Details | Last modification | View Log | RSS feed
| Rev | Author | Line No. | Line |
|---|---|---|---|
| 8774 | rgimad | 1 | /** |
| 2 | * \file poly1305.c |
||
| 3 | * |
||
| 4 | * \brief Poly1305 authentication algorithm. |
||
| 5 | * |
||
| 6 | * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved |
||
| 7 | * SPDX-License-Identifier: GPL-2.0 |
||
| 8 | * |
||
| 9 | * This program is free software; you can redistribute it and/or modify |
||
| 10 | * it under the terms of the GNU General Public License as published by |
||
| 11 | * the Free Software Foundation; either version 2 of the License, or |
||
| 12 | * (at your option) any later version. |
||
| 13 | * |
||
| 14 | * This program is distributed in the hope that it will be useful, |
||
| 15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
||
| 16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
||
| 17 | * GNU General Public License for more details. |
||
| 18 | * |
||
| 19 | * You should have received a copy of the GNU General Public License along |
||
| 20 | * with this program; if not, write to the Free Software Foundation, Inc., |
||
| 21 | * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. |
||
| 22 | * |
||
| 23 | * This file is part of mbed TLS (https://tls.mbed.org) |
||
| 24 | */ |
||
| 25 | #if !defined(MBEDTLS_CONFIG_FILE) |
||
| 26 | #include "mbedtls/config.h" |
||
| 27 | #else |
||
| 28 | #include MBEDTLS_CONFIG_FILE |
||
| 29 | #endif |
||
| 30 | |||
| 31 | #if defined(MBEDTLS_POLY1305_C) |
||
| 32 | |||
| 33 | #include "mbedtls/poly1305.h" |
||
| 34 | #include "mbedtls/platform_util.h" |
||
| 35 | |||
| 36 | #include |
||
| 37 | |||
| 38 | #if defined(MBEDTLS_SELF_TEST) |
||
| 39 | #if defined(MBEDTLS_PLATFORM_C) |
||
| 40 | #include "mbedtls/platform.h" |
||
| 41 | #else |
||
| 42 | #include |
||
| 43 | #define mbedtls_printf printf |
||
| 44 | #endif /* MBEDTLS_PLATFORM_C */ |
||
| 45 | #endif /* MBEDTLS_SELF_TEST */ |
||
| 46 | |||
| 47 | #if !defined(MBEDTLS_POLY1305_ALT) |
||
| 48 | |||
| 49 | #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \ |
||
| 50 | !defined(inline) && !defined(__cplusplus) |
||
| 51 | #define inline __inline |
||
| 52 | #endif |
||
| 53 | |||
| 54 | /* Parameter validation macros */ |
||
| 55 | #define POLY1305_VALIDATE_RET( cond ) \ |
||
| 56 | MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ) |
||
| 57 | #define POLY1305_VALIDATE( cond ) \ |
||
| 58 | MBEDTLS_INTERNAL_VALIDATE( cond ) |
||
| 59 | |||
| 60 | #define POLY1305_BLOCK_SIZE_BYTES ( 16U ) |
||
| 61 | |||
| 62 | #define BYTES_TO_U32_LE( data, offset ) \ |
||
| 63 | ( (uint32_t) (data)[offset] \ |
||
| 64 | | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 ) \ |
||
| 65 | | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 ) \ |
||
| 66 | | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 ) \ |
||
| 67 | ) |
||
| 68 | |||
| 69 | /* |
||
| 70 | * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier. |
||
| 71 | * However we provided an alternative for platforms without such a multiplier. |
