Details | Last modification | View Log | RSS feed
Rev | Author | Line No. | Line |
---|---|---|---|
8774 | rgimad | 1 | /** |
2 | * \file poly1305.c |
||
3 | * |
||
4 | * \brief Poly1305 authentication algorithm. |
||
5 | * |
||
6 | * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved |
||
7 | * SPDX-License-Identifier: GPL-2.0 |
||
8 | * |
||
9 | * This program is free software; you can redistribute it and/or modify |
||
10 | * it under the terms of the GNU General Public License as published by |
||
11 | * the Free Software Foundation; either version 2 of the License, or |
||
12 | * (at your option) any later version. |
||
13 | * |
||
14 | * This program is distributed in the hope that it will be useful, |
||
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
17 | * GNU General Public License for more details. |
||
18 | * |
||
19 | * You should have received a copy of the GNU General Public License along |
||
20 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
22 | * |
||
23 | * This file is part of mbed TLS (https://tls.mbed.org) |
||
24 | */ |
||
25 | #if !defined(MBEDTLS_CONFIG_FILE) |
||
26 | #include "mbedtls/config.h" |
||
27 | #else |
||
28 | #include MBEDTLS_CONFIG_FILE |
||
29 | #endif |
||
30 | |||
31 | #if defined(MBEDTLS_POLY1305_C) |
||
32 | |||
33 | #include "mbedtls/poly1305.h" |
||
34 | #include "mbedtls/platform_util.h" |
||
35 | |||
36 | #include |
||
37 | |||
38 | #if defined(MBEDTLS_SELF_TEST) |
||
39 | #if defined(MBEDTLS_PLATFORM_C) |
||
40 | #include "mbedtls/platform.h" |
||
41 | #else |
||
42 | #include |
||
43 | #define mbedtls_printf printf |
||
44 | #endif /* MBEDTLS_PLATFORM_C */ |
||
45 | #endif /* MBEDTLS_SELF_TEST */ |
||
46 | |||
47 | #if !defined(MBEDTLS_POLY1305_ALT) |
||
48 | |||
49 | #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ |
||
50 | !defined(inline) && !defined(__cplusplus) |
||
51 | #define inline __inline |
||
52 | #endif |
||
53 | |||
54 | /* Parameter validation macros */ |
||
55 | #define POLY1305_VALIDATE_RET( cond ) \ |
||
56 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ) |
||
57 | #define POLY1305_VALIDATE( cond ) \ |
||
58 | MBEDTLS_INTERNAL_VALIDATE( cond ) |
||
59 | |||
60 | #define POLY1305_BLOCK_SIZE_BYTES ( 16U ) |
||
61 | |||
62 | #define BYTES_TO_U32_LE( data, offset ) \ |
||
63 | ( (uint32_t) (data)[offset] \ |
||
64 | | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 ) \ |
||
65 | | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 ) \ |
||
66 | | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 ) \ |
||
67 | ) |
||
68 | |||
69 | /* |
||
70 | * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier. |
||
71 | * However we provided an alternative for platforms without such a multiplier. |
||
72 | */ |
||
73 | #if defined(MBEDTLS_NO_64BIT_MULTIPLICATION) |
||
74 | static uint64_t mul64( uint32_t a, uint32_t b ) |
||
75 | { |
||
76 | /* a = al + 2**16 ah, b = bl + 2**16 bh */ |
||
77 | const uint16_t al = (uint16_t) a; |
||
78 | const uint16_t bl = (uint16_t) b; |
||
79 | const uint16_t ah = a >> 16; |
||
80 | const uint16_t bh = b >> 16; |
||
81 | |||
82 | /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */ |
||
83 | const uint32_t lo = (uint32_t) al * bl; |
||
84 | const uint64_t me = (uint64_t)( (uint32_t) ah * bl ) + (uint32_t) al * bh; |
||
85 | const uint32_t hi = (uint32_t) ah * bh; |
