TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / refs/heads/archive/dev/mbedtls-2.10.0-preview / . / library / poly1305.c
blob: a9fff4757c1eeb0f4029119bc4c7a019134836f0 [file] [log] [blame]
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]1/**
2 * \file poly1305.c
3 *
4 * \brief Poly1305 authentication algorithm.
5 *
6 * Copyright (C) 2006-2016, ARM Limited, All Rights Reserved
7 * SPDX-License-Identifier: Apache-2.0
8 *
9 * Licensed under the Apache License, Version 2.0 (the "License"); you may
10 * not use this file except in compliance with the License.
11 * You may obtain a copy of the License at
12 *
13 * http://www.apache.org/licenses/LICENSE-2.0
14 *
15 * Unless required by applicable law or agreed to in writing, software
16 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
17 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
18 * See the License for the specific language governing permissions and
19 * limitations under the License.
20 *
21 * This file is part of mbed TLS (https://tls.mbed.org)
22 */
23#if !defined(MBEDTLS_CONFIG_FILE)
24#include "mbedtls/config.h"
25#else
26#include MBEDTLS_CONFIG_FILE
27#endif
28
29#if defined(MBEDTLS_POLY1305_C)
30
31#if !defined(MBEDTLS_POLY1305_ALT)
32
33#include "mbedtls/poly1305.h"
34
35#include <string.h>
36
37#if defined(MBEDTLS_SELF_TEST)
38#if defined(MBEDTLS_PLATFORM_C)
39#include "mbedtls/platform.h"
40#else
41#include <stdio.h>
42#define mbedtls_printf printf
43#endif /* MBEDTLS_PLATFORM_C */
44#endif /* MBEDTLS_SELF_TEST */
45
46#define POLY1305_BLOCK_SIZE_BYTES ( 16U )
47
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]48#define BYTES_TO_U32_LE( data, offset ) \
49 ( (uint32_t) data[offset] \
50 | (uint32_t) ( (uint32_t) data[( offset ) + 1] << 8 ) \
51 | (uint32_t) ( (uint32_t) data[( offset ) + 2] << 16 ) \
52 | (uint32_t) ( (uint32_t) data[( offset ) + 3] << 24 ) \
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]53 )
54
55/* Implementation that should never be optimized out by the compiler */
56static void mbedtls_zeroize( void *v, size_t n ) {
57 volatile unsigned char *p = v; while( n-- ) *p++ = 0;
58}
59
60/**
61 * \brief Process blocks with Poly1305.
62 *
63 * \param ctx The Poly1305 context.
64 * \param nblocks Number of blocks to process. Note that this function
65 * only processes full blocks.
66 * \param input Buffer containing the input block(s).
67 * \param needs_padding Set to 0 if the padding bit has already been applied
68 * to the input data before calling this function.
69 * Otherwise, set this parameter to 1.
70 */
71static void mbedtls_poly1305_process( mbedtls_poly1305_context *ctx,
72 size_t nblocks,
73 const unsigned char *input,
74 uint32_t needs_padding )
75{
76 uint64_t d0, d1, d2, d3;
77 uint32_t acc0, acc1, acc2, acc3, acc4;
78 uint32_t r0, r1, r2, r3;
79 uint32_t rs1, rs2, rs3;
80 size_t offset = 0U;
81 size_t i;
82
83 r0 = ctx->r[0];
84 r1 = ctx->r[1];
85 r2 = ctx->r[2];
86 r3 = ctx->r[3];
87
88 rs1 = r1 + ( r1 >> 2U );
89 rs2 = r2 + ( r2 >> 2U );
90 rs3 = r3 + ( r3 >> 2U );
91
92 acc0 = ctx->acc[0];
93 acc1 = ctx->acc[1];
94 acc2 = ctx->acc[2];
95 acc3 = ctx->acc[3];
96 acc4 = ctx->acc[4];
97
98 /* Process full blocks */
99 for ( i = 0U; i < nblocks; i++ )
100 {