||
| 72 | */ |
||
| 73 | #if defined(MBEDTLS_NO_64BIT_MULTIPLICATION) |
||
| 74 | static uint64_t mul64( uint32_t a, uint32_t b ) |
||
| 75 | { |
||
| 76 | /* a = al + 2**16 ah, b = bl + 2**16 bh */ |
||
| 77 | const uint16_t al = (uint16_t) a; |
||
| 78 | const uint16_t bl = (uint16_t) b; |
||
| 79 | const uint16_t ah = a >> 16; |
||
| 80 | const uint16_t bh = b >> 16; |
||
| 81 | |||
| 82 | /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */ |
||
| 83 | const uint32_t lo = (uint32_t) al * bl; |
||
| 84 | const uint64_t me = (uint64_t)( (uint32_t) ah * bl ) + (uint32_t) al * bh; |
||
| 85 | const uint32_t hi = (uint32_t) ah * bh; |
||
| 86 | |||
| 87 | return( lo + ( me << 16 ) + ( (uint64_t) hi << 32 ) ); |
||
| 88 | } |
||
| 89 | #else |
||
| 90 | static inline uint64_t mul64( uint32_t a, uint32_t b ) |
||
| 91 | { |
||
| 92 | return( (uint64_t) a * b ); |
||
| 93 | } |
||
| 94 | #endif |
||
| 95 | |||
| 96 | |||
| 97 | /** |
||
| 98 | * \brief Process blocks with Poly1305. |
||
| 99 | * |
||
| 100 | * \param ctx The Poly1305 context. |
||
| 101 | * \param nblocks Number of blocks to process. Note that this |
||
| 102 | * function only processes full blocks. |
||
| 103 | * \param input Buffer containing the input block(s). |
||
| 104 | * \param needs_padding Set to 0 if the padding bit has already been |
||
| 105 | * applied to the input data before calling this |
||
| 106 | * function. Otherwise, set this parameter to 1. |
||
| 107 | */ |
||
| 108 | static void poly1305_process( mbedtls_poly1305_context *ctx, |
||
| 109 | size_t nblocks, |
||
| 110 | const unsigned char *input, |
||
| 111 | uint32_t needs_padding ) |
||
| 112 | { |
||
| 113 | uint64_t d0, d1, d2, d3; |
||
| 114 | uint32_t acc0, acc1, acc2, acc3, acc4; |
||
| 115 | uint32_t r0, r1, r2, r3; |
||
| 116 | uint32_t rs1, rs2, rs3; |
||
| 117 | size_t offset = 0U; |
||
| 118 | size_t i; |
||
| 119 | |||
| 120 | r0 = ctx->r[0]; |
||
| 121 | r1 = ctx->r[1]; |
||
| 122 | r2 = ctx->r[2]; |
||
| 123 | r3 = ctx->r[3]; |
||
| 124 | |||
| 125 | rs1 = r1 + ( r1 >> 2U ); |
||
| 126 | rs2 = r2 + ( r2 >> 2U ); |
||
| 127 | rs3 = r3 + ( r3 >> 2U ); |
||
| 128 | |||
| 129 | acc0 = ctx->acc[0]; |
||
| 130 | acc1 = ctx->acc[1]; |
||
| 131 | acc2 = ctx->acc[2]; |
||
| 132 | acc3 = ctx->acc[3]; |
||
| 133 | acc4 = ctx->acc[4]; |
||
| 134 | |||
| 135 | /* Process full blocks */ |
||
| 136 | for( i = 0U; i < nblocks; i++ ) |
||
| 137 | { |
||
| 138 | /* The input block is treated as a 128-bit little-endian integer */ |
||
| 139 | d0 = BYTES_TO_U32_LE( input, offset + 0 ); |
||
| 140 | d1 = BYTES_TO_U32_LE( input, offset + 4 ); |
||
| 141 | d2 = BYTES_TO_U32_LE( input, offset + 8 ); |
||
| 142 | d3 = BYTES_TO_U32_LE( input, offset + 12 ); |
||
| 143 | |||
| 144 | /* Compute: acc += (padded) block as a 130-bit integer */ |
||
| 145 | d0 += (uint64_t) acc0; |
||
| 146 | d1 += (uint64_t) acc1 + ( d0 >> 32U ); |
||
| 147 | d2 += (uint64_t) acc2 + ( d1 >> 32U ); |
||
| 148 | d3 += (uint64_t) acc3 + ( d2 >> 32U ); |
||
| 149 | acc0 = (uint32_t) d0; |