||
86 | |||
87 | return( lo + ( me << 16 ) + ( (uint64_t) hi << 32 ) ); |
||
88 | } |
||
89 | #else |
||
90 | static inline uint64_t mul64( uint32_t a, uint32_t b ) |
||
91 | { |
||
92 | return( (uint64_t) a * b ); |
||
93 | } |
||
94 | #endif |
||
95 | |||
96 | |||
97 | /** |
||
98 | * \brief Process blocks with Poly1305. |
||
99 | * |
||
100 | * \param ctx The Poly1305 context. |
||
101 | * \param nblocks Number of blocks to process. Note that this |
||
102 | * function only processes full blocks. |
||
103 | * \param input Buffer containing the input block(s). |
||
104 | * \param needs_padding Set to 0 if the padding bit has already been |
||
105 | * applied to the input data before calling this |
||
106 | * function. Otherwise, set this parameter to 1. |
||
107 | */ |
||
108 | static void poly1305_process( mbedtls_poly1305_context *ctx, |
||
109 | size_t nblocks, |
||
110 | const unsigned char *input, |
||
111 | uint32_t needs_padding ) |
||
112 | { |
||
113 | uint64_t d0, d1, d2, d3; |
||
114 | uint32_t acc0, acc1, acc2, acc3, acc4; |
||
115 | uint32_t r0, r1, r2, r3; |
||
116 | uint32_t rs1, rs2, rs3; |
||
117 | size_t offset = 0U; |
||
118 | size_t i; |
||
119 | |||
120 | r0 = ctx->r[0]; |
||
121 | r1 = ctx->r[1]; |
||
122 | r2 = ctx->r[2]; |
||
123 | r3 = ctx->r[3]; |
||
124 | |||
125 | rs1 = r1 + ( r1 >> 2U ); |
||
126 | rs2 = r2 + ( r2 >> 2U ); |
||
127 | rs3 = r3 + ( r3 >> 2U ); |
||
128 | |||
129 | acc0 = ctx->acc[0]; |
||
130 | acc1 = ctx->acc[1]; |
||
131 | acc2 = ctx->acc[2]; |
||
132 | acc3 = ctx->acc[3]; |
||
133 | acc4 = ctx->acc[4]; |
||
134 | |||
135 | /* Process full blocks */ |
||
136 | for( i = 0U; i < nblocks; i++ ) |
||
137 | { |
||
138 | /* The input block is treated as a 128-bit little-endian integer */ |
||
139 | d0 = BYTES_TO_U32_LE( input, offset + 0 ); |
||
140 | d1 = BYTES_TO_U32_LE( input, offset + 4 ); |
||
141 | d2 = BYTES_TO_U32_LE( input, offset + 8 ); |
||
142 | d3 = BYTES_TO_U32_LE( input, offset + 12 ); |
||
143 | |||
144 | /* Compute: acc += (padded) block as a 130-bit integer */ |
||
145 | d0 += (uint64_t) acc0; |
||
146 | d1 += (uint64_t) acc1 + ( d0 >> 32U ); |
||
147 | d2 += (uint64_t) acc2 + ( d1 >> 32U ); |
||
148 | d3 += (uint64_t) acc3 + ( d2 >> 32U ); |
||
149 | acc0 = (uint32_t) d0; |
||
150 | acc1 = (uint32_t) d1; |
||
151 | acc2 = (uint32_t) d2; |
||
152 | acc3 = (uint32_t) d3; |
||
153 | acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding; |
||
154 | |||
155 | /* Compute: acc *= r */ |
||
156 | d0 = mul64( acc0, r0 ) + |
||
157 | mul64( acc1, rs3 ) + |
||
158 | mul64( acc2, rs2 ) + |
||
159 | mul64( acc3, rs1 ); |
||
160 | d1 = mul64( acc0, r1 ) + |
||
161 | mul64( acc1, r0 ) + |
||
162 | mul64( acc2, rs3 ) + |
||
163 | mul64( acc3, rs2 ) + |
||
164 | mul64( acc4, rs1 ); |
||
165 | d2 = mul64( acc0, r2 ) + |
||
166 | mul64( acc1, r1 ) + |
||
167 | mul64( acc2, r0 ) + |
||
168 | mul64( acc3, rs3 ) + |
||
169 | mul64( acc4, rs2 ); |
||
170 | d3 = mul64( acc0, r3 ) + |
||
171 | mul64( acc1, r2 ) + |
||
172 | mul64( acc2, r1 ) + |
||
173 | mul64( acc3, r0 ) + |
||
174 | mul64( acc4, rs3 ); |
||
175 | acc4 *= r0; |
||
176 | |||
177 | /* Compute: acc %= (2^130 - 5) (partial remainder) */ |
||
178 | d1 += ( d0 >> 32 ); |
||
179 | d2 += ( d1 >> 32 ); |
||
180 | d3 += ( d2 >> 32 ); |
||
181 | acc0 = (uint32_t) d0; |