101 /* Compute: acc += block */
102 /* Note that the input block is treated as a 128-bit little-endian integer */
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]103 d0 = (uint64_t) acc0 + BYTES_TO_U32_LE( input, offset + 0 );
104 d1 = (uint64_t) acc1 + BYTES_TO_U32_LE( input, offset + 4 ) + ( d0 >> 32U );
105 d2 = (uint64_t) acc2 + BYTES_TO_U32_LE( input, offset + 8 ) + ( d1 >> 32U );
106 d3 = (uint64_t) acc3 + BYTES_TO_U32_LE( input, offset + 12 ) + ( d2 >> 32U );
107 acc0 = (uint32_t) d0;
108 acc1 = (uint32_t) d1;
109 acc2 = (uint32_t) d2;
110 acc3 = (uint32_t) d3;
111 acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding;
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]112
113 /* Compute: acc *= r */
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]114 d0 = ( (uint64_t) acc0 * r0 ) +
115 ( (uint64_t) acc1 * rs3 ) +
116 ( (uint64_t) acc2 * rs2 ) +
117 ( (uint64_t) acc3 * rs1 );
118 d1 = ( (uint64_t) acc0 * r1 ) +
119 ( (uint64_t) acc1 * r0 ) +
120 ( (uint64_t) acc2 * rs3 ) +
121 ( (uint64_t) acc3 * rs2 ) +
122 ( (uint64_t) acc4 * rs1 );
123 d2 = ( (uint64_t) acc0 * r2 ) +
124 ( (uint64_t) acc1 * r1 ) +
125 ( (uint64_t) acc2 * r0 ) +
126 ( (uint64_t) acc3 * rs3 ) +
127 ( (uint64_t) acc4 * rs2 );
128 d3 = ( (uint64_t) acc0 * r3 ) +
129 ( (uint64_t) acc1 * r2 ) +
130 ( (uint64_t) acc2 * r1 ) +
131 ( (uint64_t) acc3 * r0 ) +
132 ( (uint64_t) acc4 * rs3 );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]133 acc4 *= r0;
134
135 /* Compute: acc %= (2^130 - 5) (partial remainder) */
136 d1 += ( d0 >> 32 );
137 d2 += ( d1 >> 32 );
138 d3 += ( d2 >> 32 );
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]139 acc0 = (uint32_t) d0;
140 acc1 = (uint32_t) d1;
141 acc2 = (uint32_t) d2;
142 acc3 = (uint32_t) d3;
143 acc4 = (uint32_t) ( d3 >> 32 ) + acc4;
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]144
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]145 d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]146 acc4 &= 3U;
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]147 acc0 = (uint32_t) d0;
148 d0 = (uint64_t) acc1 + ( d0 >> 32U );
149 acc1 = (uint32_t) d0;
150 d0 = (uint64_t) acc2 + ( d0 >> 32U );
151 acc2 = (uint32_t) d0;
152 d0 = (uint64_t) acc3 + ( d0 >> 32U );
153 acc3 = (uint32_t) d0;
154 d0 = (uint64_t) acc4 + ( d0 >> 32U );
155 acc4 = (uint32_t) d0;
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]156
157 offset += POLY1305_BLOCK_SIZE_BYTES;
158 }
159
160 ctx->acc[0] = acc0;
161 ctx->acc[1] = acc1;
162 ctx->acc[2] = acc2;
163 ctx->acc[3] = acc3;
164 ctx->acc[4] = acc4;
165}
166
167/**
168 * \brief Compute the Poly1305 MAC
169 *
170 * \param ctx The Poly1305 context.
171 * \param mac The buffer to where the MAC is written. Must be
172 * big enough to contain the 16-byte MAC.
173 */
174static void mbedtls_poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
175 unsigned char mac[16] )
176{
177 uint64_t d;
178 uint32_t g0, g1, g2, g3, g4;
179 uint32_t acc0, acc1, acc2, acc3, acc4;
180 uint32_t mask;
181 uint32_t mask_inv;
182
183 acc0 = ctx->acc[0];
184 acc1 = ctx->acc[1];
185 acc2 = ctx->acc[2];
186 acc3 = ctx->acc[3];
187 acc4 = ctx->acc[4];
188
189 /* Before adding 's' we need to ensure that the accumulator is mod 2^130 - 5.
