]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/poly1305/poly1305.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Add reference ChaCha20 and Poly1305 implementations.
[thirdparty/openssl.git] / crypto / poly1305 / poly1305.c
1 /* ====================================================================
2 * Copyright (c) 2015 The OpenSSL Project. All rights reserved.
3 *
4 * Rights for redistribution and usage in source and binary
5 * forms are granted according to the OpenSSL license.
6 */
7
8 #include <stdlib.h>
9 #include <string.h>
10
11 #include "internal/poly1305.h"
12
13 typedef void (*poly1305_blocks_f) (void *ctx, const unsigned char *inp,
14 size_t len, unsigned int padbit);
15 typedef void (*poly1305_emit_f) (void *ctx, unsigned char mac[16],
16 const unsigned int nonce[4]);
17
18 struct poly1305_context {
19 double opaque[24]; /* large enough to hold internal state, declared
20 * 'double' to ensure at least 64-bit invariant
21 * alignment across all platforms and
22 * configurations */
23 unsigned int nonce[4];
24 unsigned char data[POLY1305_BLOCK_SIZE];
25 size_t num;
26 struct {
27 poly1305_blocks_f blocks;
28 poly1305_emit_f emit;
29 } func;
30 };
31
32 size_t Poly1305_ctx_size ()
33 {
34 return sizeof(struct poly1305_context);
35 }
36
37 /* pick 32-bit unsigned integer in little endian order */
38 static unsigned int U8TOU32(const unsigned char *p)
39 {
40 return (((unsigned int)(p[0] & 0xff)) |
41 ((unsigned int)(p[1] & 0xff) << 8) |
42 ((unsigned int)(p[2] & 0xff) << 16) |
43 ((unsigned int)(p[3] & 0xff) << 24));
44 }
45
46 /*
47 * Implementations can be classified by amount of significant bits in
48 * words making up the multi-precision value, or in other words radix
49 * or base of numerical representation, e.g. base 2^64, base 2^32,
50 * base 2^26. Complementary characteristic is how wide is the result of
51 * multiplication of pair of digits, e.g. it would take 128 bits to
52 * accommodate multiplication result in base 2^64 case. These are used
53 * interchangeably. To describe implementation that is. But interface
54 * is designed to isolate this so that low-level primitives implemented
55 * in assembly can be self-contained/self-coherent.
56 */
57 #ifndef POLY1305_ASM
58 /*
59 * Even though there is __int128 reference implementation targeting
60 * 64-bit platforms provided below, it's not obvious that it's optimal
61 * choice for every one of them. Depending on instruction set overall
62 * amount of instructions can be comparable to one in __int64
63 * implementation. Amount of multiplication instructions would be lower,
64 * but not necessarily overall. And in out-of-order execution context,
65 * it is the latter that can be crucial...
66 *
67 * On related note. Poly1305 author, D. J. Bernstein, discusses and
68 * provides floating-point implementations of the algorithm in question.
69 * It made a lot of sense by the time of introduction, because most
70 * then-modern processors didn't have pipelined integer multiplier.
71 * [Not to mention that some had non-constant timing for integer
72 * multiplications.] Floating-point instructions on the other hand could
73 * be issued every cycle, which allowed to achieve better performance.
74 * Nowadays, with SIMD and/or out-or-order execution, shared or
75 * even emulated FPU, it's more complicated, and floating-point
76 * implementation is not necessarily optimal choice in every situation,
77 * rather contrary...
78 *
79 * <appro@openssl.org>
80 */
81
82 typedef unsigned int u32;
83
84 /*
85 * poly1305_blocks processes a multiple of POLY1305_BLOCK_SIZE blocks
86 * of |inp| no longer than |len|. Behaviour for |len| not divisible by
87 * block size is unspecified in general case, even though in reference
88 * implementation the trailing chunk is simply ignored. Per algorithm
89 * specification, every input block, complete or last partial, is to be
90 * padded with a bit past most significant byte. The latter kind is then
91 * padded with zeros till block size. This last partial block padding
92 * is caller(*)'s responsibility, and because of this the last partial
93 * block is always processed with separate call with |len| set to
94 * POLY1305_BLOCK_SIZE and |padbit| to 0. In all other cases |padbit|
95 * should be set to 1 to perform implicit padding with 128th bit.
