310 lines
8.0 KiB
C
310 lines
8.0 KiB
C
|
// This file is dual-licensed. Choose whichever licence you want from
|
||
|
// the two licences listed below.
|
||
|
//
|
||
|
// The first licence is a regular 2-clause BSD licence. The second licence
|
||
|
// is the CC-0 from Creative Commons. It is intended to release Monocypher
|
||
|
// to the public domain. The BSD licence serves as a fallback option.
|
||
|
//
|
||
|
// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
|
||
|
//
|
||
|
// ------------------------------------------------------------------------
|
||
|
//
|
||
|
// Copyright (c) 2020, Loup Vaillant
|
||
|
// All rights reserved.
|
||
|
//
|
||
|
//
|
||
|
// Redistribution and use in source and binary forms, with or without
|
||
|
// modification, are permitted provided that the following conditions are
|
||
|
// met:
|
||
|
//
|
||
|
// 1. Redistributions of source code must retain the above copyright
|
||
|
// notice, this list of conditions and the following disclaimer.
|
||
|
//
|
||
|
// 2. Redistributions in binary form must reproduce the above copyright
|
||
|
// notice, this list of conditions and the following disclaimer in the
|
||
|
// documentation and/or other materials provided with the
|
||
|
// distribution.
|
||
|
//
|
||
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||
|
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||
|
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||
|
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||
|
// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||
|
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||
|
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||
|
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||
|
//
|
||
|
// ------------------------------------------------------------------------
|
||
|
//
|
||
|
// Written in 2020 by Loup Vaillant
|
||
|
//
|
||
|
// To the extent possible under law, the author(s) have dedicated all copyright
|
||
|
// and related neighboring rights to this software to the public domain
|
||
|
// worldwide. This software is distributed without any warranty.
|
||
|
//
|
||
|
// You should have received a copy of the CC0 Public Domain Dedication along
|
||
|
// with this software. If not, see
|
||
|
// <https://creativecommons.org/publicdomain/zero/1.0/>
|
||
|
|
||
|
#include <stdio.h>
|
||
|
#include <stdlib.h>
|
||
|
#include <string.h>
|
||
|
#include "monocypher.h"
|
||
|
#include "monocypher-ed25519.h"
|
||
|
#include "utils.h"
|
||
|
|
||
|
static void verify16()
|
||
|
{
|
||
|
u8 a[16];
|
||
|
u8 b[16];
|
||
|
crypto_verify16(a, b);
|
||
|
}
|
||
|
|
||
|
static void verify32()
|
||
|
{
|
||
|
u8 a[32];
|
||
|
u8 b[32];
|
||
|
crypto_verify32(a, b);
|
||
|
}
|
||
|
|
||
|
static void verify64()
|
||
|
{
|
||
|
u8 a[64];
|
||
|
u8 b[64];
|
||
|
crypto_verify64(a, b);
|
||
|
}
|
||
|
|
||
|
static void wipe()
|
||
|
{
|
||
|
FOR (i, 0, 128) {
|
||
|
u8 secret[128];
|
||
|
