Misc style adjustments
- fix some whitespace - fix most overlong lines - remove some superfluous parentheses - s/result/ret/ for consistency with the rest of the library
This commit is contained in:
parent
98fae6d800
commit
1729789075
3 changed files with 189 additions and 182 deletions
|
@ -55,7 +55,8 @@
|
|||
| (uint32_t) ( (uint32_t) data[( offset ) + 3] << 24 ) \
|
||||
)
|
||||
|
||||
#define ROTL32( value, amount ) ( (uint32_t) ( value << amount ) | ( value >> ( 32 - amount ) ) )
|
||||
#define ROTL32( value, amount ) \
|
||||
( (uint32_t) ( value << amount ) | ( value >> ( 32 - amount ) ) )
|
||||
|
||||
#define CHACHA20_CTR_INDEX ( 12U )
|
||||
|
||||
|
@ -127,7 +128,7 @@ static void chacha20_inner_block( uint32_t state[16] )
|
|||
/**
|
||||
* \brief Generates a keystream block.
|
||||
*
|
||||
* \param initial_state The initial ChaCha20 state (containing the key, nonce, counter).
|
||||
* \param initial_state The initial ChaCha20 state (key, nonce, counter).
|
||||
* \param keystream Generated keystream bytes are written to this buffer.
|
||||
*/
|
||||
static void chacha20_block( const uint32_t initial_state[16],
|
||||
|
@ -140,19 +141,19 @@ static void chacha20_block( const uint32_t initial_state[16],
|
|||
initial_state,
|
||||
CHACHA20_BLOCK_SIZE_BYTES );
|
||||
|
||||
for ( i = 0U; i < 10U; i++ )
|
||||
for( i = 0U; i < 10U; i++ )
|
||||
chacha20_inner_block( working_state );
|
||||
|
||||
working_state[0] += initial_state[0];
|
||||
working_state[1] += initial_state[1];
|
||||
working_state[2] += initial_state[2];
|
||||
working_state[3] += initial_state[3];
|
||||
working_state[4] += initial_state[4];
|
||||
working_state[5] += initial_state[5];
|
||||
working_state[6] += initial_state[6];
|
||||
working_state[7] += initial_state[7];
|
||||
working_state[8] += initial_state[8];
|
||||
working_state[9] += initial_state[9];
|
||||
working_state[ 0] += initial_state[ 0];
|
||||
working_state[ 1] += initial_state[ 1];
|
||||
working_state[ 2] += initial_state[ 2];
|
||||
working_state[ 3] += initial_state[ 3];
|
||||
working_state[ 4] += initial_state[ 4];
|
||||
working_state[ 5] += initial_state[ 5];
|
||||
working_state[ 6] += initial_state[ 6];
|
||||
working_state[ 7] += initial_state[ 7];
|
||||
working_state[ 8] += initial_state[ 8];
|
||||
working_state[ 9] += initial_state[ 9];
|
||||
working_state[10] += initial_state[10];
|
||||
working_state[11] += initial_state[11];
|
||||
working_state[12] += initial_state[12];
|
||||
|
@ -160,14 +161,14 @@ static void chacha20_block( const uint32_t initial_state[16],
|
|||
working_state[14] += initial_state[14];
|
||||
working_state[15] += initial_state[15];
|
||||
|
||||
for ( i = 0U; i < 16; i++ )
|
||||
for( i = 0U; i < 16; i++ )
|
||||
{
|
||||
size_t offset = i * 4U;
|
||||
|
||||
keystream[offset ] = (unsigned char) working_state[i];
|
||||
keystream[offset + 1U] = (unsigned char) ( working_state[i] >> 8 );
|
||||
keystream[offset + 2U] = (unsigned char) ( working_state[i] >> 16 );
|
||||
keystream[offset + 3U] = (unsigned char) ( working_state[i] >> 24 );
|
||||
keystream[offset ] = (unsigned char)( working_state[i] );
|
||||
keystream[offset + 1U] = (unsigned char)( working_state[i] >> 8 );
|
||||
keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 );
|
||||
keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 );
|
||||
}
|
||||
|