96 * poly1305_blocks does not actually check for this constraint though,
97 * it's caller(*)'s resposibility to comply.
98 *
99 * (*) In the context "caller" is not application code, but higher
100 * level Poly1305_* from this very module, so that quirks are
101 * handled locally.
102 */
103 static void
104 poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, u32 padbit);
105
106 /*
107 * Type-agnostic "rip-off" from constant_time_locl.h
108 */
109 # define CONSTANT_TIME_CARRY(a,b) ( \
110 (a ^ ((a ^ b) | ((a - b) ^ b))) >> (sizeof(a) * 8 - 1) \
111 )
112
113 # if !defined(PEDANTIC) && \
114 (defined(__SIZEOF_INT128__) && __SIZEOF_INT128__==16) && \
115 (defined(__SIZEOF_LONG__) && __SIZEOF_LONG__==8)
116
117 typedef unsigned long u64;
118 typedef unsigned __int128 u128;
119
120 typedef struct {
121 u64 h[3];
122 u64 r[2];
123 } poly1305_internal;
124
125 /* pick 32-bit unsigned integer in little endian order */
126 static u64 U8TOU64(const unsigned char *p)
127 {
128 return (((u64)(p[0] & 0xff)) |
129 ((u64)(p[1] & 0xff) << 8) |
130 ((u64)(p[2] & 0xff) << 16) |
131 ((u64)(p[3] & 0xff) << 24) |
132 ((u64)(p[4] & 0xff) << 32) |
133 ((u64)(p[5] & 0xff) << 40) |
134 ((u64)(p[6] & 0xff) << 48) |
135 ((u64)(p[7] & 0xff) << 56));
136 }
137
138 /* store a 32-bit unsigned integer in little endian */
139 static void U64TO8(unsigned char *p, u64 v)
140 {
141 p[0] = (unsigned char)((v) & 0xff);
142 p[1] = (unsigned char)((v >> 8) & 0xff);
143 p[2] = (unsigned char)((v >> 16) & 0xff);
144 p[3] = (unsigned char)((v >> 24) & 0xff);
145 p[4] = (unsigned char)((v >> 32) & 0xff);
146 p[5] = (unsigned char)((v >> 40) & 0xff);
147 p[6] = (unsigned char)((v >> 48) & 0xff);
148 p[7] = (unsigned char)((v >> 56) & 0xff);
149 }
150
151 static void poly1305_init(void *ctx, const unsigned char key[16])
152 {
153 poly1305_internal *st = (poly1305_internal *) ctx;
154
155 /* h = 0 */
156 st->h[0] = 0;
157 st->h[1] = 0;
158 st->h[2] = 0;
159
160 /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
161 st->r[0] = U8TOU64(&key[0]) & 0x0ffffffc0fffffff;
162 st->r[1] = U8TOU64(&key[8]) & 0x0ffffffc0ffffffc;
163 }
164
165 static void
166 poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, u32 padbit)
167 {
168 poly1305_internal *st = (poly1305_internal *)ctx;
169 u64 r0, r1;
170 u64 s1;
171 u64 h0, h1, h2, c;
172 u128 d0, d1;
173
174 r0 = st->r[0];
175 r1 = st->r[1];
176
177 s1 = r1 + (r1 >> 2);
178
179 h0 = st->h[0];
180 h1 = st->h[1];
181 h2 = st->h[2];
182
183 while (len >= POLY1305_BLOCK_SIZE) {
184 /* h += m[i] */
185 h0 = (u64)(d0 = (u128)h0 + U8TOU64(inp + 0));
186 h1 = (u64)(d1 = (u128)h1 + (d0 >> 64) + U8TOU64(inp + 8));
187 /*
188 * padbit can be zero only when original len was
189 * POLY1306_BLOCK_SIZE, but we don't check
190 */
191 h2 += (u64)(d1 >> 64) + padbit;
192
193 /* h *= r "%" p, where "%" stands for "partial remainder" */
194 d0 = ((u128)h0 * r0) +
195 ((u128)h1 * s1);
196 d1 = ((u128)h0 * r1) +
197 ((u128)h1 * r0) +
198 (h2 * s1);
199 h2 = (h2 * r0);
200
201 /* last reduction step: */
202 /* a) h2:h0 = h2<<128 + d1<<64 + d0 */
203 h0 = (u64)d0;
204 h1 = (u64)(d1 += d0 >> 64);
205 h2 += (u64)(d1 >> 64);
206 /* b) (h2:h0 += (h2:h0>>130) * 5) %= 2^130 */
207 c = (h2 >> 2) + (h2 & ~3UL);
208 h2 &= 3;
209 h0 += c;
210 h1 += (c = CONSTANT_TIME_CARRY(h0,c)); /* doesn't overflow */