crypto_wipe(secret, i);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static void lock_aead()
|
||
|
{
|
||
|
FOR(i, 0, 128) {
|
||
|
u8 mac [ 16];
|
||
|
u8 cipher_text[128];
|
||
|
u8 key [ 32];
|
||
|
u8 nonce [ 24];
|
||
|
u8 ad [128];
|
||
|
u8 plain_text [128];
|
||
|
crypto_lock_aead(mac, cipher_text, key, nonce, ad, i, plain_text, i);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static void unlock_aead()
|
||
|
{
|
||
|
FOR(i, 0, 128) {
|
||
|
u8 plain_text [128];
|
||
|
u8 key [ 32];
|
||
|
u8 nonce [ 24];
|
||
|
u8 mac [ 16];
|
||
|
u8 ad [128];
|
||
|
u8 cipher_text[128];
|
||
|
crypto_unlock_aead(plain_text, key, nonce, mac, ad, i, cipher_text, i);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static void blake2b_general()
|
||
|
{
|
||
|
FOR (i, 0, 256) {
|
||
|
u8 hash [ 64];
|
||
|
u8 key [ 64];
|
||
|
u8 message[256];
|
||
|
crypto_blake2b_general(hash, 64, key, 0, message, i);
|
||
|
}
|
||
|
FOR (i, 0, 64) {
|
||
|
u8 hash [ 64];
|
||
|
u8 key [ 64];
|
||
|
u8 message[256];
|
||
|
crypto_blake2b_general(hash, 64, key, i, message, 128);
|
||
|
}
|
||
|
FOR (i, 0, 64) {
|
||
|
u8 hash [ 64];
|
||
|
u8 key [ 64];
|
||
|
u8 message[256];
|
||
|
crypto_blake2b_general(hash, i, key, 0, message, 0);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static void argon2i_general()
|
||
|
{
|
||
|
void *work_area = alloc(1024 * 600);
|
||
|
u8 hash [ 32];
|
||
|
u8 password[ 16];
|
||
|
u8 salt [ 16];
|
||
|
u8 key [ 32];
|
||
|
u8 ad [128];
|
||
|
crypto_argon2i_general(hash, 32, work_area, 600, 3,
|
||
|
password, 16, salt, 16, key, 32, ad, 128);
|
||
|
free(work_area);
|
||
|
}
|
||
|
|
||
|
static void key_exchange()
|
||
|
{
|
||
|
u8 shared_key [32];
|
||
|
u8 your_secret_key [32];
|
||
|
u8 their_public_key[32];
|
||
|
crypto_key_exchange(shared_key, your_secret_key, their_public_key);
|
||
|
}
|
||
|
|
||
|
static void sign_public_key()
|
||
|
{
|
||
|
u8 public_key[32];
|
||
|
u8 secret_key[32];
|
||
|
crypto_sign_public_key(public_key, secret_key);
|
||
|
}
|
||
|
|
||
|
static void sign()
|
||
|
{
|
||
|
u8 signature [64];
|
||
|
u8 secret_key[32];
|
||
|
u8 public_key[32];
|
||
|
u8 message [64];
|
||
|
crypto_sign(signature, secret_key, public_key, message, 64);
|
||
|
}
|
||
|
|
||
|
static void from_eddsa_private()
|
||
|
{
|
||
|
u8 x25519[32];
|
||
|
u8 eddsa [32];
|
||
|
crypto_from_eddsa_private(x25519, eddsa);
|
||
|
}
|
||
|
static void from_eddsa_public()
|
||
|
{
|
||
|
u8 x25519[32];
|
||
|
u8 eddsa [32];
|
||
|
crypto_from_eddsa_public(x25519, eddsa);
|
||
|
}
|
||
|
|
||
|
static void hidden_to_curve()
|
||
|
{
|
||
|
u8 curve [32];
|
||
|
u8 hidden[32];
|
||
|
crypto_hidden_to_curve(curve, hidden);
|
||
|
}
|
||
|
|
||
|
static void curve_to_hidden()
|
||
|
{
|
||
|
u8 hidden[32];
|
||
|
u8 curve [32];
|
||
|
u8 tweak; // The compiler notices this one is used uninitialised
|
||
|
crypto_curve_to_hidden(hidden, curve, tweak);
|
||
|
}
|
||
|
|
||
|
static void hidden_key_pair()
|
||
|
{
|
||
|