||
182 | acc1 = (uint32_t) d1; |
||
183 | acc2 = (uint32_t) d2; |
||
184 | acc3 = (uint32_t) d3; |
||
185 | acc4 = (uint32_t) ( d3 >> 32 ) + acc4; |
||
186 | |||
187 | d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU ); |
||
188 | acc4 &= 3U; |
||
189 | acc0 = (uint32_t) d0; |
||
190 | d0 = (uint64_t) acc1 + ( d0 >> 32U ); |
||
191 | acc1 = (uint32_t) d0; |
||
192 | d0 = (uint64_t) acc2 + ( d0 >> 32U ); |
||
193 | acc2 = (uint32_t) d0; |
||
194 | d0 = (uint64_t) acc3 + ( d0 >> 32U ); |
||
195 | acc3 = (uint32_t) d0; |
||
196 | d0 = (uint64_t) acc4 + ( d0 >> 32U ); |
||
197 | acc4 = (uint32_t) d0; |
||
198 | |||
199 | offset += POLY1305_BLOCK_SIZE_BYTES; |
||
200 | } |
||
201 | |||
202 | ctx->acc[0] = acc0; |
||
203 | ctx->acc[1] = acc1; |
||
204 | ctx->acc[2] = acc2; |
||
205 | ctx->acc[3] = acc3; |
||
206 | ctx->acc[4] = acc4; |
||
207 | } |
||
208 | |||
209 | /** |
||
210 | * \brief Compute the Poly1305 MAC |
||
211 | * |
||
212 | * \param ctx The Poly1305 context. |
||
213 | * \param mac The buffer to where the MAC is written. Must be |
||
214 | * big enough to contain the 16-byte MAC. |
||
215 | */ |
||
216 | static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx, |
||
217 | unsigned char mac[16] ) |
||
218 | { |
||
219 | uint64_t d; |
||
220 | uint32_t g0, g1, g2, g3, g4; |
||
221 | uint32_t acc0, acc1, acc2, acc3, acc4; |
||
222 | uint32_t mask; |
||
223 | uint32_t mask_inv; |
||
224 | |||
225 | acc0 = ctx->acc[0]; |
||
226 | acc1 = ctx->acc[1]; |
||
227 | acc2 = ctx->acc[2]; |
||
228 | acc3 = ctx->acc[3]; |
||
229 | acc4 = ctx->acc[4]; |
||
230 | |||
231 | /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5. |
||
232 | * We do this by calculating acc - (2^130 - 5), then checking if |
||
233 | * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5) |
||
234 | */ |
||
235 | |||
236 | /* Calculate acc + -(2^130 - 5) */ |
||
237 | d = ( (uint64_t) acc0 + 5U ); |
||
238 | g0 = (uint32_t) d; |
||
239 | d = ( (uint64_t) acc1 + ( d >> 32 ) ); |
||
240 | g1 = (uint32_t) d; |
||
241 | d = ( (uint64_t) acc2 + ( d >> 32 ) ); |
||
242 | g2 = (uint32_t) d; |
||
243 | d = ( (uint64_t) acc3 + ( d >> 32 ) ); |
||
244 | g3 = (uint32_t) d; |
||
245 | g4 = acc4 + (uint32_t) ( d >> 32U ); |
||
246 | |||
247 | /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */ |
||
248 | mask = (uint32_t) 0U - ( g4 >> 2U ); |
||
249 | mask_inv = ~mask; |
||
250 | |||
251 | /* If 131st bit is set then acc=g, otherwise, acc is unmodified */ |
||
252 | acc0 = ( acc0 & mask_inv ) | ( g0 & mask ); |
||
253 | acc1 = ( acc1 & mask_inv ) | ( g1 & mask ); |
||
254 | acc2 = ( acc2 & mask_inv ) | ( g2 & mask ); |
||
255 | acc3 = ( acc3 & mask_inv ) | ( g3 & mask ); |
||
256 | |||
257 | /* Add 's' */ |
||
258 | d = (uint64_t) acc0 + ctx->s[0]; |
||
259 | acc0 = (uint32_t) d; |
||
260 | d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U ); |
||
261 | acc1 = (uint32_t) d; |
||
262 | d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U ); |
||
263 | acc2 = (uint32_t) d; |
||
264 | acc3 += ctx->s[3] + (uint32_t) ( d >> 32U ); |
||
265 | |||
266 | /* Compute MAC (128 least significant bits of the accumulator) */ |
||
267 | mac[ 0] = (unsigned char)( acc0 ); |
||
268 | mac[ 1] = (unsigned char)( acc0 >> 8 ); |
||
269 | mac[ 2] = (unsigned char)( acc0 >> 16 ); |
||
270 | mac[ 3] = (unsigned char)( acc0 >> 24 ); |
