Home Verkennen Help
Inloggen
kindring
/
libpeer
1
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Boom: de2c325705
Aftakkingen Labels
libpeer
/
third_party
/
mbedtls
/
library
/
chachapoly.c

chachapoly.c 15 KB
Geschiedenis Ruwe

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492 
  1. /**
    2. 

  2.  * \file chachapoly.c
    3. 

  3.  *
    4. 

  4.  * \brief ChaCha20-Poly1305 AEAD construction based on RFC 7539.
    5. 

  5.  *
    6. 

  6.  *  Copyright The Mbed TLS Contributors
    7. 

  7.  *  SPDX-License-Identifier: Apache-2.0
    8. 

  8.  *
    9. 

  9.  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
    10. 

  10.  *  not use this file except in compliance with the License.
    11. 

  11.  *  You may obtain a copy of the License at
    12. 

  12.  *
    13. 

  13.  *  http://www.apache.org/licenses/LICENSE-2.0
    14. 

  14.  *
    15. 

  15.  *  Unless required by applicable law or agreed to in writing, software
    16. 

  16.  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
    17. 

  17.  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    18. 

  18.  *  See the License for the specific language governing permissions and
    19. 

  19.  *  limitations under the License.
    20. 

  20.  */
    21. 

  21. #include "common.h"
    22. 

  22. 

  23. #if defined(MBEDTLS_CHACHAPOLY_C)
    24. 

  24. 

  25. #include "mbedtls/chachapoly.h"
    26. 

  26. #include "mbedtls/platform_util.h"
    27. 

  27. #include "mbedtls/error.h"
    28. 

  28. 

  29. #include <string.h>
    30. 

  30. 

  31. #include "mbedtls/platform.h"
    32. 

  32. 

  33. #if !defined(MBEDTLS_CHACHAPOLY_ALT)
    34. 

  34. 

  35. #define CHACHAPOLY_STATE_INIT       (0)
    36. 

  36. #define CHACHAPOLY_STATE_AAD        (1)
    37. 

  37. #define CHACHAPOLY_STATE_CIPHERTEXT (2)   /* Encrypting or decrypting */
    38. 

  38. #define CHACHAPOLY_STATE_FINISHED   (3)
    39. 

  39. 

  40. /**
    41. 

  41.  * \brief           Adds nul bytes to pad the AAD for Poly1305.
    42. 

  42.  *
    43. 

  43.  * \param ctx       The ChaCha20-Poly1305 context.
    44. 

  44.  */
    45. 

  45. static int chachapoly_pad_aad(mbedtls_chachapoly_context *ctx)
    46. 

  46. {
    47. 

  47.     uint32_t partial_block_len = (uint32_t) (ctx->aad_len % 16U);
    48. 

  48.     unsigned char zeroes[15];
    49. 

  49. 

  50.     if (partial_block_len == 0U) {
    51. 

  51.         return 0;
    52. 

  52.     }
    53. 

  53. 

  54.     memset(zeroes, 0, sizeof(zeroes));
    55. 

  55. 

  56.     return mbedtls_poly1305_update(&ctx->poly1305_ctx,
    57. 

  57.                                    zeroes,
    58. 

  58.                                    16U - partial_block_len);
    59. 

  59. }
    60. 

  60. 

  61. /**
    62. 

  62.  * \brief           Adds nul bytes to pad the ciphertext for Poly1305.
    63. 

  63.  *
    64. 

  64.  * \param ctx       The ChaCha20-Poly1305 context.
    65. 

  65.  */
    66. 

  66. static int chachapoly_pad_ciphertext(mbedtls_chachapoly_context *ctx)
    67. 

  67. {
    68. 

  68.     uint32_t partial_block_len = (uint32_t) (ctx->ciphertext_len % 16U);
    69. 

  69.     unsigned char zeroes[15];
    70. 

  70. 

  71.     if (partial_block_len == 0U) {
    72. 

  72.         return 0;
    73. 

  73.     }
    74. 

  74. 

  75.     memset(zeroes, 0, sizeof(zeroes));
    76. 

  76.     return mbedtls_poly1305_update(&ctx->poly1305_ctx,
    77. 