||
| 150 | acc1 = (uint32_t) d1; |
||
| 151 | acc2 = (uint32_t) d2; |
||
| 152 | acc3 = (uint32_t) d3; |
||
| 153 | acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding; |
||
| 154 | |||
| 155 | /* Compute: acc *= r */ |
||
| 156 | d0 = mul64( acc0, r0 ) + |
||
| 157 | mul64( acc1, rs3 ) + |
||
| 158 | mul64( acc2, rs2 ) + |
||
| 159 | mul64( acc3, rs1 ); |
||
| 160 | d1 = mul64( acc0, r1 ) + |
||
| 161 | mul64( acc1, r0 ) + |
||
| 162 | mul64( acc2, rs3 ) + |
||
| 163 | mul64( acc3, rs2 ) + |
||
| 164 | mul64( acc4, rs1 ); |
||
| 165 | d2 = mul64( acc0, r2 ) + |
||
| 166 | mul64( acc1, r1 ) + |
||
| 167 | mul64( acc2, r0 ) + |
||
| 168 | mul64( acc3, rs3 ) + |
||
| 169 | mul64( acc4, rs2 ); |
||
| 170 | d3 = mul64( acc0, r3 ) + |
||
| 171 | mul64( acc1, r2 ) + |
||
| 172 | mul64( acc2, r1 ) + |
||
| 173 | mul64( acc3, r0 ) + |
||
| 174 | mul64( acc4, rs3 ); |
||
| 175 | acc4 *= r0; |
||
| 176 | |||
| 177 | /* Compute: acc %= (2^130 - 5) (partial remainder) */ |
||
| 178 | d1 += ( d0 >> 32 ); |
||
| 179 | d2 += ( d1 >> 32 ); |
||
| 180 | d3 += ( d2 >> 32 ); |
||
| 181 | acc0 = (uint32_t) d0; |
||
| 182 | acc1 = (uint32_t) d1; |
||
| 183 | acc2 = (uint32_t) d2; |
||
| 184 | acc3 = (uint32_t) d3; |
||
| 185 | acc4 = (uint32_t) ( d3 >> 32 ) + acc4; |
||
| 186 | |||
| 187 | d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU ); |
||
| 188 | acc4 &= 3U; |
||
| 189 | acc0 = (uint32_t) d0; |
||
| 190 | d0 = (uint64_t) acc1 + ( d0 >> 32U ); |
||
| 191 | acc1 = (uint32_t) d0; |
||
| 192 | d0 = (uint64_t) acc2 + ( d0 >> 32U ); |
||
| 193 | acc2 = (uint32_t) d0; |
||
| 194 | d0 = (uint64_t) acc3 + ( d0 >> 32U ); |
||
| 195 | acc3 = (uint32_t) d0; |
||
| 196 | d0 = (uint64_t) acc4 + ( d0 >> 32U ); |
||
| 197 | acc4 = (uint32_t) d0; |
||
| 198 | |||
| 199 | offset += POLY1305_BLOCK_SIZE_BYTES; |
||
| 200 | } |
||
| 201 | |||
| 202 | ctx->acc[0] = acc0; |
||
| 203 | ctx->acc[1] = acc1; |
||
| 204 | ctx->acc[2] = acc2; |
||
| 205 | ctx->acc[3] = acc3; |
||
| 206 | ctx->acc[4] = acc4; |
||
| 207 | } |
||
| 208 | |||
| 209 | /** |
||
| 210 | * \brief Compute the Poly1305 MAC |
||
| 211 | * |
||
| 212 | * \param ctx The Poly1305 context. |
||
| 213 | * \param mac The buffer to where the MAC is written. Must be |
||
| 214 | * big enough to contain the 16-byte MAC. |
||
| 215 | */ |
||
| 216 | static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx, |
||
| 217 | unsigned char mac[16] ) |
||
| 218 | { |
||
| 219 | uint64_t d; |
||
| 220 | uint32_t g0, g1, g2, g3, g4; |
||
| 221 | uint32_t acc0, acc1, acc2, acc3, acc4; |
||
| 222 | uint32_t mask; |
||
| 223 | uint32_t mask_inv; |
||
| 224 | |||
| 225 | acc0 = ctx->acc[0]; |
||
| 226 | acc1 = ctx->acc[1]; |
||
| 227 | acc2 = ctx->acc[2]; |
||
| 228 | acc3 = ctx->acc[3]; |
||
| 229 | acc4 = ctx->acc[4]; |
||
| 230 | |||
| 231 | /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5. |
||
| 232 | * We do this by calculating acc - (2^130 - 5), then checking if |
||
| 233 | * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5) |
||
| 234 | */ |