||||
mbedtls_platform_zeroize( working_state, sizeof( working_state ) );
|
||||
|
@ -175,7 +176,7 @@ static void chacha20_block( const uint32_t initial_state[16],
|
|||
|
||||
void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx )
|
||||
{
|
||||
if ( ctx != NULL )
|
||||
if( ctx != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ctx->state, sizeof( ctx->state ) );
|
||||
mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) );
|
||||
|
@ -187,7 +188,7 @@ void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx )
|
|||
|
||||
void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx )
|
||||
{
|
||||
if ( ctx != NULL )
|
||||
if( ctx != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_chacha20_context ) );
|
||||
}
|
||||
|
@ -196,7 +197,7 @@ void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx )
|
|||
int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx,
|
||||
const unsigned char key[32] )
|
||||
{
|
||||
if ( ( ctx == NULL ) || ( key == NULL ) )
|
||||
if( ( ctx == NULL ) || ( key == NULL ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
|
||||
}
|
||||
|
@ -224,7 +225,7 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx,
|
|||
const unsigned char nonce[12],
|
||||
uint32_t counter )
|
||||
{
|
||||
if ( ( ctx == NULL ) || ( nonce == NULL ) )
|
||||
if( ( ctx == NULL ) || ( nonce == NULL ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
|
||||
}
|
||||
|
@ -253,20 +254,21 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
|
|||
size_t offset = 0U;
|
||||
size_t i;
|
||||
|
||||
if ( ctx == NULL )
|
||||
if( ctx == NULL )
|
||||
{
|
||||
return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
|
||||
}
|
||||
else if ( ( size > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) )
|
||||
else if( ( size > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) )
|
||||
{
|
||||
/* input and output pointers are allowed to be NULL only if size == 0 */
|
||||
return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
/* Use leftover keystream bytes, if available */
|
||||
while ( ( size > 0U ) && ( ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES ) )
|
||||
while( size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES )
|
||||
{
|
||||
output[offset] = input[offset] ^ ctx->keystream8[ctx->keystream_bytes_used];
|
||||
output[offset] = input[offset]
|
||||
^ ctx->keystream8[ctx->keystream_bytes_used];
|
||||
|
||||
ctx->keystream_bytes_used++;
|
||||
offset++;
|
||||
|
@ -274,22 +276,22 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
|
|||
}
|
||||
|
||||
/* Process full blocks */
|
||||
while ( size >= CHACHA20_BLOCK_SIZE_BYTES )
|
||||
while( size >= CHACHA20_BLOCK_SIZE_BYTES )
|
||||
{
|
||||
/* Generate new keystream block and increment counter */
|
||||
chacha20_block( ctx->state, ctx->keystream8 );
|
||||
ctx->state[CHACHA20_CTR_INDEX]++;
|
||||
|
||||
for ( i = 0U; i < 64U; i += 8U )
|
||||
for( i = 0U; i < 64U; i += 8U )
|
||||
{
|
||||
output[offset + i ] = input[offset + i ] ^ ctx->keystream8[i ];
|
||||
output[offset + i + 1U ] = input[offset + i + 1U ] ^ ctx->keystream8[i + 1U ];
|
||||
output[offset + i + 2U ] = input[offset + i + 2U ] ^ ctx->keystream8[i + 2U ];
|
||||
output[offset + i + 3U ] = input[offset + i + 3U ] ^ ctx->keystream8[i + 3U ];
|
||||
output[offset + i + 4U ] = input[offset + i + 4U ] ^ ctx->keystream8[i + 4U ];