u8 hidden [32];
|
||
|
u8 secret_key[32];
|
||
|
u8 seed [32];
|
||
|
crypto_hidden_key_pair(hidden, secret_key,seed);
|
||
|
}
|
||
|
|
||
|
static void h_chacha20()
|
||
|
{
|
||
|
u8 out[32], key[32], in[16];
|
||
|
crypto_hchacha20(out, key, in);
|
||
|
}
|
||
|
|
||
|
static void chacha20()
|
||
|
{
|
||
|
FOR (i, 0, 128) {
|
||
|
u8 cipher_text[128];
|
||
|
u8 plain_text [128];
|
||
|
u8 key [ 32];
|
||
|
u8 nonce [ 8];
|
||
|
crypto_chacha20(cipher_text, plain_text, i, key, nonce);
|
||
|
}
|
||
|
}
|
||
|
static void xchacha20()
|
||
|
{
|
||
|
FOR (i, 0, 128) {
|
||
|
u8 cipher_text[128];
|
||
|
u8 plain_text [128];
|
||
|
u8 key [ 32];
|
||
|
u8 nonce [ 24];
|
||
|
crypto_xchacha20(cipher_text, plain_text, i, key, nonce);
|
||
|
}
|
||
|
}
|
||
|
static void ietf_chacha20()
|
||
|
{
|
||
|
FOR (i, 0, 128) {
|
||
|
u8 cipher_text[128];
|
||
|
u8 plain_text [128];
|
||
|
u8 key [ 32];
|
||
|
u8 nonce [ 12];
|
||
|
crypto_ietf_chacha20(cipher_text, plain_text, i, key, nonce);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static void poly1305()
|
||
|
{
|
||
|
FOR (i, 0, 32) {
|
||
|
u8 mac [16];
|
||
|
u8 message [32];
|
||
|
u8 key [32];
|
||
|
crypto_poly1305(mac, message, i, key);
|
||
|
}
|
||
|
}
|
||
|
|
||
|
static void x25519_dirty_small()
|
||
|
{
|
||
|
u8 pk[32];
|
||
|
u8 sk[32];
|
||
|
crypto_x25519_dirty_small(pk, sk);
|
||
|
}
|
||
|
static void x25519_dirty_fast()
|
||
|
{
|
||
|
u8 pk[32];
|
||
|
u8 sk[32];
|
||
|
crypto_x25519_dirty_fast(pk, sk);
|
||
|
}
|
||
|
|
||
|
static void x25519_inverse()
|
||
|
{
|
||
|
u8 blind_salt [32];
|
||
|
u8 private_key[32];
|
||
|
u8 curve_point[32];
|
||
|
crypto_x25519_inverse(blind_salt, private_key, curve_point);
|
||
|
}
|
||
|
|
||
|
|
||
|
#define RUN(f, s) printf("%s: crypto_"#f"\n", s); f()
|
||
|
|
||
|
int main()
|
||
|
{
|
||
|
RUN(verify16 , "constant time");
|
||
|
RUN(verify32 , "constant time");
|
||
|
RUN(verify64 , "constant time");
|
||
|
RUN(wipe , "constant time");
|
||
|
RUN(lock_aead , "constant time");
|
||
|
RUN(unlock_aead , "1 conditional");
|
||
|
RUN(blake2b_general , "constant time");
|
||
|
RUN(argon2i_general , "constant time");
|
||
|
RUN(key_exchange , "constant time");
|
||
|
RUN(sign_public_key , "constant time");
|
||
|
RUN(sign , "constant time");
|
||
|
printf( "skipped : crypto_check.\n");
|
||
|
RUN(from_eddsa_private, "constant time");
|
||
|
RUN(from_eddsa_public , "constant time");
|
||
|
RUN(hidden_to_curve , "constant time");
|
||
|
RUN(curve_to_hidden , "1 conditional");
|
||
|
RUN(hidden_key_pair , "1 conditional"); // shouldn't that be 2?
|
||
|
RUN(h_chacha20 , "constant time");
|
||
|
RUN(chacha20 , "constant time");
|
||
|
RUN(xchacha20 , "constant time");
|
||
|
RUN(ietf_chacha20 , "constant time");
|
||
|
RUN(poly1305 , "constant time");
|
||
|
RUN(x25519_dirty_small, "constant time");
|
||
|
RUN(x25519_dirty_fast , "constant time");
|
||
|
RUN(x25519_inverse , "constant time");
|
||
|
|
||
|
return 0;
|
||
|
}
|