190 * We do this by calculating acc - (2^130 - 5), then checking if
191 * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
192 */
193
194 /* Calculate acc + -(2^130 - 5) */
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]195 d = ( (uint64_t) acc0 + 5U );
196 g0 = (uint32_t) d;
197 d = ( (uint64_t) acc1 + ( d >> 32 ) );
198 g1 = (uint32_t) d;
199 d = ( (uint64_t) acc2 + ( d >> 32 ) );
200 g2 = (uint32_t) d;
201 d = ( (uint64_t) acc3 + ( d >> 32 ) );
202 g3 = (uint32_t) d;
203 g4 = acc4 + (uint32_t) ( d >> 32U );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]204
205 /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]206 mask = (uint32_t) 0U - ( g4 >> 2U );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]207 mask_inv = ~mask;
208
209 /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
210 acc0 = ( acc0 & mask_inv ) | ( g0 & mask );
211 acc1 = ( acc1 & mask_inv ) | ( g1 & mask );
212 acc2 = ( acc2 & mask_inv ) | ( g2 & mask );
213 acc3 = ( acc3 & mask_inv ) | ( g3 & mask );
214
215 /* Add 's' */
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]216 d = (uint64_t) acc0 + ctx->s[0];
217 acc0 = (uint32_t) d;
218 d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U );
219 acc1 = (uint32_t) d;
220 d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U );
221 acc2 = (uint32_t) d;
222 acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]223
224 /* Compute MAC (128 least significant bits of the accumulator) */
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]225 mac[0] = (unsigned char) acc0;
226 mac[1] = (unsigned char) ( acc0 >> 8 );
227 mac[2] = (unsigned char) ( acc0 >> 16 );
228 mac[3] = (unsigned char) ( acc0 >> 24 );
229 mac[4] = (unsigned char) acc1;
230 mac[5] = (unsigned char) ( acc1 >> 8 );
231 mac[6] = (unsigned char) ( acc1 >> 16 );
232 mac[7] = (unsigned char) ( acc1 >> 24 );
233 mac[8] = (unsigned char) acc2;
234 mac[9] = (unsigned char) ( acc2 >> 8 );
235 mac[10] = (unsigned char) ( acc2 >> 16 );
236 mac[11] = (unsigned char) ( acc2 >> 24 );
237 mac[12] = (unsigned char) acc3;
238 mac[13] = (unsigned char) ( acc3 >> 8 );
239 mac[14] = (unsigned char) ( acc3 >> 16 );
240 mac[15] = (unsigned char) ( acc3 >> 24 );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]241}
242
243void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
244{
245 if ( ctx != NULL )
246 {
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]247 mbedtls_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]248 }
249}
250
251void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
252{
253 if ( ctx != NULL )
254 {
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]255 mbedtls_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]256 }
257}
258
Manuel Pégourié-Gonnard54b1a732018-05-07 10:21:56 +0200[diff] [blame]259int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]260 const unsigned char key[32] )
261{
Manuel Pégourié-Gonnard550c20f2018-05-10 10:12:36 +0200[diff] [blame]262 if ( ctx == NULL || key == NULL )
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]263 {
264 return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
265 }
266
267 /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
268 ctx->r[0] = BYTES_TO_U32_LE( key, 0 ) & 0x0FFFFFFFU;
269 ctx->r[1] = BYTES_TO_U32_LE( key, 4 ) & 0x0FFFFFFCU;
270 ctx->r[2] = BYTES_TO_U32_LE( key, 8 ) & 0x0FFFFFFCU;
271 ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU;
272
273 ctx->s[0] = BYTES_TO_U32_LE( key, 16 );
274 ctx->s[1] = BYTES_TO_U32_LE( key, 20 );
275 ctx->s[2] = BYTES_TO_U32_LE( key, 24 );
276 ctx->s[3] = BYTES_TO_U32_LE( key, 28 );
277
278 /* Initial accumulator state */
279 ctx->acc[0] = 0U;
280 ctx->acc[1] = 0U;
281 ctx->acc[2] = 0U;
282 ctx->acc[3] = 0U;
Manuel Pégourié-Gonnard97e34bf2018-05-09 12:51:54 +0200[diff] [blame]283 ctx->acc[4] = 0U;
284
285 /* Queue initially empty */
286 mbedtls_zeroize( ctx->queue, sizeof( ctx->queue ) );
287 ctx->queue_len = 0U;
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]288
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]289 return( 0 );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]290}
291
292int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
Manuel Pégourié-Gonnard9b7a93c2018-05-09 09:25:00 +0200[diff] [blame]293 const unsigned char *input,