|
||||
output[offset + i + 5U ] = input[offset + i + 5U ] ^ ctx->keystream8[i + 5U ];
|
||||
output[offset + i + 6U ] = input[offset + i + 6U ] ^ ctx->keystream8[i + 6U ];
|
||||
output[offset + i + 7U ] = input[offset + i + 7U ] ^ ctx->keystream8[i + 7U ];
|
||||
output[offset + i ] = input[offset + i ] ^ ctx->keystream8[i ];
|
||||
output[offset + i+1] = input[offset + i+1] ^ ctx->keystream8[i+1];
|
||||
output[offset + i+2] = input[offset + i+2] ^ ctx->keystream8[i+2];
|
||||
output[offset + i+3] = input[offset + i+3] ^ ctx->keystream8[i+3];
|
||||
output[offset + i+4] = input[offset + i+4] ^ ctx->keystream8[i+4];
|
||||
output[offset + i+5] = input[offset + i+5] ^ ctx->keystream8[i+5];
|
||||
output[offset + i+6] = input[offset + i+6] ^ ctx->keystream8[i+6];
|
||||
output[offset + i+7] = input[offset + i+7] ^ ctx->keystream8[i+7];
|
||||
}
|
||||
|
||||
offset += CHACHA20_BLOCK_SIZE_BYTES;
|
||||
|
@ -297,13 +299,13 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx,
|
|||
}
|
||||
|
||||
/* Last (partial) block */
|
||||
if ( size > 0U )
|
||||
if( size > 0U )
|
||||
{
|
||||
/* Generate new keystream block and increment counter */
|
||||
chacha20_block( ctx->state, ctx->keystream8 );
|
||||
ctx->state[CHACHA20_CTR_INDEX]++;
|
||||
|
||||
for ( i = 0U; i < size; i++)
|
||||
for( i = 0U; i < size; i++)
|
||||
{
|
||||
output[offset + i] = input[offset + i] ^ ctx->keystream8[i];
|
||||
}
|
||||
|
@ -323,23 +325,23 @@ int mbedtls_chacha20_crypt( const unsigned char key[32],
|
|||
unsigned char* output )
|
||||
{
|
||||
mbedtls_chacha20_context ctx;
|
||||
int result;
|
||||
int ret;
|
||||
|
||||
mbedtls_chacha20_init( &ctx );
|
||||
|
||||
result = mbedtls_chacha20_setkey( &ctx, key );
|
||||
if ( result != 0 )
|
||||
ret = mbedtls_chacha20_setkey( &ctx, key );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_chacha20_starts( &ctx, nonce, counter );
|
||||
if ( result != 0 )
|
||||
ret = mbedtls_chacha20_starts( &ctx, nonce, counter );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_chacha20_update( &ctx, data_len, input, output );
|
||||
ret = mbedtls_chacha20_update( &ctx, data_len, input, output );
|
||||
|
||||
cleanup:
|
||||
mbedtls_chacha20_free( &ctx );
|
||||
return( result );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* !MBEDTLS_CHACHA20_ALT */
|
||||
|
@ -529,21 +531,21 @@ int mbedtls_chacha20_self_test( int verbose )
|
|||
{
|
||||
unsigned char output[381];
|
||||
unsigned i;
|
||||
int result;
|
||||
int ret;
|
||||
|
||||
for( i = 0U; i < 2U; i++ )
|
||||
{
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( " ChaCha20 test %u ", i );
|
||||
|
||||
result = mbedtls_chacha20_crypt( test_keys[i],
|
||||
test_nonces[i],
|
||||
test_counters[i],
|
||||
test_lengths[i],
|
||||
test_input[i],
|
||||
output );
|
||||
ret = mbedtls_chacha20_crypt( test_keys[i],
|
||||
test_nonces[i],
|
||||
test_counters[i],
|
||||
test_lengths[i],
|
||||
test_input[i],
|
||||
output );
|
||||
|
||||
ASSERT( 0 == result, ( "error code: %i\n", result ) );
|
||||
ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
|
||||
|
||||
ASSERT( 0 == memcmp( output, test_output[i], test_lengths[i] ),
|
||||
( "failed (output)\n" ) );
|
||||
|
|
|
@ -50,7 +50,7 @@
|
|||
#define CHACHAPOLY_STATE_FINISHED ( 3 )
|
||||
|
||||
/**
|
||||
* \brief Adds padding bytes (zeroes) to pad the AAD for Poly1305.