211
212 inp += POLY1305_BLOCK_SIZE;
213 len -= POLY1305_BLOCK_SIZE;
214 }
215
216 st->h[0] = h0;
217 st->h[1] = h1;
218 st->h[2] = h2;
219 }
220
221 static void poly1305_emit(void *ctx, unsigned char mac[16],
222 const u32 nonce[4])
223 {
224 poly1305_internal *st = (poly1305_internal *) ctx;
225 u64 h0, h1, h2;
226 u64 g0, g1, g2;
227 u128 t;
228 u64 mask;
229
230 h0 = st->h[0];
231 h1 = st->h[1];
232 h2 = st->h[2];
233
234 /* compute h + -p */
235 g0 = (u64)(t = (u128)h0 + 5);
236 g1 = (u64)(t = (u128)h1 + (t >> 64));
237 g2 = h2 + (u64)(t >> 64);
238
239 /* if there was carry into 130th bit, h1:h0 = g1:g0 */
240 mask = 0 - (g2 >> 2);
241 g0 &= mask;
242 g1 &= mask;
243 mask = ~mask;
244 h0 = (h0 & mask) | g0;
245 h1 = (h1 & mask) | g1;
246
247 /* mac = (h + nonce) % (2^128) */
248 h0 = (u64)(t = (u128)h0 + nonce[0] + ((u64)nonce[1]<<32));
249 h1 = (u64)(t = (u128)h1 + nonce[2] + ((u64)nonce[3]<<32) + (t >> 64));
250
251 U64TO8(mac + 0, h0);
252 U64TO8(mac + 8, h1);
253 }
254
255 # else
256
257 # if defined(_WIN32) && !defined(__MINGW32__)
258 typedef unsigned __int64 u64;
259 # elif defined(__arch64__)
260 typedef unsigned long u64;
261 # else
262 typedef unsigned long long u64;
263 # endif
264
265 typedef struct {
266 u32 h[5];
267 u32 r[4];
268 } poly1305_internal;
269
270 /* store a 32-bit unsigned integer in little endian */
271 static void U32TO8(unsigned char *p, unsigned int v)
272 {
273 p[0] = (unsigned char)((v) & 0xff);
274 p[1] = (unsigned char)((v >> 8) & 0xff);
275 p[2] = (unsigned char)((v >> 16) & 0xff);
276 p[3] = (unsigned char)((v >> 24) & 0xff);
277 }
278
279 static void poly1305_init(void *ctx, const unsigned char key[16])
280 {
281 poly1305_internal *st = (poly1305_internal *) ctx;
282
283 /* h = 0 */
284 st->h[0] = 0;
285 st->h[1] = 0;
286 st->h[2] = 0;
287 st->h[3] = 0;
288 st->h[4] = 0;
289
290 /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
291 st->r[0] = U8TOU32(&key[0]) & 0x0fffffff;
292 st->r[1] = U8TOU32(&key[4]) & 0x0ffffffc;
293 st->r[2] = U8TOU32(&key[8]) & 0x0ffffffc;
294 st->r[3] = U8TOU32(&key[12]) & 0x0ffffffc;
295 }
296
297 static void
298 poly1305_blocks(void *ctx, const unsigned char *inp, size_t len, u32 padbit)
299 {
300 poly1305_internal *st = (poly1305_internal *)ctx;
301 u32 r0, r1, r2, r3;
302 u32 s1, s2, s3;
303 u32 h0, h1, h2, h3, h4, c;
304 u64 d0, d1, d2, d3;
305
306 r0 = st->r[0];
307 r1 = st->r[1];
308 r2 = st->r[2];
309 r3 = st->r[3];
310
311 s1 = r1 + (r1 >> 2);
312 s2 = r2 + (r2 >> 2);
313 s3 = r3 + (r3 >> 2);
314
315 h0 = st->h[0];
316 h1 = st->h[1];
317 h2 = st->h[2];
318 h3 = st->h[3];
319 h4 = st->h[4];
320
321 while (len >= POLY1305_BLOCK_SIZE) {
322 /* h += m[i] */
323 h0 = (u32)(d0 = (u64)h0 + U8TOU32(inp + 0));
324 h1 = (u32)(d1 = (u64)h1 + (d0 >> 32) + U8TOU32(inp + 4));
325 h2 = (u32)(d2 = (u64)h2 + (d1 >> 32) + U8TOU32(inp + 8));
326 h3 = (u32)(d3 = (u64)h3 + (d2 >> 32) + U8TOU32(inp + 12));
327 h4 += (u32)(d3 >> 32) + padbit;
328
329 /* h *= r "%" p, where "%" stands for "partial remainder" */
330 d0 = ((u64)h0 * r0) +
331 ((u64)h1 * s3) +
332 ((u64)h2 * s2) +
333 ((u64)h3 * s1);
334 d1 = ((u64)h0 * r1) +
335 ((u64)h1 * r0) +
336 ((u64)h2 * s3) +
337 ((u64)h3 * s2) +
338 (h4 * s1);
339 d2 = ((u64)h0 * r2) +
340 ((u64)h1 * r1) +
341 ((u64)h2 * r0) +
342 ((u64)h3 * s3) +
343 (h4 * s2);