  77.                                    zeroes,
    78. 

  78.                                    16U - partial_block_len);
    79. 

  79. }
    80. 

  80. 

  81. void mbedtls_chachapoly_init(mbedtls_chachapoly_context *ctx)
    82. 

  82. {
    83. 

  83.     mbedtls_chacha20_init(&ctx->chacha20_ctx);
    84. 

  84.     mbedtls_poly1305_init(&ctx->poly1305_ctx);
    85. 

  85.     ctx->aad_len        = 0U;
    86. 

  86.     ctx->ciphertext_len = 0U;
    87. 

  87.     ctx->state          = CHACHAPOLY_STATE_INIT;
    88. 

  88.     ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
    89. 

  89. }
    90. 

  90. 

  91. void mbedtls_chachapoly_free(mbedtls_chachapoly_context *ctx)
    92. 

  92. {
    93. 

  93.     if (ctx == NULL) {
    94. 

  94.         return;
    95. 

  95.     }
    96. 

  96. 

  97.     mbedtls_chacha20_free(&ctx->chacha20_ctx);
    98. 

  98.     mbedtls_poly1305_free(&ctx->poly1305_ctx);
    99. 

  99.     ctx->aad_len        = 0U;
    100. 

  100.     ctx->ciphertext_len = 0U;
    101. 

  101.     ctx->state          = CHACHAPOLY_STATE_INIT;
    102. 

  102.     ctx->mode           = MBEDTLS_CHACHAPOLY_ENCRYPT;
    103. 

  103. }
    104. 

  104. 

  105. int mbedtls_chachapoly_setkey(mbedtls_chachapoly_context *ctx,
    106. 

  106.                               const unsigned char key[32])
    107. 

  107. {
    108. 

  108.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    109. 

  109. 

  110.     ret = mbedtls_chacha20_setkey(&ctx->chacha20_ctx, key);
    111. 

  111. 

  112.     return ret;
    113. 

  113. }
    114. 

  114. 

  115. int mbedtls_chachapoly_starts(mbedtls_chachapoly_context *ctx,
    116. 

  116.                               const unsigned char nonce[12],
    117. 

  117.                               mbedtls_chachapoly_mode_t mode)
    118. 

  118. {
    119. 

  119.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    120. 

  120.     unsigned char poly1305_key[64];
    121. 

  121. 

  122.     /* Set counter = 0, will be update to 1 when generating Poly1305 key */
    123. 

  123.     ret = mbedtls_chacha20_starts(&ctx->chacha20_ctx, nonce, 0U);
    124. 

  124.     if (ret != 0) {
    125. 

  125.         goto cleanup;
    126. 

  126.     }
    127. 

  127. 

  128.     /* Generate the Poly1305 key by getting the ChaCha20 keystream output with
    129. 

  129.      * counter = 0.  This is the same as encrypting a buffer of zeroes.
    130. 

  130.      * Only the first 256-bits (32 bytes) of the key is used for Poly1305.
    131. 

  131.      * The other 256 bits are discarded.
    132. 

  132.      */
    133. 

  133.     memset(poly1305_key, 0, sizeof(poly1305_key));
    134. 

  134.     ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, sizeof(poly1305_key),
    135. 

  135.                                   poly1305_key, poly1305_key);
    136. 

  136.     if (ret != 0) {
    137. 

  137.         goto cleanup;
    138. 

  138.     }
    139. 

  139. 

  140.     ret = mbedtls_poly1305_starts(&ctx->poly1305_ctx, poly1305_key);
    141. 

  141. 

  142.     if (ret == 0) {
    143. 

  143.         ctx->aad_len        = 0U;
    144. 

  144.         ctx->ciphertext_len = 0U;
    145. 

  145.         ctx->state          = CHACHAPOLY_STATE_AAD;
    146. 

  146.         ctx->mode           = mode;
    147. 

  147.     }
    148. 

  148. 

  149. cleanup:
    150. 

  150.     mbedtls_platform_zeroize(poly1305_key, 64U);
    151. 

  151.     return ret;
    152. 

  152. }
    153. 

  153. 

  154. int mbedtls_chachapoly_update_aad(mbedtls_chachapoly_context *ctx,
    155. 

