPUT(ed_private, 32); - u8 ed_public[32]; crypto_ed25519_public_key (ed_public, ed_private); - u8 x_private[32]; crypto_from_ed25519_private(x_private, ed_private); - u8 x_public1[32]; crypto_from_ed25519_public (x_public1, ed_public); - u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); - status |= memcmp(x_public1, x_public2, 32); - printf("%s: from_ed25519\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + RANDOM_INPUT(ed_private, 32); + u8 ed_public[32]; crypto_ed25519_public_key (ed_public, ed_private); + u8 x_private[32]; crypto_from_ed25519_private(x_private, ed_private); + u8 x_public1[32]; crypto_from_ed25519_public (x_public1, ed_public); + u8 x_public2[32]; crypto_x25519_public_key (x_public2, x_private); + status |= memcmp(x_public1, x_public2, 32); + printf("%s: from_ed25519\n", status != 0 ? "FAILED" : "OK"); + return status; } //@ ensures \result == 0; static int p_dirty() { - int status = 0; + int status = 0; - RANDOM_INPUT(sk1, 32); sk1[0] |= 1; // make sure it's dirty - u8 skc [32]; memcpy(skc, sk1, 32); skc[0] &= 248; // make sure it's clean - u8 pks [32]; crypto_x25519_dirty_small(pks , sk1); - u8 pksc[32]; crypto_x25519_dirty_small(pksc, skc); - u8 pkf [32]; crypto_x25519_dirty_fast (pkf , sk1); - u8 pkfc[32]; crypto_x25519_dirty_fast (pkfc, skc); - u8 pk1 [32]; crypto_x25519_public_key (pk1 , sk1); + RANDOM_INPUT(sk1, 32); sk1[0] |= 1; // make sure it's dirty + u8 skc [32]; memcpy(skc, sk1, 32); skc[0] &= 248; // make sure it's clean + u8 pks [32]; crypto_x25519_dirty_small(pks , sk1); + u8 pksc[32]; crypto_x25519_dirty_small(pksc, skc); + u8 pkf [32]; crypto_x25519_dirty_fast (pkf , sk1); + u8 pkfc[32]; crypto_x25519_dirty_fast (pkfc, skc); + u8 pk1 [32]; crypto_x25519_public_key (pk1 , sk1); - // Both dirty functions behave the same - status |= memcmp(pks, pkf, 32); + // Both dirty functions behave the same + status |= memcmp(pks, pkf, 32); - // Dirty functions behave cleanly if we clear the 3 msb first - status |= memcmp(pksc, pk1, 32); - status |= memcmp(pkfc, pk1, 32); + // Dirty functions behave cleanly if we clear the 3 msb first + status |= memcmp(pksc, pk1, 32); + status |= memcmp(pkfc, pk1, 32); - printf("%s: x25519 dirty\n", status != 0 ? "FAILED" : "OK"); - return status; + printf("%s: x25519 dirty\n", status != 0 ? "FAILED" : "OK"); + return status; } //@ ensures \result == 0; static int p_x25519_inverse() { - int status = 0; - RANDOM_INPUT(b, 32); - u8 base[32]; // random point (cofactor is cleared). - crypto_x25519_public_key(base, b); - // check round trip - RANDOM_INPUT(sk, 32); - u8 pk [32]; - u8 blind[32]; - crypto_x25519(pk, sk, base); - crypto_x25519_inverse(blind, sk, pk); - status |= memcmp(blind, base, 32); - - // check cofactor clearing - // (Multiplying by a low order point yields zero - u8 low_order[32] = { - 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, - 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, - 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, - 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57, - }; - u8 zero[32] = {0}; - crypto_x25519_inverse(blind, sk, low_order); - status |= memcmp(blind, zero, 32); - printf("%s: x25519_inverse\n", status != 0 ? "FAILED" : "OK"); - return status; + int status = 0; + RANDOM_INPUT(b, 32); + u8 base[32]; // random point (cofactor is cleared). + crypto_x25519_public_key(base, b); + // check round trip + RANDOM_INPUT(sk, 32); + u8 pk [32]; + u8 blind[32]; + crypto_x25519(pk, sk, base); + crypto_x25519_inverse(blind, sk, pk); + status |= memcmp(blind, base, 32); + + // check cofactor clearing + // (Multiplying by a low order