294 size_t ilen )
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]295{
296 size_t offset = 0U;
297 size_t remaining = ilen;
298 size_t queue_free_len;
299 size_t nblocks;
300
Daniel Kingf28c2aa2016-05-17 15:56:26 -0300[diff] [blame]301 if ( ctx == NULL )
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]302 {
303 return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
304 }
Daniel Kingf28c2aa2016-05-17 15:56:26 -0300[diff] [blame]305 else if ( ( ilen > 0U ) && ( input == NULL ) )
306 {
307 /* input pointer is allowed to be NULL only if ilen == 0 */
308 return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
309 }
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]310
Daniel Kingf28c2aa2016-05-17 15:56:26 -0300[diff] [blame]311 if ( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]312 {
313 queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
314
315 if ( ilen < queue_free_len )
316 {
317 /* Not enough data to complete the block.
318 * Store this data with the other leftovers.
319 */
320 memcpy( &ctx->queue[ctx->queue_len],
321 input,
322 ilen );
323
324 ctx->queue_len += ilen;
325
326 remaining = 0U;
327 }
328 else
329 {
330 /* Enough data to produce a complete block */
331 memcpy( &ctx->queue[ctx->queue_len],
332 input,
333 queue_free_len );
334
335 ctx->queue_len = 0U;
336
337 mbedtls_poly1305_process( ctx,
338 1U,
339 ctx->queue,
340 1U ); /* add padding bit */
341
342 offset += queue_free_len;
343 remaining -= queue_free_len;
344 }
345 }
346
347 if ( remaining >= POLY1305_BLOCK_SIZE_BYTES )
348 {
349 nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
350
351 mbedtls_poly1305_process( ctx, nblocks, &input[offset], 1U );
352
353 offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
354 remaining %= POLY1305_BLOCK_SIZE_BYTES;
355 }
356
357 if ( remaining > 0U )
358 {
359 /* Store partial block */
360 ctx->queue_len = remaining;
361 memcpy( ctx->queue, &input[offset], remaining );
362 }
363
364 return( 0 );
365}
366
367int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
368 unsigned char mac[16] )
369{
370 if ( ( ctx == NULL ) || ( mac == NULL ) )
371 {
372 return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
373 }
374
375 /* Process any leftover data */
376 if ( ctx->queue_len > 0U )
377 {
378 /* Add padding bit */
379 ctx->queue[ctx->queue_len] = 1U;
380 ctx->queue_len++;
381
382 /* Pad with zeroes */
383 memset( &ctx->queue[ctx->queue_len],
384 0,
385 POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
386
387 mbedtls_poly1305_process( ctx,
388 1U, /* Process 1 block */
389 ctx->queue,
390 0U ); /* Don't add padding bit (it was just added above) */
391 }
392
393 mbedtls_poly1305_compute_mac( ctx, mac );
394
395 return( 0 );
396}
397
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]398int mbedtls_poly1305_mac( const unsigned char key[32],
Manuel Pégourié-Gonnard9b7a93c2018-05-09 09:25:00 +0200[diff] [blame]399 const unsigned char *input,
400 size_t ilen,
401 unsigned char mac[16] )
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]402{
403 mbedtls_poly1305_context ctx;
404 int result;
405
406 mbedtls_poly1305_init( &ctx );
407
Manuel Pégourié-Gonnard54b1a732018-05-07 10:21:56 +0200[diff] [blame]408 result = mbedtls_poly1305_starts( &ctx, key );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]409 if ( result != 0 )
410 goto cleanup;
411
Manuel Pégourié-Gonnard9b7a93c2018-05-09 09:25:00 +0200[diff] [blame]412 result = mbedtls_poly1305_update( &ctx, input, ilen );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]413 if ( result != 0 )
414 goto cleanup;
415
416 result = mbedtls_poly1305_finish( &ctx, mac );
417
418cleanup:
419 mbedtls_poly1305_free( &ctx );
Manuel Pégourié-Gonnard550c20f2018-05-10 10:12:36 +0200[diff] [blame]420 return( result );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]421}
422
Manuel Pégourié-Gonnarddeda80e2018-05-07 09:58:35 +0200[diff] [blame]423#endif /* MBEDTLS_POLY1305_ALT */
424
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]425#if defined(MBEDTLS_SELF_TEST)
426
427static const unsigned char test_keys[2][32] =
428{
429 {
430 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
431 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