344 d3 = ((u64)h0 * r3) +
345 ((u64)h1 * r2) +
346 ((u64)h2 * r1) +
347 ((u64)h3 * r0) +
348 (h4 * s3);
349 h4 = (h4 * r0);
350
351 /* last reduction step: */
352 /* a) h4:h0 = h4<<128 + d3<<96 + d2<<64 + d1<<32 + d0 */
353 h0 = (u32)d0;
354 h1 = (u32)(d1 += d0 >> 32);
355 h2 = (u32)(d2 += d1 >> 32);
356 h3 = (u32)(d3 += d2 >> 32);
357 h4 += (u32)(d3 >> 32);
358 /* b) (h4:h0 += (h4:h0>>130) * 5) %= 2^130 */
359 c = (h4 >> 2) + (h4 & ~3U);
360 h4 &= 3;
361 h0 += c;
362 h1 += (c = CONSTANT_TIME_CARRY(h0,c));
363 h2 += (c = CONSTANT_TIME_CARRY(h1,c));
364 h3 += (c = CONSTANT_TIME_CARRY(h2,c)); /* doesn't overflow */
365
366 inp += POLY1305_BLOCK_SIZE;
367 len -= POLY1305_BLOCK_SIZE;
368 }
369
370 st->h[0] = h0;
371 st->h[1] = h1;
372 st->h[2] = h2;
373 st->h[3] = h3;
374 st->h[4] = h4;
375 }
376
377 static void poly1305_emit(void *ctx, unsigned char mac[16],
378 const u32 nonce[4])
379 {
380 poly1305_internal *st = (poly1305_internal *) ctx;
381 u32 h0, h1, h2, h3, h4;
382 u32 g0, g1, g2, g3, g4;
383 u64 t;
384 u32 mask;
385
386 h0 = st->h[0];
387 h1 = st->h[1];
388 h2 = st->h[2];
389 h3 = st->h[3];
390 h4 = st->h[4];
391
392 /* compute h + -p */
393 g0 = (u32)(t = (u64)h0 + 5);
394 g1 = (u32)(t = (u64)h1 + (t >> 32));
395 g2 = (u32)(t = (u64)h2 + (t >> 32));
396 g3 = (u32)(t = (u64)h3 + (t >> 32));
397 g4 = h4 + (u32)(t >> 32);
398
399 /* if there was carry into 130th bit, h3:h0 = g3:g0 */
400 mask = 0 - (g4 >> 2);
401 g0 &= mask;
402 g1 &= mask;
403 g2 &= mask;
404 g3 &= mask;
405 mask = ~mask;
406 h0 = (h0 & mask) | g0;
407 h1 = (h1 & mask) | g1;
408 h2 = (h2 & mask) | g2;
409 h3 = (h3 & mask) | g3;
410
411 /* mac = (h + nonce) % (2^128) */
412 h0 = (u32)(t = (u64)h0 + nonce[0]);
413 h1 = (u32)(t = (u64)h1 + (t >> 32) + nonce[1]);
414 h2 = (u32)(t = (u64)h2 + (t >> 32) + nonce[2]);
415 h3 = (u32)(t = (u64)h3 + (t >> 32) + nonce[3]);
416
417 U32TO8(mac + 0, h0);
418 U32TO8(mac + 4, h1);
419 U32TO8(mac + 8, h2);
420 U32TO8(mac + 12, h3);
421 }
422 # endif
423 #else
424 int poly1305_init(void *ctx, const unsigned char key[16], void *func);
425 void poly1305_blocks(void *ctx, const unsigned char *inp, size_t len,
426 unsigned int padbit);
427 void poly1305_emit(void *ctx, unsigned char mac[16],
428 const unsigned int nonce[4]);
429 #endif
430
431 void Poly1305_Init(POLY1305 *ctx, const unsigned char key[32])
432 {
433 ctx->nonce[0] = U8TOU32(&key[16]);
434 ctx->nonce[1] = U8TOU32(&key[20]);
435 ctx->nonce[2] = U8TOU32(&key[24]);
436 ctx->nonce[3] = U8TOU32(&key[28]);
437
438 #ifndef POLY1305_ASM
439 poly1305_init(ctx->opaque, key);
440 #else
441 /*
442 * Unlike reference poly1305_init assembly counterpart is expected
443 * to return a value: non-zero if it initializes ctx->func, and zero
444 * otherwise. Latter is to simplify assembly in cases when there no
445 * multiple code paths to switch between.
446 */
447 if (!poly1305_init(ctx->opaque, key, &ctx->func)) {
448 ctx->func.blocks = poly1305_blocks;
449 ctx->func.emit = poly1305_emit;
450 }
451 #endif
452
453 ctx->num = 0;
454
455 }
456
457 void Poly1305_Update(POLY1305 *ctx, const unsigned char *inp, size_t len)
458 {
459 #ifdef POLY1305_ASM
460 /*
461 * As documented, poly1305_blocks is never called with input
462 * longer than single block and padbit argument set to 0. This
463 * property is fluently used in assembly modules to optimize