||
| 235 | |||
| 236 | /* Calculate acc + -(2^130 - 5) */ |
||
| 237 | d = ( (uint64_t) acc0 + 5U ); |
||
| 238 | g0 = (uint32_t) d; |
||
| 239 | d = ( (uint64_t) acc1 + ( d >> 32 ) ); |
||
| 240 | g1 = (uint32_t) d; |
||
| 241 | d = ( (uint64_t) acc2 + ( d >> 32 ) ); |
||
| 242 | g2 = (uint32_t) d; |
||
| 243 | d = ( (uint64_t) acc3 + ( d >> 32 ) ); |
||
| 244 | g3 = (uint32_t) d; |
||
| 245 | g4 = acc4 + (uint32_t) ( d >> 32U ); |
||
| 246 | |||
| 247 | /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */ |
||
| 248 | mask = (uint32_t) 0U - ( g4 >> 2U ); |
||
| 249 | mask_inv = ~mask; |
||
| 250 | |||
| 251 | /* If 131st bit is set then acc=g, otherwise, acc is unmodified */ |
||
| 252 | acc0 = ( acc0 & mask_inv ) | ( g0 & mask ); |
||
| 253 | acc1 = ( acc1 & mask_inv ) | ( g1 & mask ); |
||
| 254 | acc2 = ( acc2 & mask_inv ) | ( g2 & mask ); |
||
| 255 | acc3 = ( acc3 & mask_inv ) | ( g3 & mask ); |
||
| 256 | |||
| 257 | /* Add 's' */ |
||
| 258 | d = (uint64_t) acc0 + ctx->s[0]; |
||
| 259 | acc0 = (uint32_t) d; |
||
| 260 | d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U ); |
||
| 261 | acc1 = (uint32_t) d; |
||
| 262 | d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U ); |
||
| 263 | acc2 = (uint32_t) d; |
||
| 264 | acc3 += ctx->s[3] + (uint32_t) ( d >> 32U ); |
||
| 265 | |||
| 266 | /* Compute MAC (128 least significant bits of the accumulator) */ |
||
| 267 | mac[ 0] = (unsigned char)( acc0 ); |
||
| 268 | mac[ 1] = (unsigned char)( acc0 >> 8 ); |
||
| 269 | mac[ 2] = (unsigned char)( acc0 >> 16 ); |
||
| 270 | mac[ 3] = (unsigned char)( acc0 >> 24 ); |
||
| 271 | mac[ 4] = (unsigned char)( acc1 ); |
||
| 272 | mac[ 5] = (unsigned char)( acc1 >> 8 ); |
||
| 273 | mac[ 6] = (unsigned char)( acc1 >> 16 ); |
||
| 274 | mac[ 7] = (unsigned char)( acc1 >> 24 ); |
||
| 275 | mac[ 8] = (unsigned char)( acc2 ); |
||
| 276 | mac[ 9] = (unsigned char)( acc2 >> 8 ); |
||
| 277 | mac[10] = (unsigned char)( acc2 >> 16 ); |
||
| 278 | mac[11] = (unsigned char)( acc2 >> 24 ); |
||
| 279 | mac[12] = (unsigned char)( acc3 ); |
||
| 280 | mac[13] = (unsigned char)( acc3 >> 8 ); |
||
| 281 | mac[14] = (unsigned char)( acc3 >> 16 ); |
||
| 282 | mac[15] = (unsigned char)( acc3 >> 24 ); |
||
| 283 | } |
||
| 284 | |||
| 285 | void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx ) |
||
| 286 | { |
||
| 287 | POLY1305_VALIDATE( ctx != NULL ); |
||
| 288 | |||
| 289 | mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) ); |
||
| 290 | } |
||
| 291 | |||
| 292 | void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx ) |
||
| 293 | { |
||
| 294 | if( ctx == NULL ) |
||
| 295 | return; |
||
| 296 | |||
| 297 | mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) ); |
||
| 298 | } |
||
| 299 | |||
| 300 | int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx, |
||
| 301 | const unsigned char key[32] ) |
||
| 302 | { |
||
| 303 | POLY1305_VALIDATE_RET( ctx != NULL ); |
||
| 304 | POLY1305_VALIDATE_RET( key != NULL ); |
||
| 305 | |||