  155.                                   const unsigned char *aad,
    156. 

  156.                                   size_t aad_len)
    157. 

  157. {
    158. 

  158.     if (ctx->state != CHACHAPOLY_STATE_AAD) {
    159. 

  159.         return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
    160. 

  160.     }
    161. 

  161. 

  162.     ctx->aad_len += aad_len;
    163. 

  163. 

  164.     return mbedtls_poly1305_update(&ctx->poly1305_ctx, aad, aad_len);
    165. 

  165. }
    166. 

  166. 

  167. int mbedtls_chachapoly_update(mbedtls_chachapoly_context *ctx,
    168. 

  168.                               size_t len,
    169. 

  169.                               const unsigned char *input,
    170. 

  170.                               unsigned char *output)
    171. 

  171. {
    172. 

  172.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    173. 

  173. 

  174.     if ((ctx->state != CHACHAPOLY_STATE_AAD) &&
    175. 

  175.         (ctx->state != CHACHAPOLY_STATE_CIPHERTEXT)) {
    176. 

  176.         return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
    177. 

  177.     }
    178. 

  178. 

  179.     if (ctx->state == CHACHAPOLY_STATE_AAD) {
    180. 

  180.         ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
    181. 

  181. 

  182.         ret = chachapoly_pad_aad(ctx);
    183. 

  183.         if (ret != 0) {
    184. 

  184.             return ret;
    185. 

  185.         }
    186. 

  186.     }
    187. 

  187. 

  188.     ctx->ciphertext_len += len;
    189. 

  189. 

  190.     if (ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT) {
    191. 

  191.         ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
    192. 

  192.         if (ret != 0) {
    193. 

  193.             return ret;
    194. 

  194.         }
    195. 

  195. 

  196.         ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, output, len);
    197. 

  197.         if (ret != 0) {
    198. 

  198.             return ret;
    199. 

  199.         }
    200. 

  200.     } else { /* DECRYPT */
    201. 

  201.         ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, input, len);
    202. 

  202.         if (ret != 0) {
    203. 

  203.             return ret;
    204. 

  204.         }
    205. 

  205. 

  206.         ret = mbedtls_chacha20_update(&ctx->chacha20_ctx, len, input, output);
    207. 

  207.         if (ret != 0) {
    208. 

  208.             return ret;
    209. 

  209.         }
    210. 

  210.     }
    211. 

  211. 

  212.     return 0;
    213. 

  213. }
    214. 

  214. 

  215. int mbedtls_chachapoly_finish(mbedtls_chachapoly_context *ctx,
    216. 

  216.                               unsigned char mac[16])
    217. 

  217. {
    218. 

  218.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    219. 

  219.     unsigned char len_block[16];
    220. 

  220. 

  221.     if (ctx->state == CHACHAPOLY_STATE_INIT) {
    222. 

  222.         return MBEDTLS_ERR_CHACHAPOLY_BAD_STATE;
    223. 

  223.     }
    224. 

  224. 

  225.     if (ctx->state == CHACHAPOLY_STATE_AAD) {
    226. 

  226.         ret = chachapoly_pad_aad(ctx);
    227. 

  227.         if (ret != 0) {
    228. 

  228.             return ret;
    229. 

  229.         }
    230. 

  230.     } else if (ctx->state == CHACHAPOLY_STATE_CIPHERTEXT) {
    231. 

  231.         ret = chachapoly_pad_ciphertext(ctx);
    232. 

  232.         if (ret != 0) {
    233. 

  233.             return ret;
    234. 

  234.         }
    235. 

  235.     }
    236. 

  236. 

  237.     ctx->state = CHACHAPOLY_STATE_FINISHED;
    238. 

  238. 

  239.     /* The lengths of the AAD and ciphertext are processed by
    240. 

  240.      * Poly1305 as the final 128-bit block, encoded as little-endian integers.
    241. 

  241.      */
    242. 

  242.     MBEDTLS_PUT_UINT64_LE(ctx->aad_len, len_block, 0);
    243. 

  243.     MBEDTLS_PUT_UINT64_LE(ctx->ciphertext_len, len_block, 8);
    244. 

  244. 

