# HG changeset patch # User Taylor R Campbell # Date 1721873761 0 # Thu Jul 25 02:16:01 2024 +0000 # Branch trunk # Node ID 494691c9df63f4f4d863d5cdab999a9ddc614e3a # Parent 585d6fafefbdab70ca380c2c594b0479ffe25f4b # EXP-Topic riastradh-pr58463-wgidle libsodium: Add a self-test for IETF ChaCha20/Poly1305 AEAD.
diff -r 585d6fafefbd -r 494691c9df63 sys/crypto/sodium/sodium_selftest.h
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/sys/crypto/sodium/sodium_selftest.h Thu Jul 25 02:16:01 2024 +0000
@@ -0,0 +1,36 @@
+/* $NetBSD$ */
+
+/*-
+ * Copyright (c) 2024 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef _SYS_CRYPTO_SODIUM_SODIUM_SELFTEST_H_
+#define _SYS_CRYPTO_SODIUM_SODIUM_SELFTEST_H_
+
+int crypto_aead_chacha20poly1305_ietf_selftest(void);
+
+int sodium_selftest(void);
+
+#endif /* _SYS_CRYPTO_SODIUM_SODIUM_SELFTEST_H_ */
diff -r 585d6fafefbd -r 494691c9df63 sys/external/isc/libsodium/src/sodium_module.c
--- a/sys/external/isc/libsodium/src/sodium_module.c Thu Jul 25 01:23:03 2024 +0000
+++ b/sys/external/isc/libsodium/src/sodium_module.c Thu Jul 25 02:16:01 2024 +0000
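Review bot: The two prototypes in the new header carry no comment stating their return convention, yet the only caller in this patch depends on it by testing `sodium_selftest()` for nonzero. Going by the definitions later in the patch, both return 0 when every check passes and nonzero otherwise. A one-line comment above them, such as `/* Self-tests: return 0 on success, nonzero on failure. */`, would record that for future callers.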
@@ -33,6 +33,8 @@ #include #include +#include + MODULE(MODULE_CLASS_MISC, sodium, NULL); static int @@ -41,6 +43,8 @@ sodium_modcmd(modcmd_t cmd, void *arg) switch (cmd) { case MODULE_CMD_INIT: + if (sodium_selftest()) + printf("sodium self-test failed\n"); break; case MODULE_CMD_FINI: diff -r 585d6fafefbd -r 494691c9df63 sys/external/isc/libsodium/src/sodium_selftest.c --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/sys/external/isc/libsodium/src/sodium_selftest.c Thu Jul 25 02:16:01 2024 +0000 
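Review bot: A failed known-answer test in the `MODULE_CMD_INIT` case is only printed, and control still reaches `break`, so module initialisation presumably reports success even though the AEAD has just produced wrong output. For a cryptographic primitive the safer behaviour is to fail closed, for example `if (sodium_selftest()) { printf("sodium self-test failed\n"); return EIO; }`, so that consumers cannot go on to use an implementation known to be broken. The rest of `sodium_modcmd` lies outside the hunk, so the error value should match whatever that function already returns on its other failure paths.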
@@ -0,0 +1,253 @@ +/* $NetBSD$ */ + +/*- + * Copyright (c) 2024 The NetBSD Foundation, Inc. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS + * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED + * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR + * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS + * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR + * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF + * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS + * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN + * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) + * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE + * POSSIBILITY OF SUCH DAMAGE. + */ + +#ifdef _KERNEL + +#include +__KERNEL_RCSID(0, "$NetBSD$"); + +#include + +#include + +#else + +#include +__RCSID("$NetBSD$"); + +#include +#include +#include + +static void +hexdump(int (*prf)(const char *, ...) 
__printflike(1,2), const char *prefix, + const void *buf, size_t len) +{ + const uint8_t *p = buf; + size_t i; + + (*prf)("%s (%zu bytes @ %p)\n", prefix, len, buf); + for (i = 0; i < len; i++) { + if (i % 16 == 8) + (*prf)(" "); + else + (*prf)(" "); + (*prf)("%02hhx", p[i]); + if ((i + 1) % 16 == 0) + (*prf)("\n"); + } + if (i % 16) + (*prf)("\n"); +} + +#endif + +#include + +#define crypto_aead_encrypt crypto_aead_chacha20poly1305_ietf_encrypt +#define crypto_aead_decrypt crypto_aead_chacha20poly1305_ietf_decrypt + +int +crypto_aead_chacha20poly1305_ietf_selftest(void) +{ + /* https://datatracker.ietf.org/doc/html/rfc8439#section-2.8.2 */ + static const uint8_t plaintext[] = { + 0x4c,0x61,0x64,0x69, 0x65,0x73,0x20,0x61, + 0x6e,0x64,0x20,0x47, 0x65,0x6e,0x74,0x6c, + 0x65,0x6d,0x65,0x6e, 0x20,0x6f,0x66,0x20, + 0x74,0x68,0x65,0x20, 0x63,0x6c,0x61,0x73, + 0x73,0x20,0x6f,0x66, 0x20,0x27,0x39,0x39, + 0x3a,0x20,0x49,0x66, 0x20,0x49,0x20,0x63, + 0x6f,0x75,0x6c,0x64, 0x20,0x6f,0x66,0x66, + 0x65,0x72,0x20,0x79, 0x6f,0x75,0x20,0x6f, + 0x6e,0x6c,0x79,0x20, 0x6f,0x6e,0x65,0x20, + 0x74,0x69,0x70,0x20, 0x66,0x6f,0x72,0x20, + 0x74,0x68,0x65,0x20, 0x66,0x75,0x74,0x75, + 0x72,0x65,0x2c,0x20, 0x73,0x75,0x6e,0x73, + 0x63,0x72,0x65,0x65, 0x6e,0x20,0x77,0x6f, + 0x75,0x6c,0x64,0x20, 0x62,0x65,0x20,0x69, + 0x74,0x2e, + }; + static const uint8_t aad[] = { + 0x50,0x51,0x52,0x53, 0xc0,0xc1,0xc2,0xc3, + 0xc4,0xc5,0xc6,0xc7, + }; + static const uint8_t key[] = { + 0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87, + 0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f, + 0x90,0x91,0x92,0x93, 0x94,0x95,0x96,0x97, + 0x98,0x99,0x9a,0x9b, 0x9c,0x9d,0x9e,0x9f, + }; + static const uint8_t nonce[] = { + 0x07,0x00,0x00,0x00, 0x40,0x41,0x42,0x43, 0x44,0x45,0x46,0x47, + }; + static const uint8_t ciphertext[] = { + 0xd3,0x1a,0x8d,0x34, 0x64,0x8e,0x60,0xdb, + 0x7b,0x86,0xaf,0xbc, 0x53,0xef,0x7e,0xc2, + 0xa4,0xad,0xed,0x51, 0x28,0x6e,0x08,0xfe, + 0xa9,0xe2,0xb5,0xa7, 0x36,0xee,0x62,0xd6, + 0x3d,0xbe,0xa4,0x5e, 
0x8c,0xa9,0x67,0x12, + 0x82,0xfa,0xfb,0x69, 0xda,0x92,0x72,0x8b, + 0x1a,0x71,0xde,0x0a, 0x9e,0x06,0x0b,0x29, + 0x05,0xd6,0xa5,0xb6, 0x7e,0xcd,0x3b,0x36, + 0x92,0xdd,0xbd,0x7f, 0x2d,0x77,0x8b,0x8c, + 0x98,0x03,0xae,0xe3, 0x28,0x09,0x1b,0x58, + 0xfa,0xb3,0x24,0xe4, 0xfa,0xd6,0x75,0x94, + 0x55,0x85,0x80,0x8b, 0x48,0x31,0xd7,0xbc, + 0x3f,0xf4,0xde,0xf0, 0x8e,0x4b,0x7a,0x9d, + 0xe5,0x76,0xd2,0x65, 0x86,0xce,0xc6,0x4b, + 0x61,0x16, + + 0x1a,0xe1,0x0b,0x59, 0x4f,0x09,0xe2,0x6a, + 0x7e,0x90,0x2e,0xcb, 0xd0,0x60,0x06,0x91, + }; + uint8_t inbuf[sizeof(ciphertext) + __ALIGNBYTES]; + uint8_t outbuf[sizeof(ciphertext) + __ALIGNBYTES]; + uint8_t aadbuf[sizeof(aad) + __ALIGNBYTES]; + uint8_t noncebuf[sizeof(nonce) + __ALIGNBYTES]; + uint8_t keybuf[sizeof(key) + __ALIGNBYTES]; + unsigned i, j, k, L, M; + int result = 0; + + for (i = 0; i <= __ALIGNBYTES; i++) { + for (j = 0; j <= __ALIGNBYTES; j++) { + for (k = 0; k <= __ALIGNBYTES; k++) { + for (L = 0; L <= __ALIGNBYTES; L++) { + for (M = 0; M <= __ALIGNBYTES; M++) { + unsigned long long outsize = 0; + int error; + char t[64]; + + memset(inbuf, 0, sizeof(inbuf)); + memset(aadbuf, 0, sizeof(aadbuf)); + memset(noncebuf, 0, sizeof(noncebuf)); + memset(keybuf, 0, sizeof(keybuf)); + memset(outbuf, 0, sizeof(outbuf)); + + memcpy(inbuf + i, plaintext, sizeof(plaintext)); + memcpy(aadbuf + j, aad, sizeof(aad)); + memcpy(noncebuf + k, nonce, sizeof(nonce)); + memcpy(keybuf + L, key, sizeof(key)); + + error = crypto_aead_encrypt(outbuf + M, + &outsize, + inbuf + i, sizeof(plaintext), + aadbuf + j, sizeof(aad), + NULL, /* secret nonce, not supported */ + noncebuf + k, + keybuf + L); + if (error) { + snprintf(t, sizeof(t), + "encrypt i=%u j=%u k=%u L=%u M=%u", + i, j, k, L, M); + printf("%s: encrypt error=%d\n", t, error); + return -1; + } + if (outsize != sizeof(ciphertext)) { + snprintf(t, sizeof(t), + "encrypt i=%u j=%u k=%u L=%u M=%u", + i, j, k, L, M); + printf("%s: outsize=%llu is not %zu\n", t, + outsize, sizeof(ciphertext)); + return 
-1; + } + if (memcmp(outbuf + M, ciphertext, sizeof(ciphertext)) != 0) { + snprintf(t, sizeof(t), + "encrypt i=%u j=%u k=%u L=%u M=%u", + i, j, k, L, M); + hexdump(printf, t, outbuf + M, sizeof(ciphertext)); + return -1; + } + + memset(inbuf, 0, sizeof(inbuf)); + memset(aadbuf, 0, sizeof(aadbuf)); + memset(noncebuf, 0, sizeof(noncebuf)); + memset(keybuf, 0, sizeof(keybuf)); + memset(outbuf, 0, sizeof(outbuf)); + + memcpy(inbuf + i, ciphertext, sizeof(ciphertext)); + memcpy(aadbuf + j, aad, sizeof(aad)); + memcpy(noncebuf + k, nonce, sizeof(nonce)); + memcpy(keybuf + L, key, sizeof(key)); + + error = crypto_aead_decrypt(outbuf + M, + &outsize, + NULL, /* secret nonce, not supported */ + inbuf + i, sizeof(ciphertext), + aadbuf + j, sizeof(aad), + noncebuf + k, + keybuf + L); + if (error) { + snprintf(t, sizeof(t), + "decrypt i=%u j=%u k=%u L=%u M=%u", + i, j, k, L, M); + printf("%s: decrypt error=%d\n", t, error); + return -1; + } + if (outsize != sizeof(plaintext)) { + snprintf(t, sizeof(t), + "encrypt i=%u j=%u k=%u L=%u M=%u", + i, j, k, L, M); + printf("%s: outsize=%llu is not %zu\n", t, + outsize, sizeof(plaintext)); + return -1; + } + if (memcmp(outbuf + M, plaintext, sizeof(plaintext)) != 0) { + snprintf(t, sizeof(t), + "decrypt i=%u j=%u k=%u L=%u M=%u", + i, j, k, L, M); + hexdump(printf, t, outbuf + M, sizeof(ciphertext)); + return -1; + } + } + } + } + } + } + + return 0; +} + +int +sodium_selftest(void) +{ + int result = 0; + + result |= crypto_aead_chacha20poly1305_ietf_selftest(); + + return result; +} + +#ifdef SODIUM_SELFTEST_MAIN +int +main(void) +{ + + return sodium_selftest(); +} +#endif
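Review bot: `crypto_aead_chacha20poly1305_ietf_selftest` exercises only the accept path: it checks that encryption reproduces the RFC 8439 ciphertext and that decrypting the untouched ciphertext returns the plaintext, but never that `crypto_aead_decrypt` rejects a modified tag, ciphertext or AAD. A verification routine that accepts everything would pass this test, so a forgery check belongs after the decrypt comparison inside the innermost loop, as sketched below. Two smaller points in the same function: the decrypt `outsize` failure branch builds its label with `"encrypt i=%u ..."` where `"decrypt i=%u ..."` is meant, and the local `int result = 0;` is never used.

```c
		/* … unchanged: encrypt and decrypt known-answer checks … */

		/*
		 * inbuf, aadbuf, noncebuf and keybuf still hold the
		 * decrypt inputs; corrupt the last tag byte and require
		 * that decryption now fails.
		 */
		inbuf[i + sizeof(ciphertext) - 1] ^= 0x01;
		error = crypto_aead_decrypt(outbuf + M,
		    &outsize,
		    NULL,	/* secret nonce, not supported */
		    inbuf + i, sizeof(ciphertext),
		    aadbuf + j, sizeof(aad),
		    noncebuf + k,
		    keybuf + L);
		if (error == 0) {
			snprintf(t, sizeof(t),
			    "forgery i=%u j=%u k=%u L=%u M=%u",
			    i, j, k, L, M);
			printf("%s: decrypt accepted a modified tag\n", t);
			return -1;
		}
```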