| 306 | /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */ |
||
| 307 | ctx->r[0] = BYTES_TO_U32_LE( key, 0 ) & 0x0FFFFFFFU; |
||
| 308 | ctx->r[1] = BYTES_TO_U32_LE( key, 4 ) & 0x0FFFFFFCU; |
||
| 309 | ctx->r[2] = BYTES_TO_U32_LE( key, 8 ) & 0x0FFFFFFCU; |
||
| 310 | ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU; |
||
| 311 | |||
| 312 | ctx->s[0] = BYTES_TO_U32_LE( key, 16 ); |
||
| 313 | ctx->s[1] = BYTES_TO_U32_LE( key, 20 ); |
||
| 314 | ctx->s[2] = BYTES_TO_U32_LE( key, 24 ); |
||
| 315 | ctx->s[3] = BYTES_TO_U32_LE( key, 28 ); |
||
| 316 | |||
| 317 | /* Initial accumulator state */ |
||
| 318 | ctx->acc[0] = 0U; |
||
| 319 | ctx->acc[1] = 0U; |
||
| 320 | ctx->acc[2] = 0U; |
||
| 321 | ctx->acc[3] = 0U; |
||
| 322 | ctx->acc[4] = 0U; |
||
| 323 | |||
| 324 | /* Queue initially empty */ |
||
| 325 | mbedtls_platform_zeroize( ctx->queue, sizeof( ctx->queue ) ); |
||
| 326 | ctx->queue_len = 0U; |
||
| 327 | |||
| 328 | return( 0 ); |
||
| 329 | } |
||
| 330 | |||
| 331 | int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, |
||
| 332 | const unsigned char *input, |
||
| 333 | size_t ilen ) |
||
| 334 | { |
||
| 335 | size_t offset = 0U; |
||
| 336 | size_t remaining = ilen; |
||
| 337 | size_t queue_free_len; |
||
| 338 | size_t nblocks; |
||
| 339 | POLY1305_VALIDATE_RET( ctx != NULL ); |
||
| 340 | POLY1305_VALIDATE_RET( ilen == 0 || input != NULL ); |
||
| 341 | |||
| 342 | if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) ) |
||
| 343 | { |
||
| 344 | queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len ); |
||
| 345 | |||
| 346 | if( ilen < queue_free_len ) |
||
| 347 | { |
||
| 348 | /* Not enough data to complete the block. |
||
| 349 | * Store this data with the other leftovers. |
||
| 350 | */ |
||
| 351 | memcpy( &ctx->queue[ctx->queue_len], |
||
| 352 | input, |
||
| 353 | ilen ); |
||
| 354 | |||
| 355 | ctx->queue_len += ilen; |
||
| 356 | |||
| 357 | remaining = 0U; |
||
| 358 | } |
||
| 359 | else |
||
| 360 | { |
||
| 361 | /* Enough data to produce a complete block */ |
||
| 362 | memcpy( &ctx->queue[ctx->queue_len], |
||
| 363 | input, |
||
| 364 | queue_free_len ); |
||
| 365 | |||
| 366 | ctx->queue_len = 0U; |
||
| 367 | |||
| 368 | poly1305_process( ctx, 1U, ctx->queue, 1U ); /* add padding bit */ |
||
| 369 | |||
| 370 | offset += queue_free_len; |
||
| 371 | remaining -= queue_free_len; |
||
| 372 | } |
||
| 373 | } |
||
| 374 | |||
| 375 | if( remaining >= POLY1305_BLOCK_SIZE_BYTES ) |
||
| 376 | { |
||
| 377 | nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES; |
||
| 378 | |||
| 379 | poly1305_process( ctx, nblocks, &input[offset], 1U ); |
||
| 380 | |||
| 381 | offset += nblocks * POLY1305_BLOCK_SIZE_BYTES; |
||
| 382 | remaining %= POLY1305_BLOCK_SIZE_BYTES; |
||
| 383 | } |
||
| 384 | |||
| 385 | if( remaining > 0U ) |
||
| 386 | { |
||
| 387 | /* Store partial block */ |
||
| 388 | ctx->queue_len = remaining; |
||
| 389 | memcpy( ctx->queue, &input[offset], remaining ); |
||
| 390 | } |
||
| 391 | |||
| 392 | return( 0 ); |
||
| 393 | } |
||