  245.     ret = mbedtls_poly1305_update(&ctx->poly1305_ctx, len_block, 16U);
    246. 

  246.     if (ret != 0) {
    247. 

  247.         return ret;
    248. 

  248.     }
    249. 

  249. 

  250.     ret = mbedtls_poly1305_finish(&ctx->poly1305_ctx, mac);
    251. 

  251. 

  252.     return ret;
    253. 

  253. }
    254. 

  254. 

  255. static int chachapoly_crypt_and_tag(mbedtls_chachapoly_context *ctx,
    256. 

  256.                                     mbedtls_chachapoly_mode_t mode,
    257. 

  257.                                     size_t length,
    258. 

  258.                                     const unsigned char nonce[12],
    259. 

  259.                                     const unsigned char *aad,
    260. 

  260.                                     size_t aad_len,
    261. 

  261.                                     const unsigned char *input,
    262. 

  262.                                     unsigned char *output,
    263. 

  263.                                     unsigned char tag[16])
    264. 

  264. {
    265. 

  265.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    266. 

  266. 

  267.     ret = mbedtls_chachapoly_starts(ctx, nonce, mode);
    268. 

  268.     if (ret != 0) {
    269. 

  269.         goto cleanup;
    270. 

  270.     }
    271. 

  271. 

  272.     ret = mbedtls_chachapoly_update_aad(ctx, aad, aad_len);
    273. 

  273.     if (ret != 0) {
    274. 

  274.         goto cleanup;
    275. 

  275.     }
    276. 

  276. 

  277.     ret = mbedtls_chachapoly_update(ctx, length, input, output);
    278. 

  278.     if (ret != 0) {
    279. 

  279.         goto cleanup;
    280. 

  280.     }
    281. 

  281. 

  282.     ret = mbedtls_chachapoly_finish(ctx, tag);
    283. 

  283. 

  284. cleanup:
    285. 

  285.     return ret;
    286. 

  286. }
    287. 

  287. 

  288. int mbedtls_chachapoly_encrypt_and_tag(mbedtls_chachapoly_context *ctx,
    289. 

  289.                                        size_t length,
    290. 

  290.                                        const unsigned char nonce[12],
    291. 

  291.                                        const unsigned char *aad,
    292. 

  292.                                        size_t aad_len,
    293. 

  293.                                        const unsigned char *input,
    294. 

  294.                                        unsigned char *output,
    295. 

  295.                                        unsigned char tag[16])
    296. 

  296. {
    297. 

  297.     return chachapoly_crypt_and_tag(ctx, MBEDTLS_CHACHAPOLY_ENCRYPT,
    298. 

  298.                                     length, nonce, aad, aad_len,
    299. 

  299.                                     input, output, tag);
    300. 

  300. }
    301. 

  301. 

  302. int mbedtls_chachapoly_auth_decrypt(mbedtls_chachapoly_context *ctx,
    303. 

  303.                                     size_t length,
    304. 

  304.                                     const unsigned char nonce[12],
    305. 

  305.                                     const unsigned char *aad,
    306. 

  306.                                     size_t aad_len,
    307. 

  307.                                     const unsigned char tag[16],
    308. 

  308.                                     const unsigned char *input,
    309. 

  309.                                     unsigned char *output)
    310. 

  310. {
    311. 

  311.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    312. 

  312.     unsigned char check_tag[16];
    313. 

  313.     size_t i;
    314. 

  314.     int diff;
    315. 

  315. 

  316.     if ((ret = chachapoly_crypt_and_tag(ctx,
    317. 

  317.                                         MBEDTLS_CHACHAPOLY_DECRYPT, length, nonce,
    318. 

  318.                                         aad, aad_len, input, output, check_tag)) != 0) {
    319. 

  319.         return ret;
    320. 

  320.     }
    321. 

  321. 

  322.     /* Check tag in "constant-time" */
    323. 

  323.     for (diff = 0, i = 0; i < sizeof(check_tag); i++) {
    324. 

  324.         diff |= tag[i] ^ check_tag[i];
    325. 

  325.     }
    326. 

  326. 

  327.     if (diff != 0) {
    328. 