||
271 | mac[ 4] = (unsigned char)( acc1 ); |
||
272 | mac[ 5] = (unsigned char)( acc1 >> 8 ); |
||
273 | mac[ 6] = (unsigned char)( acc1 >> 16 ); |
||
274 | mac[ 7] = (unsigned char)( acc1 >> 24 ); |
||
275 | mac[ 8] = (unsigned char)( acc2 ); |
||
276 | mac[ 9] = (unsigned char)( acc2 >> 8 ); |
||
277 | mac[10] = (unsigned char)( acc2 >> 16 ); |
||
278 | mac[11] = (unsigned char)( acc2 >> 24 ); |
||
279 | mac[12] = (unsigned char)( acc3 ); |
||
280 | mac[13] = (unsigned char)( acc3 >> 8 ); |
||
281 | mac[14] = (unsigned char)( acc3 >> 16 ); |
||
282 | mac[15] = (unsigned char)( acc3 >> 24 ); |
||
283 | } |
||
284 | |||
285 | void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx ) |
||
286 | { |
||
287 | POLY1305_VALIDATE( ctx != NULL ); |
||
288 | |||
289 | mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) ); |
||
290 | } |
||
291 | |||
292 | void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx ) |
||
293 | { |
||
294 | if( ctx == NULL ) |
||
295 | return; |
||
296 | |||
297 | mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) ); |
||
298 | } |
||
299 | |||
300 | int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx, |
||
301 | const unsigned char key[32] ) |
||
302 | { |
||
303 | POLY1305_VALIDATE_RET( ctx != NULL ); |
||
304 | POLY1305_VALIDATE_RET( key != NULL ); |
||
305 | |||
306 | /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */ |
||
307 | ctx->r[0] = BYTES_TO_U32_LE( key, 0 ) & 0x0FFFFFFFU; |
||
308 | ctx->r[1] = BYTES_TO_U32_LE( key, 4 ) & 0x0FFFFFFCU; |
||
309 | ctx->r[2] = BYTES_TO_U32_LE( key, 8 ) & 0x0FFFFFFCU; |
||
310 | ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU; |
||
311 | |||
312 | ctx->s[0] = BYTES_TO_U32_LE( key, 16 ); |
||
313 | ctx->s[1] = BYTES_TO_U32_LE( key, 20 ); |
||
314 | ctx->s[2] = BYTES_TO_U32_LE( key, 24 ); |
||
315 | ctx->s[3] = BYTES_TO_U32_LE( key, 28 ); |
||
316 | |||
317 | /* Initial accumulator state */ |
||
318 | ctx->acc[0] = 0U; |
||
319 | ctx->acc[1] = 0U; |
||
320 | ctx->acc[2] = 0U; |
||
321 | ctx->acc[3] = 0U; |
||
322 | ctx->acc[4] = 0U; |
||
323 | |||
324 | /* Queue initially empty */ |
||
325 | mbedtls_platform_zeroize( ctx->queue, sizeof( ctx->queue ) ); |
||
326 | ctx->queue_len = 0U; |
||
327 | |||
328 | return( 0 ); |
||
329 | } |
||
330 | |||
331 | int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, |
||
332 | const unsigned char *input, |
||
333 | size_t ilen ) |
||
334 | { |
||
335 | size_t offset = 0U; |
||
336 | size_t remaining = ilen; |
||
337 | size_t queue_free_len; |
||
338 | size_t nblocks; |
||
339 | POLY1305_VALIDATE_RET( ctx != NULL ); |
||
340 | POLY1305_VALIDATE_RET( ilen == 0 || input != NULL ); |
||
341 | |||
342 | if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) ) |
||
343 | { |
||
344 | queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len ); |
||
345 | |||
346 | if( ilen < queue_free_len ) |
||
347 | { |
||
348 | /* Not enough data to complete the block. |
||
349 | * Store this data with the other leftovers. |
||
350 | */ |
||
351 | memcpy( &ctx->queue[ctx->queue_len], |
||
352 | input, |
||
353 | ilen ); |
||
354 | |||
355 | ctx->queue_len += ilen; |
||
356 | |||
357 | remaining = 0U; |
||
358 | } |
||
359 | else |
||
360 | { |
||
361 | /* Enough data to produce a complete block */ |
||
362 | memcpy( &ctx->queue[ctx->queue_len], |