| 394 | |||
| 395 | int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx, |
||
| 396 | unsigned char mac[16] ) |
||
| 397 | { |
||
| 398 | POLY1305_VALIDATE_RET( ctx != NULL ); |
||
| 399 | POLY1305_VALIDATE_RET( mac != NULL ); |
||
| 400 | |||
| 401 | /* Process any leftover data */ |
||
| 402 | if( ctx->queue_len > 0U ) |
||
| 403 | { |
||
| 404 | /* Add padding bit */ |
||
| 405 | ctx->queue[ctx->queue_len] = 1U; |
||
| 406 | ctx->queue_len++; |
||
| 407 | |||
| 408 | /* Pad with zeroes */ |
||
| 409 | memset( &ctx->queue[ctx->queue_len], |
||
| 410 | 0, |
||
| 411 | POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len ); |
||
| 412 | |||
| 413 | poly1305_process( ctx, 1U, /* Process 1 block */ |
||
| 414 | ctx->queue, 0U ); /* Already padded above */ |
||
| 415 | } |
||
| 416 | |||
| 417 | poly1305_compute_mac( ctx, mac ); |
||
| 418 | |||
| 419 | return( 0 ); |
||
| 420 | } |
||
| 421 | |||
| 422 | int mbedtls_poly1305_mac( const unsigned char key[32], |
||
| 423 | const unsigned char *input, |
||
| 424 | size_t ilen, |
||
| 425 | unsigned char mac[16] ) |
||
| 426 | { |
||
| 427 | mbedtls_poly1305_context ctx; |
||
| 428 | int ret; |
||
| 429 | POLY1305_VALIDATE_RET( key != NULL ); |
||
| 430 | POLY1305_VALIDATE_RET( mac != NULL ); |
||
| 431 | POLY1305_VALIDATE_RET( ilen == 0 || input != NULL ); |
||
| 432 | |||
| 433 | mbedtls_poly1305_init( &ctx ); |
||
| 434 | |||
| 435 | ret = mbedtls_poly1305_starts( &ctx, key ); |
||
| 436 | if( ret != 0 ) |
||
| 437 | goto cleanup; |
||
| 438 | |||
| 439 | ret = mbedtls_poly1305_update( &ctx, input, ilen ); |
||
| 440 | if( ret != 0 ) |
||
| 441 | goto cleanup; |
||
| 442 | |||
| 443 | ret = mbedtls_poly1305_finish( &ctx, mac ); |
||
| 444 | |||
| 445 | cleanup: |
||
| 446 | mbedtls_poly1305_free( &ctx ); |
||
| 447 | return( ret ); |
||
| 448 | } |
||
| 449 | |||
| 450 | #endif /* MBEDTLS_POLY1305_ALT */ |
||
| 451 | |||
| 452 | #if defined(MBEDTLS_SELF_TEST) |
||
| 453 | |||
| 454 | static const unsigned char test_keys[2][32] = |
||
| 455 | { |
||
| 456 | { |
||
| 457 | 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33, |
||
| 458 | 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8, |
||
| 459 | 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd, |
||
| 460 | 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b |
||
| 461 | }, |
||
| 462 | { |
||
| 463 | 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a, |
||
| 464 | 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0, |
||
| 465 | 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09, |
||
| 466 | 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0 |
||
| 467 | } |
||
| 468 | }; |
||
| 469 | |||
| 470 | static const unsigned char test_data[2][127] = |
||
| 471 | { |
||
| 472 | { |
||
| 473 | 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72, |
||
| 474 | 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f, |
||
| 475 | 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65, |
||
| 476 | 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f, |