  328.         mbedtls_platform_zeroize(output, length);
    329. 

  329.         return MBEDTLS_ERR_CHACHAPOLY_AUTH_FAILED;
    330. 

  330.     }
    331. 

  331. 

  332.     return 0;
    333. 

  333. }
    334. 

  334. 

  335. #endif /* MBEDTLS_CHACHAPOLY_ALT */
    336. 

  336. 

  337. #if defined(MBEDTLS_SELF_TEST)
    338. 

  338. 

  339. static const unsigned char test_key[1][32] =
    340. 

  340. {
    341. 

  341.     {
    342. 

  342.         0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
    343. 

  343.         0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
    344. 

  344.         0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
    345. 

  345.         0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f
    346. 

  346.     }
    347. 

  347. };
    348. 

  348. 

  349. static const unsigned char test_nonce[1][12] =
    350. 

  350. {
    351. 

  351.     {
    352. 

  352.         0x07, 0x00, 0x00, 0x00,                         /* 32-bit common part */
    353. 

  353.         0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47  /* 64-bit IV */
    354. 

  354.     }
    355. 

  355. };
    356. 

  356. 

  357. static const unsigned char test_aad[1][12] =
    358. 

  358. {
    359. 

  359.     {
    360. 

  360.         0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3,
    361. 

  361.         0xc4, 0xc5, 0xc6, 0xc7
    362. 

  362.     }
    363. 

  363. };
    364. 

  364. 

  365. static const size_t test_aad_len[1] =
    366. 

  366. {
    367. 

  367.     12U
    368. 

  368. };
    369. 

  369. 

  370. static const unsigned char test_input[1][114] =
    371. 

  371. {
    372. 

  372.     {
    373. 

  373.         0x4c, 0x61, 0x64, 0x69, 0x65, 0x73, 0x20, 0x61,
    374. 

  374.         0x6e, 0x64, 0x20, 0x47, 0x65, 0x6e, 0x74, 0x6c,
    375. 

  375.         0x65, 0x6d, 0x65, 0x6e, 0x20, 0x6f, 0x66, 0x20,
    376. 

  376.         0x74, 0x68, 0x65, 0x20, 0x63, 0x6c, 0x61, 0x73,
    377. 

  377.         0x73, 0x20, 0x6f, 0x66, 0x20, 0x27, 0x39, 0x39,
    378. 

  378.         0x3a, 0x20, 0x49, 0x66, 0x20, 0x49, 0x20, 0x63,
    379. 

  379.         0x6f, 0x75, 0x6c, 0x64, 0x20, 0x6f, 0x66, 0x66,
    380. 

  380.         0x65, 0x72, 0x20, 0x79, 0x6f, 0x75, 0x20, 0x6f,
    381. 

  381.         0x6e, 0x6c, 0x79, 0x20, 0x6f, 0x6e, 0x65, 0x20,
    382. 

  382.         0x74, 0x69, 0x70, 0x20, 0x66, 0x6f, 0x72, 0x20,
    383. 

  383.         0x74, 0x68, 0x65, 0x20, 0x66, 0x75, 0x74, 0x75,
    384. 

  384.         0x72, 0x65, 0x2c, 0x20, 0x73, 0x75, 0x6e, 0x73,
    385. 

  385.         0x63, 0x72, 0x65, 0x65, 0x6e, 0x20, 0x77, 0x6f,
    386. 

  386.         0x75, 0x6c, 0x64, 0x20, 0x62, 0x65, 0x20, 0x69,
    387. 

  387.         0x74, 0x2e
    388. 

  388.     }
    389. 

  389. };
    390. 

  390. 

  391. static const unsigned char test_output[1][114] =
    392. 

  392. {
    393. 

  393.     {
    394. 

  394.         0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb,
    395. 

  395.         0x7b, 0x86, 0xaf, 0xbc, 0x53, 0xef, 0x7e, 0xc2,
    396. 

  396.         0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
    397. 

  397.         0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6,
    398. 

  398.         0x3d, 0xbe, 0xa4, 0x5e, 0x8c, 0xa9, 0x67, 0x12,
    399. 

  399.         0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
    400. 

  400.         0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29,
    401. 