464 * padbit handling on loop boundary.
465 */
466 poly1305_blocks_f poly1305_blocks = ctx->func.blocks;
467 #endif
468 size_t rem, num;
469
470 if ((num = ctx->num)) {
471 rem = POLY1305_BLOCK_SIZE - num;
472 if (len >= rem) {
473 memcpy(ctx->data + num, inp, rem);
474 poly1305_blocks(ctx->opaque, ctx->data, POLY1305_BLOCK_SIZE, 1);
475 inp += rem;
476 len -= rem;
477 } else {
478 /* Still not enough data to process a block. */
479 memcpy(ctx->data + num, inp, len);
480 ctx->num = num + len;
481 return;
482 }
483 }
484
485 rem = len % POLY1305_BLOCK_SIZE;
486 len -= rem;
487
488 if (len >= POLY1305_BLOCK_SIZE) {
489 poly1305_blocks(ctx->opaque, inp, len, 1);
490 inp += len;
491 }
492
493 if (rem)
494 memcpy(ctx->data, inp, rem);
495
496 ctx->num = rem;
497 }
498
499 void Poly1305_Final(POLY1305 *ctx, unsigned char mac[16])
500 {
501 #ifdef POLY1305_ASM
502 poly1305_blocks_f poly1305_blocks = ctx->func.blocks;
503 poly1305_emit_f poly1305_emit = ctx->func.emit;
504 #endif
505 size_t num;
506
507 if ((num = ctx->num)) {
508 ctx->data[num++] = 1; /* pad bit */
509 while (num < POLY1305_BLOCK_SIZE)
510 ctx->data[num++] = 0;
511 poly1305_blocks(ctx->opaque, ctx->data, POLY1305_BLOCK_SIZE, 0);
512 }
513
514 poly1305_emit(ctx->opaque, mac, ctx->nonce);
515
516 /* zero out the state */
517 memset(ctx, 0, sizeof(*ctx));
518 }
519
520 #ifdef SELFTEST
521 #include <stdio.h>
522
523 struct poly1305_test {
524 const char *inputhex;
525 const char *keyhex;
526 const char *outhex;
527 };
528
529 static const struct poly1305_test poly1305_tests[] = {
530 /*
531 * RFC7539
532 */
533 {
534 "43727970746f6772617068696320466f72756d2052657365617263682047726f"
535 "7570",
536 "85d6be7857556d337f4452fe42d506a8""0103808afb0db2fd4abff6af4149f51b",
537 "a8061dc1305136c6c22b8baf0c0127a9"
538 },
539 /*
540 * test vectors from "The Poly1305-AES message-authentication code"
541 */
542 {
543 "f3f6",
544 "851fc40c3467ac0be05cc20404f3f700""580b3b0f9447bb1e69d095b5928b6dbc",
545 "f4c633c3044fc145f84f335cb81953de"
546 },
547 {
548 "",
549 "a0f3080000f46400d0c7e9076c834403""dd3fab2251f11ac759f0887129cc2ee7",
550 "dd3fab2251f11ac759f0887129cc2ee7"
551 },
552 {
553 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136",
554 "48443d0bb0d21109c89a100b5ce2c208""83149c69b561dd88298a1798b10716ef",
555 "0ee1c16bb73f0f4fd19881753c01cdbe"
556 },
557 {
558 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
559 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9",
560 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
561 "5154ad0d2cb26e01274fc51148491f1b"
562 },
563 /*
564 * self-generated
565 */
566 {
567 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
568 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af",
569 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
570 "812059a5da198637cac7c4a631bee466"
571 },
572 {
573 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
574 "990c62e48b8018b2c3e4a0fa3134cb67",
575 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
576 "5b88d7f6228b11e2e28579a5c0c1f761"
577 },
578 {
579 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
580 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
581 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136",
582 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