point yields zero + u8 low_order[32] = { + 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, + 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, + 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, + 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57, + }; + u8 zero[32] = {0}; + crypto_x25519_inverse(blind, sk, low_order); + status |= memcmp(blind, zero, 32); + printf("%s: x25519_inverse\n", status != 0 ? "FAILED" : "OK"); + return status; } //@ ensures \result == 0; static int p_verify(size_t size, int (*compare)(const u8*, const u8*)) { - int status = 0; - u8 a[64]; // size <= 64 - u8 b[64]; // size <= 64 - FOR (i, 0, 2) { - FOR (j, 0, 2) { - // Set every byte to the chosen value, then compare - FOR (k, 0, size) { - a[k] = (u8)i; - b[k] = (u8)j; - } - int cmp = compare(a, b); - status |= (i == j ? cmp : ~cmp); - // Set only two bytes to the chosen value, then compare - FOR (k, 0, size / 2) { - FOR (l, 0, size) { - a[l] = 0; - b[l] = 0; - } - a[k] = (u8)i; a[k + size/2 - 1] = (u8)i; - b[k] = (u8)j; b[k + size/2 - 1] = (u8)j; - cmp = compare(a, b); - status |= (i == j ? cmp : ~cmp); - } - } - } - printf("%s: crypto_verify%zu\n", status != 0 ? "FAILED" : "OK", size); - return status; + int status = 0; + u8 a[64]; // size <= 64 + u8 b[64]; // size <= 64 + FOR (i, 0, 2) { + FOR (j, 0, 2) { + // Set every byte to the chosen value, then compare + FOR (k, 0, size) { + a[k] = (u8)i; + b[k] = (u8)j; + } + int cmp = compare(a, b); + status |= (i == j ? cmp : ~cmp); + // Set only two bytes to the chosen value, then compare + FOR (k, 0, size / 2) { + FOR (l, 0, size) { + a[l] = 0; + b[l] = 0; + } + a[k] = (u8)i; a[k + size/2 - 1] = (u8)i; + b[k] = (u8)j; b[k + size/2 - 1] = (u8)j; + cmp = compare(a, b); + status |= (i == j ? cmp : ~cmp); + } + } + } + printf("%s: crypto_verify%zu\n", status != 0 ? "FAILED" : "OK", size); + return status; } //@ ensures \result == 0; static int p_verify16(){ return p_verify(16, crypto_verify16); } @@ -377,9 +377,9 @@ static int p_verify32(){ return p_verify(32, crypto_verify32); } static int p_verify64(){ return p_verify(64, crypto_verify64); } #define TEST(name) \ - int v_##name() { \ - return vector_test(name, #name, nb_##name##_vectors, name##_vectors); \ - } + int v_##name() { \ + return vector_test(name, #name, nb_##name##_vectors, name##_vectors); \ + } //@ ensures \result == 0; TEST(chacha20) @@ -416,30 +416,30 @@ TEST(elligator_inv) //@ ensures \result == 0; int main(void) { - int status = 0; - status |= v_chacha20 (); - status |= v_ietf_chacha20 (); - status |= v_hchacha20 (); - status |= v_xchacha20 (); - status |= v_poly1305 (); - status |= v_aead_ietf (); - status |= v_blake2b (); - status |= v_sha512 (); - status |= v_hmac_sha512 (); - status |= v_argon2i (); - status |= v_key_exchange (); - status |= v_edDSA (); - status |= v_ed_25519 (); - status |= v_ed_25519_check(); - status |= v_elligator_dir (); - status |= v_elligator_inv (); - - status |= p_from_eddsa (); - status |= p_from_ed25519 (); - status |= p_dirty (); - status |= p_x25519_inverse(); - status |= p_verify16 (); - status |= p_verify32 (); - status |= p_verify64 (); - return status; + int status = 0; + status |= v_chacha20 (); + status |= v_ietf_chacha20 (); + status |= v_hchacha20 (); + status |= v_xchacha20 (); + status |= v_poly1305 (); + status |= v_aead_ietf (); + status |= v_blake2b (); + status |= v_sha512 (); + status |= v_hmac_sha512 (); + status |= v_argon2i (); + status |= v_key_exchange (); + status |= v_edDSA (); + status |= v_ed_25519 (); + status |= v_ed_25519_check(); + status |= v_elligator_dir (); + status |= v_elligator_inv (); + + status |= p_from_eddsa (); + status |= p_from_ed25519 (); + status |= p_dirty (); + status |= p_x25519_inverse(); + status |= p_verify16 (); + status |= p_verify32 (); + status |= p_verify64 (); + return status; } diff --git a/tests/utils.c b/tests/utils.c index 427d315..f55f11e 100644 --- a/tests/utils.c +++ b/tests/utils.c @@ -57,27 +57,28 @@ void store64_le(u8 out[8], u64 in) { - out[0] = in & 0xff; - out[1] = (in >> 8) & 0xff; - out[2] = (in >> 16) & 0xff; - out[3] = (in >> 24) & 0xff; - out[4] = (in >> 32) & 0xff; - out[5] = (in >> 40) & 0xff; - out[6] = (in >> 48) & 0xff; - out[7] = (in >> 56) & 0xff; + out[0] = in & 0xff; + out[1] = (in >> 8) & 0xff; + out[2] = (in >> 16) & 0xff; + out[3] = (in >> 24) & 0xff; + out[4] = (in >> 32) & 0xff; + out[5] = (in >> 40) & 0xff; + out[6] = (in >> 48) & 0xff; + out[7] = (in >> 56) & 0xff; } u32 load32_le(const u8 s[4]) { - return (u32)s[0] - | ((u32)s[1] << 8) - | ((u32)s[2] << 16) - | ((u32)s[3] << 24); + return + ((u32)s[0] << 0) | + ((u32)s[1] << 8) | + ((u32)s[2] << 16) | + ((u32)s[3] << 24); } u64 load64_le(const u8 s[8]) { - return load32_le(s) | ((u64)load32_le(s+4) << 32); + return load32_le(s) | ((u64)load32_le(s+4) << 32); } // Must be seeded with a nonzero value. @@ -87,124 +88,124 @@ u64 random_state = 12345; // Pseudo-random 64 bit number, based on xorshift* u64 rand64(void) { - random_state ^= random_state >> 12; - random_state ^= random_state << 25; - random_state ^= random_state >> 27; - return random_state * 0x2545F4914F6CDD1D; // magic constant + random_state ^= random_state >> 12; + random_state ^= random_state << 25; + random_state ^= random_state >> 27; + return random_state * 0x2545F4914F6CDD1D; // magic constant } void p_random(u8 *stream, size_t size) { - FOR (i, 0, size) { - stream[i] = (u8)rand64(); - } + FOR (i, 0, size) { + stream[i] = (u8)rand64(); + } } void print_vector(const u8 *buf, size_t size) { - FOR (i, 0, size) { - printf("%x%x", buf[i] >> 4, buf[i] & 0x0f); - } - printf(":\n"); + FOR (i, 0, size) { + printf("%x%x", buf[i] >> 4, buf[i] & 0x0f); + } + printf(":\n"); } void print_number(u64 n) { - u8 buf[8]; - store64_le(buf, n); - print_vector(buf, 8); + u8 buf[8]; + store64_le(buf, n); + print_vector(buf, 8); } void* alloc(size_t size) { - if (size == 0) { - // Some systems refuse to allocate zero bytes. - // So we don't. Instead, we just return a non-sensical pointer. - // It shouldn't be dereferenced anyway. - return NULL; - } - void *buf = malloc(size); - if (buf == NULL) { - fprintf(stderr, "Allocation failed: 0x%zx bytes\n", size); - exit(1); - } - return buf; + if (size == 0) { + // Some systems refuse to allocate zero bytes. + // So we don't. Instead, we just return a non-sensical pointer. + // It shouldn't be dereferenced anyway. + return NULL; + } + void *buf = malloc(size); + if (buf == NULL) { + fprintf(stderr, "Allocation failed: 0x%zx bytes\n", size); + exit(1); + } + return buf; } static int to_num(char c) { - return c >= '0' && c <= '9' ? c - '0' - : c >= 'a' && c <= 'f' ? c - 'a' + 10 - : c - 'A' + 10; + return c >= '0' && c <= '9' ? c - '0' + : c >= 'a' && c <= 'f' ? c - 'a' + 10 + : c - 'A' + 10; } static vector vector_of_string(const char *s) { - vector v; - v.size = strlen(s) / 2; - v.buf = v.size == 0 ? 0 : (u8*)alloc(v.size); - FOR (i, 0, v.size) { - int msb = to_num(*s); s++; - int lsb = to_num(*s); s++; - v.buf[i] = (u8)(msb * 16 + lsb); - } - return v; + vector v; + v.size = strlen(s) / 2; + v.buf = v.size == 0 ? 