|
||||
* \brief Adds nul bytes to pad the AAD for Poly1305.
|
||||
*
|
||||
* \param ctx The ChaCha20-Poly1305 context.
|
||||
*/
|
||||
|
@ -59,7 +59,7 @@ static void chachapoly_pad_aad( mbedtls_chachapoly_context *ctx )
|
|||
uint32_t partial_block_len = (uint32_t) ( ctx->aad_len % 16U );
|
||||
unsigned char zeroes[15];
|
||||
|
||||
if ( partial_block_len > 0U )
|
||||
if( partial_block_len > 0U )
|
||||
{
|
||||
memset( zeroes, 0, sizeof( zeroes ) );
|
||||
(void) mbedtls_poly1305_update( &ctx->poly1305_ctx,
|
||||
|
@ -69,7 +69,7 @@ static void chachapoly_pad_aad( mbedtls_chachapoly_context *ctx )
|
|||
}
|
||||
|
||||
/**
|
||||
* \brief Adds padding bytes (zeroes) to pad the ciphertext for Poly1305.
|
||||
* \brief Adds nul bytes to pad the ciphertext for Poly1305.
|
||||
*
|
||||
* \param ctx The ChaCha20-Poly1305 context.
|
||||
*/
|
||||
|
@ -78,7 +78,7 @@ static void chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx )
|
|||
uint32_t partial_block_len = (uint32_t) ( ctx->ciphertext_len % 16U );
|
||||
unsigned char zeroes[15];
|
||||
|
||||
if ( partial_block_len > 0U )
|
||||
if( partial_block_len > 0U )
|
||||
{
|
||||
memset( zeroes, 0, sizeof( zeroes ) );
|
||||
(void) mbedtls_poly1305_update( &ctx->poly1305_ctx,
|
||||
|
@ -89,7 +89,7 @@ static void chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx )
|
|||
|
||||
void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
|
||||
{
|
||||
if ( ctx != NULL )
|
||||
if( ctx != NULL )
|
||||
{
|
||||
mbedtls_chacha20_init( &ctx->chacha20_ctx );
|
||||
mbedtls_poly1305_init( &ctx->poly1305_ctx );
|
||||
|
@ -102,7 +102,7 @@ void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx )
|
|||
|
||||
void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx )
|
||||
{
|
||||
if ( ctx != NULL )
|
||||
if( ctx != NULL )
|
||||
{
|
||||
mbedtls_chacha20_free( &ctx->chacha20_ctx );
|
||||
mbedtls_poly1305_free( &ctx->poly1305_ctx );
|
||||
|
@ -116,49 +116,49 @@ void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx )
|
|||
int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx,
|
||||
const unsigned char key[32] )
|
||||
{
|
||||
int result;
|
||||
int ret;
|
||||
|
||||
if ( ( ctx == NULL ) || ( key == NULL ) )
|
||||
if( ( ctx == NULL ) || ( key == NULL ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
result = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
|
||||
ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key );
|
||||
|
||||
return( result );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
|
||||
const unsigned char nonce[12],
|
||||
mbedtls_chachapoly_mode_t mode )
|
||||
{
|
||||
int result;
|
||||
int ret;
|
||||
unsigned char poly1305_key[64];
|
||||
|
||||
if ( ( ctx == NULL ) || ( nonce == NULL ) )
|
||||
if( ( ctx == NULL ) || ( nonce == NULL ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
/* Set counter = 0, will be update to 1 when generating Poly1305 key */
|
||||
result = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
|
||||
if ( result != 0 )
|
||||
ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
/* Generate the Poly1305 key by getting the ChaCha20 keystream output with counter = 0.
|
||||
* This is the same as encrypting a buffer of zeroes.
|
||||
/* Generate the Poly1305 key by getting the ChaCha20 keystream output with
|
||||
* counter = 0. This is the same as encrypting a buffer of zeroes.
|
||||
* Only the first 256-bits (32 bytes) of the key is used for Poly1305.