  401.         0x05, 0xd6, 0xa5, 0xb6, 0x7e, 0xcd, 0x3b, 0x36,
    402. 

  402.         0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
    403. 

  403.         0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58,
    404. 

  404.         0xfa, 0xb3, 0x24, 0xe4, 0xfa, 0xd6, 0x75, 0x94,
    405. 

  405.         0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
    406. 

  406.         0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d,
    407. 

  407.         0xe5, 0x76, 0xd2, 0x65, 0x86, 0xce, 0xc6, 0x4b,
    408. 

  408.         0x61, 0x16
    409. 

  409.     }
    410. 

  410. };
    411. 

  411. 

  412. static const size_t test_input_len[1] =
    413. 

  413. {
    414. 

  414.     114U
    415. 

  415. };
    416. 

  416. 

  417. static const unsigned char test_mac[1][16] =
    418. 

  418. {
    419. 

  419.     {
    420. 

  420.         0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
    421. 

  421.         0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91
    422. 

  422.     }
    423. 

  423. };
    424. 

  424. 

  425. /* Make sure no other definition is already present. */
    426. 

  426. #undef ASSERT
    427. 

  427. 

  428. #define ASSERT(cond, args)            \
    429. 

  429.     do                                  \
    430. 

  430.     {                                   \
    431. 

  431.         if (!(cond))                \
    432. 

  432.         {                               \
    433. 

  433.             if (verbose != 0)          \
    434. 

  434.             mbedtls_printf args;    \
    435. 

  435.                                         \
    436. 

  436.             return -1;               \
    437. 

  437.         }                               \
    438. 

  438.     }                                   \
    439. 

  439.     while (0)
    440. 

  440. 

  441. int mbedtls_chachapoly_self_test(int verbose)
    442. 

  442. {
    443. 

  443.     mbedtls_chachapoly_context ctx;
    444. 

  444.     unsigned i;
    445. 

  445.     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
    446. 

  446.     unsigned char output[200];
    447. 

  447.     unsigned char mac[16];
    448. 

  448. 

  449.     for (i = 0U; i < 1U; i++) {
    450. 

  450.         if (verbose != 0) {
    451. 

  451.             mbedtls_printf("  ChaCha20-Poly1305 test %u ", i);
    452. 

  452.         }
    453. 

  453. 

  454.         mbedtls_chachapoly_init(&ctx);
    455. 

  455. 

  456.         ret = mbedtls_chachapoly_setkey(&ctx, test_key[i]);
    457. 

  457.         ASSERT(0 == ret, ("setkey() error code: %i\n", ret));
    458. 

  458. 

  459.         ret = mbedtls_chachapoly_encrypt_and_tag(&ctx,
    460. 

  460.                                                  test_input_len[i],
    461. 

  461.                                                  test_nonce[i],
    462. 

  462.                                                  test_aad[i],
    463. 

  463.                                                  test_aad_len[i],
    464. 

  464.                                                  test_input[i],
    465. 

  465.                                                  output,
    466. 

  466.                                                  mac);
    467. 

  467. 

  468.         ASSERT(0 == ret, ("crypt_and_tag() error code: %i\n", ret));
    469. 

  469. 

  470.         ASSERT(0 == memcmp(output, test_output[i], test_input_len[i]),
    471. 

  471.                ("failure (wrong output)\n"));
    472. 

  472. 

  473.         ASSERT(0 == memcmp(mac, test_mac[i], 16U),
    474. 

  474.                ("failure (wrong MAC)\n"));
    475. 

  475. 

  476.         mbedtls_chachapoly_free(&ctx);
    477. 

  477. 

  478.         if (verbose != 0) {
    479. 

  479.             mbedtls_printf("passed\n");
    480. 

  480.         }
    481. 

  481.     }
    482. 

  482. 

  483.     if (verbose != 0) {
    484. 

  484.         mbedtls_printf("\n");
    485. 

  485.     }
    486. 

  486. 

  487.     return 0;
    488. 

  488. }
    489. 

  489. 

  490. #endif /* MBEDTLS_SELF_TEST */
    491. 

  491. 

  492. #endif /* MBEDTLS_CHACHAPOLY_C */
    493.