||
363 | input, |
||
364 | queue_free_len ); |
||
365 | |||
366 | ctx->queue_len = 0U; |
||
367 | |||
368 | poly1305_process( ctx, 1U, ctx->queue, 1U ); /* add padding bit */ |
||
369 | |||
370 | offset += queue_free_len; |
||
371 | remaining -= queue_free_len; |
||
372 | } |
||
373 | } |
||
374 | |||
375 | if( remaining >= POLY1305_BLOCK_SIZE_BYTES ) |
||
376 | { |
||
377 | nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES; |
||
378 | |||
379 | poly1305_process( ctx, nblocks, &input[offset], 1U ); |
||
380 | |||
381 | offset += nblocks * POLY1305_BLOCK_SIZE_BYTES; |
||
382 | remaining %= POLY1305_BLOCK_SIZE_BYTES; |
||
383 | } |
||
384 | |||
385 | if( remaining > 0U ) |
||
386 | { |
||
387 | /* Store partial block */ |
||
388 | ctx->queue_len = remaining; |
||
389 | memcpy( ctx->queue, &input[offset], remaining ); |
||
390 | } |
||
391 | |||
392 | return( 0 ); |
||
393 | } |
||
394 | |||
395 | int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx, |
||
396 | unsigned char mac[16] ) |
||
397 | { |
||
398 | POLY1305_VALIDATE_RET( ctx != NULL ); |
||
399 | POLY1305_VALIDATE_RET( mac != NULL ); |
||
400 | |||
401 | /* Process any leftover data */ |
||
402 | if( ctx->queue_len > 0U ) |
||
403 | { |
||
404 | /* Add padding bit */ |
||
405 | ctx->queue[ctx->queue_len] = 1U; |
||
406 | ctx->queue_len++; |
||
407 | |||
408 | /* Pad with zeroes */ |
||
409 | memset( &ctx->queue[ctx->queue_len], |
||
410 | 0, |
||
411 | POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len ); |
||
412 | |||
413 | poly1305_process( ctx, 1U, /* Process 1 block */ |
||
414 | ctx->queue, 0U ); /* Already padded above */ |
||
415 | } |
||
416 | |||
417 | poly1305_compute_mac( ctx, mac ); |
||
418 | |||
419 | return( 0 ); |
||
420 | } |
||
421 | |||
422 | int mbedtls_poly1305_mac( const unsigned char key[32], |
||
423 | const unsigned char *input, |
||
424 | size_t ilen, |
||
425 | unsigned char mac[16] ) |
||
426 | { |
||
427 | mbedtls_poly1305_context ctx; |
||
428 | int ret; |
||
429 | POLY1305_VALIDATE_RET( key != NULL ); |
||
430 | POLY1305_VALIDATE_RET( mac != NULL ); |
||
431 | POLY1305_VALIDATE_RET( ilen == 0 || input != NULL ); |
||
432 | |||
433 | mbedtls_poly1305_init( &ctx ); |
||
434 | |||
435 | ret = mbedtls_poly1305_starts( &ctx, key ); |
||
436 | if( ret != 0 ) |
||
437 | goto cleanup; |
||
438 | |||
439 | ret = mbedtls_poly1305_update( &ctx, input, ilen ); |
||
440 | if( ret != 0 ) |
||
441 | goto cleanup; |
||
442 | |||
443 | ret = mbedtls_poly1305_finish( &ctx, mac ); |
||
444 | |||
445 | cleanup: |
||
446 | mbedtls_poly1305_free( &ctx ); |
||
447 | return( ret ); |
||
448 | } |
||
449 | |||
450 | #endif /* MBEDTLS_POLY1305_ALT */ |
||
451 | |||
452 | #if defined(MBEDTLS_SELF_TEST) |
||
453 | |||
454 | static const unsigned char test_keys[2][32] = |
||
455 | { |
||
456 | { |
||
457 | 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33, |
||
458 | 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8, |
||
459 | 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd, |
||
460 | 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b |
||
461 | }, |
||
462 | { |
||
463 | 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, |
||
464 | 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0, |
||
465 | 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09, |
||