583 "bbb613b2b6d753ba07395b916aaece15"
584 },
585 {
586 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
587 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
588 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
589 "663cea190ffb83d89593f3f476b6bc24",
590 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
591 "c794d7057d1778c4bbee0a39b3d97342"
592 },
593 {
594 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
595 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
596 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
597 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136",
598 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
599 "ffbcb9b371423152d7fca5ad042fbaa9"
600 },
601 {
602 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
603 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
604 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
605 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136"
606 "812059a5da198637cac7c4a631bee466",
607 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
608 "069ed6b8ef0f207b3e243bb1019fe632"
609 },
610 {
611 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
612 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
613 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
614 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136"
615 "812059a5da198637cac7c4a631bee4665b88d7f6228b11e2e28579a5c0c1f761",
616 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
617 "cca339d9a45fa2368c2c68b3a4179133"
618 },
619 {
620 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
621 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
622 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
623 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136"
624 "812059a5da198637cac7c4a631bee4665b88d7f6228b11e2e28579a5c0c1f761"
625 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
626 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
627 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
628 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136",
629 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
630 "53f6e828a2f0fe0ee815bf0bd5841a34"
631 },
632 {
633 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
634 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
635 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
636 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136"
637 "812059a5da198637cac7c4a631bee4665b88d7f6228b11e2e28579a5c0c1f761"
638 "ab0812724a7f1e342742cbed374d94d136c6b8795d45b3819830f2c04491faf0"
639 "990c62e48b8018b2c3e4a0fa3134cb67fa83e158c994d961c4cb21095c1bf9af"
640 "48443d0bb0d21109c89a100b5ce2c20883149c69b561dd88298a1798b10716ef"
641 "663cea190ffb83d89593f3f476b6bc24d7e679107ea26adb8caf6652d0656136"
642 "812059a5da198637cac7c4a631bee4665b88d7f6228b11e2e28579a5c0c1f761",
643 "12976a08c4426d0ce8a82407c4f48207""80f8c20aa71202d1e29179cbcb555a57",
644 "b846d44e9bbd53cedffbfbb6b7fa4933"
645 },
646 {
647 /*
648 * poly1305_ieee754.c failed this in final stage
649 */
650 "842364e156336c0998b933a6237726180d9e3fdcbde4cd5d17080fc3beb49614"
651 "d7122c037463ff104d73f19c12704628d417c4c54a3fe30d3c3d7714382d43b0"
652 "382a50a5dee54be844b076e8df88201a1cd43b90eb21643fa96f39b518aa8340"
653 "c942ff3c31baf7c9bdbf0f31ae3fa096bf8c63030609829fe72e179824890bc8"