432 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
433 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
434 },
435 {
436 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
437 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
438 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
439 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
440 }
441};
442
443static const unsigned char test_data[2][127] =
444{
445 {
446 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
447 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
448 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
449 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
450 0x75, 0x70
451 },
452 {
453 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
454 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
455 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
456 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
457 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
458 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
459 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
460 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
461 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
462 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
463 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
464 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
465 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
466 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
467 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
468 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
469 }
470};
471
472static const size_t test_data_len[2] =
473{
474 34U,
475 127U
476};
477
478static const unsigned char test_mac[2][16] =
479{
480 {
481 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
482 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
483 },
484 {
485 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
486 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
487 }
488};
489
Manuel Pégourié-Gonnard53502512018-05-10 11:42:07 +0200[diff] [blame]490#define ASSERT( cond, args ) \
491 do \
492 { \
493 if( ! ( cond ) ) \
494 { \
495 if( verbose != 0 ) \
496 mbedtls_printf args; \
497 \
498 return( -1 ); \
499 } \
500 } \
501 while( 0 )
502
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]503int mbedtls_poly1305_self_test( int verbose )
504{
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]505 unsigned char mac[16];
Manuel Pégourié-Gonnard726cf722018-05-07 10:14:18 +0200[diff] [blame]506 unsigned i;
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]507 int result;
508
Manuel Pégourié-Gonnard53502512018-05-10 11:42:07 +0200[diff] [blame]509 for( i = 0U; i < 2U; i++ )
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]510 {
Manuel Pégourié-Gonnard53502512018-05-10 11:42:07 +0200[diff] [blame]511 if( verbose != 0 )
Manuel Pégourié-Gonnard726cf722018-05-07 10:14:18 +0200[diff] [blame]512 mbedtls_printf( " Poly1305 test %u ", i );
Daniel Kingd00afaf2016-05-18 10:07:53 -0300[diff] [blame]513
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]514 result = mbedtls_poly1305_mac( test_keys[i],
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]515 test_data[i],
Manuel Pégourié-Gonnard9b7a93c2018-05-09 09:25:00 +0200[diff] [blame]516 test_data_len[i],
Daniel Kingf5892752016-05-24 11:16:17 -0300[diff] [blame]517 mac );
Manuel Pégourié-Gonnard53502512018-05-10 11:42:07 +0200[diff] [blame]518 ASSERT( 0 == result, ( "error code: %i\n", result ) );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]519
Manuel Pégourié-Gonnard53502512018-05-10 11:42:07 +0200[diff] [blame]520 ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]521
Manuel Pégourié-Gonnard53502512018-05-10 11:42:07 +0200[diff] [blame]522 if( verbose != 0 )
Daniel Kingd00afaf2016-05-18 10:07:53 -0300[diff] [blame]523 mbedtls_printf( "passed\n" );
Daniel Kingd00afaf2016-05-18 10:07:53 -0300[diff] [blame]524 }
525
526 if( verbose != 0 )
Daniel Kingd00afaf2016-05-18 10:07:53 -0300[diff] [blame]527 mbedtls_printf( "\n" );
Daniel King5d77eaa2016-05-16 18:25:45 -0300[diff] [blame]528
529 return( 0 );
530}
531
532#endif /* MBEDTLS_SELF_TEST */
533
534#endif /* MBEDTLS_POLY1305_C */