0 : (u8*)alloc(v.size); + FOR (i, 0, v.size) { + int msb = to_num(*s); s++; + int lsb = to_num(*s); s++; + v.buf[i] = (u8)(msb * 16 + lsb); + } + return v; } vector next_input(vector_reader *reader) { - if (reader->size == 0 || reader->nb_inputs >= 10) { - fprintf(stderr, "Input reader overload (no more vectors)\n"); - exit(1); - } - const char *next = *(reader->next); - vector *input = reader->inputs + reader->nb_inputs; - reader->next++; - reader->size--; - *input = vector_of_string(next); - reader->nb_inputs++; - return *input; + if (reader->size == 0 || reader->nb_inputs >= 10) { + fprintf(stderr, "Input reader overload (no more vectors)\n"); + exit(1); + } + const char *next = *(reader->next); + vector *input = reader->inputs + reader->nb_inputs; + reader->next++; + reader->size--; + *input = vector_of_string(next); + reader->nb_inputs++; + return *input; } vector next_output(vector_reader *reader) { - if (reader->size == 0 || reader->nb_inputs >= 10) { - fprintf(stderr, "Input reader overload (no more vectors)\n"); - exit(1); - } - const char *next = *(reader->next); - reader->next++; - reader->size--; - reader->expected = vector_of_string(next); - reader->out.size = reader->expected.size; - reader->out.buf = (u8*)alloc(reader->out.size); - return reader->out; + if (reader->size == 0 || reader->nb_inputs >= 10) { + fprintf(stderr, "Input reader overload (no more vectors)\n"); + exit(1); + } + const char *next = *(reader->next); + reader->next++; + reader->size--; + reader->expected = vector_of_string(next); + reader->out.size = reader->expected.size; + reader->out.buf = (u8*)alloc(reader->out.size); + return reader->out; } int vector_test(void (*f)(vector_reader*), const char *name, size_t nb_vectors, const char *vectors[]) { - int status = 0; - int nb_tests = 0; - vector_reader in; - in.size = nb_vectors; - in.next = vectors; - - while (in.size > 0) { - in.nb_inputs = 0; - f(&in); - if (in.expected.size != 0) { - status |= memcmp(in.out.buf, in.expected.buf, in.expected.size); - } - FOR (i, 0, in.nb_inputs) { - free(in.inputs[i].buf); - } - free(in.out.buf); - free(in.expected.buf); - nb_tests++; - } - printf("%s %4d tests: %s\n", - status != 0 ? "FAILED" : "OK", nb_tests, name); - return status; + int status = 0; + int nb_tests = 0; + vector_reader in; + in.size = nb_vectors; + in.next = vectors; + + while (in.size > 0) { + in.nb_inputs = 0; + f(&in); + if (in.expected.size != 0) { + status |= memcmp(in.out.buf, in.expected.buf, in.expected.size); + } + FOR (i, 0, in.nb_inputs) { + free(in.inputs[i].buf); + } + free(in.out.buf); + free(in.expected.buf); + nb_tests++; + } + printf("%s %4d tests: %s\n", + status != 0 ? "FAILED" : "OK", nb_tests, name); + return status; } diff --git a/tests/utils.h b/tests/utils.h index 8040ae0..30db972 100644 --- a/tests/utils.h +++ b/tests/utils.h @@ -63,29 +63,29 @@ typedef int64_t i64; typedef uint64_t u64; #define FOR(i, start, end) for (size_t i = (start); i < (end); i++) -#define SODIUM_INIT \ - do { \ - if (sodium_init() == -1) { \ - printf("libsodium init failed. Abort.\n"); \ - return 1; \ - } \ - } while (0) +#define SODIUM_INIT \ + do { \ + if (sodium_init() == -1) { \ + printf("libsodium init failed. Abort.\n"); \ + return 1; \ + } \ + } while (0) #define RANDOM_INPUT(name, size) u8 name[size]; p_random(name, size) extern u64 random_state; // state of the RNG typedef struct { - u8 *buf; - size_t size; + u8 *buf; + size_t size; } vector; typedef struct { - const char **next; - size_t size; - vector inputs[10]; - size_t nb_inputs; - vector expected; - vector out; + const char **next; + size_t size; + vector inputs[10]; + size_t nb_inputs; + vector expected; + vector out; } vector_reader; void store64_le(u8 out[8], u64 in);