654 "e08c315c1cce2a83144dbbff09f74e3efc770b54d0984a8f19b14719e6363564"
655 "1d6b1eedf63efbf080e1783d32445412114c20de0b837a0dfa33d6b82825fff4"
656 "4c9a70ea54ce47f07df698e6b03323b53079364a5fc3e9dd034392bdde86dccd"
657 "da94321c5e44060489336cb65bf3989c36f7282c2f5d2b882c171e74",
658 "95d5c005503e510d8cd0aa072c4a4d06""6eabc52d11653df47fbf63ab198bcc26",
659 "f248312e578d9d58f8b7bb4d19105431"
660 },
661 /*
662 * test vectors from Google
663 */
664 {
665 "",
666 "c8afaac331ee372cd6082de134943b17""4710130e9f6fea8d72293850a667d86c",
667 "4710130e9f6fea8d72293850a667d86c",
668 },
669 {
670 "48656c6c6f20776f726c6421",
671 "746869732069732033322d6279746520""6b657920666f7220506f6c7931333035",
672 "a6f745008f81c916a20dcc74eef2b2f0"
673 },
674 {
675 "0000000000000000000000000000000000000000000000000000000000000000",
676 "746869732069732033322d6279746520""6b657920666f7220506f6c7931333035",
677 "49ec78090e481ec6c26b33b91ccc0307"
678 },
679 /*
680 * test vectors from Andrew Moon
681 */
682 { /* nacl */
683 "8e993b9f48681273c29650ba32fc76ce48332ea7164d96a4476fb8c531a1186a"
684 "c0dfc17c98dce87b4da7f011ec48c97271d2c20f9b928fe2270d6fb863d51738"
685 "b48eeee314a7cc8ab932164548e526ae90224368517acfeabd6bb3732bc0e9da"
686 "99832b61ca01b6de56244a9e88d5f9b37973f622a43d14a6599b1f654cb45a74"
687 "e355a5",
688 "eea6a7251c1e72916d11c2cb214d3c25""2539121d8e234e652d651fa4c8cff880",
689 "f3ffc7703f9400e52a7dfb4b3d3305d9"
690 },
691 { /* wrap 2^130-5 */
692 "ffffffffffffffffffffffffffffffff",
693 "02000000000000000000000000000000""00000000000000000000000000000000",
694 "03000000000000000000000000000000"
695 },
696 { /* wrap 2^128 */
697 "02000000000000000000000000000000",
698 "02000000000000000000000000000000""ffffffffffffffffffffffffffffffff",
699 "03000000000000000000000000000000"
700 },
701 { /* limb carry */
702 "fffffffffffffffffffffffffffffffff0ffffffffffffffffffffffffffffff"
703 "11000000000000000000000000000000",
704 "01000000000000000000000000000000""00000000000000000000000000000000",
705 "05000000000000000000000000000000"
706 },
707 { /* 2^130-5 */
708 "fffffffffffffffffffffffffffffffffbfefefefefefefefefefefefefefefe"
709 "01010101010101010101010101010101",
710 "01000000000000000000000000000000""00000000000000000000000000000000",
711 "00000000000000000000000000000000"
712 },
713 { /* 2^130-6 */
714 "fdffffffffffffffffffffffffffffff",
715 "02000000000000000000000000000000""00000000000000000000000000000000",
716 "faffffffffffffffffffffffffffffff"
717 },
718 { /* 5*H+L reduction intermediate */
719 "e33594d7505e43b900000000000000003394d7505e4379cd0100000000000000"
720 "0000000000000000000000000000000001000000000000000000000000000000",
721 "01000000000000000400000000000000""00000000000000000000000000000000",
722 "14000000000000005500000000000000"
723 },
724 { /* 5*H+L reduction final */
725 "e33594d7505e43b900000000000000003394d7505e4379cd0100000000000000"
726 "00000000000000000000000000000000",
727 "01000000000000000400000000000000""00000000000000000000000000000000",
728 "13000000000000000000000000000000"
729 }
730 };
731
732 static unsigned char hex_digit(char h)
733 {
734 if (h >= '0' && h <= '9')
735 return h - '0';
736 else if (h >= 'a' && h <= 'f')
737 return h - 'a' + 10;
738 else if (h >= 'A' && h <= 'F')
739 return h - 'A' + 10;
740 else
741 abort();
742 }
743