466 | 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0 |
||
467 | } |
||
468 | }; |
||
469 | |||
470 | static const unsigned char test_data[2][127] = |
||
471 | { |
||
472 | { |
||
473 | 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, |
||
474 | 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f, |
||
475 | 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65, |
||
476 | 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f, |
||
477 | 0x75, 0x70 |
||
478 | }, |
||
479 | { |
||
480 | 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72, |
||
481 | 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61, |
||
482 | 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, |
||
483 | 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f, |
||
484 | 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20, |
||
485 | 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64, |
||
486 | 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20, |
||
487 | 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77, |
||
488 | 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c, |
||
489 | 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77, |
||
490 | 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20, |
||
491 | 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65, |
||
492 | 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74, |
||
493 | 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20, |
||
494 | 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75, |
||
495 | 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e |
||
496 | } |
||
497 | }; |
||
498 | |||
499 | static const size_t test_data_len[2] = |
||
500 | { |
||
501 | 34U, |
||
502 | 127U |
||
503 | }; |
||
504 | |||
505 | static const unsigned char test_mac[2][16] = |
||
506 | { |
||
507 | { |
||
508 | 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6, |
||
509 | 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9 |
||
510 | }, |
||
511 | { |
||
512 | 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61, |
||
513 | 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62 |
||
514 | } |
||
515 | }; |
||
516 | |||
517 | #define ASSERT( cond, args ) \ |
||
518 | do \ |
||
519 | { \ |
||
520 | if( ! ( cond ) ) \ |
||
521 | { \ |
||
522 | if( verbose != 0 ) \ |
||
523 | mbedtls_printf args; \ |
||
524 | \ |
||
525 | return( -1 ); \ |
||
526 | } \ |
||
527 | } \ |
||
528 | while( 0 ) |
||
529 | |||
530 | int mbedtls_poly1305_self_test( int verbose ) |
||
531 | { |
||
532 | unsigned char mac[16]; |
||
533 | unsigned i; |
||
534 | int ret; |
||
535 | |||
536 | for( i = 0U; i < 2U; i++ ) |
||
537 | { |
||
538 | if( verbose != 0 ) |
||
539 | mbedtls_printf( " Poly1305 test %u ", i ); |
||
540 | |||
541 | ret = mbedtls_poly1305_mac( test_keys[i], |
||
542 | test_data[i], |
||
543 | test_data_len[i], |
||
544 | mac ); |
||
545 | ASSERT( 0 == ret, ( "error code: %i\n", ret ) ); |
||
546 | |||
547 | ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) ); |
||
548 | |||
549 | if( verbose != 0 ) |
||
550 | mbedtls_printf( "passed\n" ); |
||
551 | } |
||
552 | |||
553 | if( verbose != 0 ) |
||
554 | mbedtls_printf( "\n" ); |
||
555 | |||
556 | return( 0 ); |
||
557 | } |
||
558 | |||
559 | #endif /* MBEDTLS_SELF_TEST */ |
||
560 | |||
561 | #endif /* MBEDTLS_POLY1305_C */>>>><>><>><>><>><> |