||
| 477 | 0x75, 0x70 |
||
| 478 | }, |
||
| 479 | { |
||
| 480 | 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72, |
||
| 481 | 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61, |
||
| 482 | 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73, |
||
| 483 | 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f, |
||
| 484 | 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20, |
||
| 485 | 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64, |
||
| 486 | 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20, |
||
| 487 | 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77, |
||
| 488 | 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c, |
||
| 489 | 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77, |
||
| 490 | 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20, |
||
| 491 | 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65, |
||
| 492 | 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74, |
||
| 493 | 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20, |
||
| 494 | 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75, |
||
| 495 | 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e |
||
| 496 | } |
||
| 497 | }; |
||
| 498 | |||
| 499 | static const size_t test_data_len[2] = |
||
| 500 | { |
||
| 501 | 34U, |
||
| 502 | 127U |
||
| 503 | }; |
||
| 504 | |||
| 505 | static const unsigned char test_mac[2][16] = |
||
| 506 | { |
||
| 507 | { |
||
| 508 | 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6, |
||
| 509 | 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9 |
||
| 510 | }, |
||
| 511 | { |
||
| 512 | 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61, |
||
| 513 | 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62 |
||
| 514 | } |
||
| 515 | }; |
||
| 516 | |||
| 517 | #define ASSERT( cond, args ) \ |
||
| 518 | do \ |
||
| 519 | { \ |
||
| 520 | if( ! ( cond ) ) \ |
||
| 521 | { \ |
||
| 522 | if( verbose != 0 ) \ |
||
| 523 | mbedtls_printf args; \ |
||
| 524 | \ |
||
| 525 | return( -1 ); \ |
||
| 526 | } \ |
||
| 527 | } \ |
||
| 528 | while( 0 ) |
||
| 529 | |||
| 530 | int mbedtls_poly1305_self_test( int verbose ) |
||
| 531 | { |
||
| 532 | unsigned char mac[16]; |
||
| 533 | unsigned i; |
||
| 534 | int ret; |
||
| 535 | |||
| 536 | for( i = 0U; i < 2U; i++ ) |
||
| 537 | { |
||
| 538 | if( verbose != 0 ) |
||
| 539 | mbedtls_printf( " Poly1305 test %u ", i ); |
||
| 540 | |||
| 541 | ret = mbedtls_poly1305_mac( test_keys[i], |
||
| 542 | test_data[i], |
||
| 543 | test_data_len[i], |
||
| 544 | mac ); |
||
| 545 | ASSERT( 0 == ret, ( "error code: %i\n", ret ) ); |
||
| 546 | |||
| 547 | ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) ); |
||
| 548 | |||
| 549 | if( verbose != 0 ) |
||
| 550 | mbedtls_printf( "passed\n" ); |
||
| 551 | } |
||
| 552 | |||
| 553 | if( verbose != 0 ) |
||
| 554 | mbedtls_printf( "\n" ); |
||
| 555 | |||
| 556 | return( 0 ); |
||
| 557 | } |
||
| 558 | |||
| 559 | #endif /* MBEDTLS_SELF_TEST */ |
||
| 560 | |||
| 561 | #endif /* MBEDTLS_POLY1305_C */ |