744 static void hex_decode(unsigned char *out, const char *hex)
745 {
746 size_t j = 0;
747
748 while (*hex != 0) {
749 unsigned char v = hex_digit(*hex++);
750 v <<= 4;
751 v |= hex_digit(*hex++);
752 out[j++] = v;
753 }
754 }
755
756 static void hexdump(unsigned char *a, size_t len)
757 {
758 size_t i;
759
760 for (i = 0; i < len; i++)
761 printf("%02x", a[i]);
762 }
763
764 int main()
765 {
766 static const unsigned num_tests =
767 sizeof(poly1305_tests) / sizeof(struct poly1305_test);
768 unsigned i;
769 unsigned char key[32], out[16], expected[16];
770 POLY1305 poly1305;
771
772 for (i = 0; i < num_tests; i++) {
773 const struct poly1305_test *test = &poly1305_tests[i];
774 unsigned char *in;
775 size_t inlen = strlen(test->inputhex);
776
777 if (strlen(test->keyhex) != sizeof(key) * 2 ||
778 strlen(test->outhex) != sizeof(out) * 2 || (inlen & 1) == 1)
779 return 1;
780
781 inlen /= 2;
782
783 hex_decode(key, test->keyhex);
784 hex_decode(expected, test->outhex);
785
786 in = malloc(inlen);
787
788 hex_decode(in, test->inputhex);
789
790 Poly1305_Init(&poly1305, key);
791 Poly1305_Update(&poly1305, in, inlen);
792 Poly1305_Final(&poly1305, out);
793
794 if (memcmp(out, expected, sizeof(expected)) != 0) {
795 printf("Poly1305 test #%d failed.\n", i);
796 printf("got: ");
797 hexdump(out, sizeof(out));
798 printf("\nexpected: ");
799 hexdump(expected, sizeof(expected));
800 printf("\n");
801 return 1;
802 }
803
804 if (inlen > 16) {
805 Poly1305_Init(&poly1305, key);
806 Poly1305_Update(&poly1305, in, 1);
807 Poly1305_Update(&poly1305, in+1, inlen-1);
808 Poly1305_Final(&poly1305, out);
809
810 if (memcmp(out, expected, sizeof(expected)) != 0) {
811 printf("Poly1305 test #%d/1+(N-1) failed.\n", i);
812 printf("got: ");
813 hexdump(out, sizeof(out));
814 printf("\nexpected: ");
815 hexdump(expected, sizeof(expected));
816 printf("\n");
817 return 1;
818 }
819 }
820
821 if (inlen > 32) {
822 size_t half = inlen / 2;
823
824 Poly1305_Init(&poly1305, key);
825 Poly1305_Update(&poly1305, in, half);
826 Poly1305_Update(&poly1305, in+half, inlen-half);
827 Poly1305_Final(&poly1305, out);
828
829 if (memcmp(out, expected, sizeof(expected)) != 0) {
830 printf("Poly1305 test #%d/2 failed.\n", i);
831 printf("got: ");
832 hexdump(out, sizeof(out));
833 printf("\nexpected: ");
834 hexdump(expected, sizeof(expected));
835 printf("\n");
836 return 1;
837 }
838 }
839
840 free(in);
841 }
842
843 printf("PASS\n");
844
845 # ifdef OPENSSL_CPUID_OBJ
846 {
847 unsigned char buf[8192];
848 unsigned long long stopwatch;
849 unsigned long long OPENSSL_rdtsc();
850
851 memset (buf,0x55,sizeof(buf));
852 memset (key,0xAA,sizeof(key));
853
854 Poly1305_Init(&poly1305, key);
855
856 for (i=0;i<100000;i++)
857 Poly1305_Update(&poly1305,buf,sizeof(buf));
858
859 stopwatch = OPENSSL_rdtsc();
860 for (i=0;i<10000;i++)
861 Poly1305_Update(&poly1305,buf,sizeof(buf));
862 stopwatch = OPENSSL_rdtsc() - stopwatch;
863
864 printf("%g\n",stopwatch/(double)(i*sizeof(buf)));
865
866 stopwatch = OPENSSL_rdtsc();
867 for (i=0;i<10000;i++) {
868 Poly1305_Init(&poly1305, key);
869 Poly1305_Update(&poly1305,buf,16);
870 Poly1305_Final(&poly1305,buf);
871 }
872 stopwatch = OPENSSL_rdtsc() - stopwatch;
873
874 printf("%g\n",stopwatch/(double)(i));
875 }
876 # endif
877 return 0;
878 }
879 #endif
A mirror of the official openssl repository