|
||||
* The other 256 bits are discarded.
|
||||
*/
|
||||
memset( poly1305_key, 0, sizeof( poly1305_key ) );
|
||||
result = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ),
|
||||
ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ),
|
||||
poly1305_key, poly1305_key );
|
||||
if ( result != 0 )
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key );
|
||||
ret = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key );
|
||||
|
||||
if ( result == 0 )
|
||||
if( ret == 0 )
|
||||
{
|
||||
ctx->aad_len = 0U;
|
||||
ctx->ciphertext_len = 0U;
|
||||
|
@ -168,23 +168,23 @@ int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx,
|
|||
|
||||
cleanup:
|
||||
mbedtls_platform_zeroize( poly1305_key, 64U );
|
||||
return( result );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx,
|
||||
const unsigned char *aad,
|
||||
size_t aad_len )
|
||||
{
|
||||
if ( ctx == NULL )
|
||||
if( ctx == NULL )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
else if ( ( aad_len > 0U ) && ( aad == NULL ) )
|
||||
else if( ( aad_len > 0U ) && ( aad == NULL ) )
|
||||
{
|
||||
/* aad pointer is allowed to be NULL if aad_len == 0 */
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
else if ( ctx->state != CHACHAPOLY_STATE_AAD )
|
||||
else if( ctx->state != CHACHAPOLY_STATE_AAD )
|
||||
{
|
||||
return(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
|
||||
}
|
||||
|
@ -199,22 +199,22 @@ int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
|
|||
const unsigned char *input,
|
||||
unsigned char *output )
|
||||
{
|
||||
if ( ctx == NULL )
|
||||
if( ctx == NULL )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
else if ( ( len > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) )
|
||||
else if( ( len > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) )
|
||||
{
|
||||
/* input and output pointers are allowed to be NULL if len == 0 */
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
else if ( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
|
||||
else if( ( ctx->state != CHACHAPOLY_STATE_AAD ) &&
|
||||
( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
|
||||
}
|
||||
|
||||
if ( ctx->state == CHACHAPOLY_STATE_AAD )
|
||||
if( ctx->state == CHACHAPOLY_STATE_AAD )
|
||||
{
|
||||
ctx->state = CHACHAPOLY_STATE_CIPHERTEXT;
|
||||
|
||||
|
@ -223,11 +223,11 @@ int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx,
|
|||
|
||||
ctx->ciphertext_len += len;
|
||||
|
||||
if ( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT )
|
||||
if( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT )
|
||||
{
|
||||
/* Note: the following functions return an error only if one or more of
|
||||
* the input pointers are NULL. Since we have checked their validity
|
||||
* above, we can safety ignore the return value.
|
||||
* the input pointers are NULL. Since we have checked their
|
||||
* validity above, we can safety ignore the return value.
|
||||
*/
|
||||
(void) mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output );
|
||||
(void) mbedtls_poly1305_update( &ctx->poly1305_ctx, output, len );
|
||||
|
@ -246,20 +246,20 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
|
|||
{
|
||||
unsigned char len_block[16];
|
||||
|
||||
if ( ( ctx == NULL ) || ( mac == NULL ) )
|
||||
if( ( ctx == NULL ) || ( mac == NULL ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
else if ( ctx->state == CHACHAPOLY_STATE_INIT )
|
||||
else if( ctx->state == CHACHAPOLY_STATE_INIT )
|
||||
{
|
||||
return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE );
|
||||
}
|
||||
|
||||
if ( ctx->state == CHACHAPOLY_STATE_AAD )
|
||||
if( ctx->state == CHACHAPOLY_STATE_AAD )
|
||||
{
|
||||
chachapoly_pad_aad( ctx );
|
||||
}
|
||||
else if ( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT )
|
||||
else if( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT )
|
||||
{
|
||||
chachapoly_pad_ciphertext( ctx );
|
||||
}
|
||||
|
@ -269,22 +269,22 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx,
|
|||
/* The lengths of the AAD and ciphertext are processed by
|
||||
* Poly1305 as the final 128-bit block, encoded as little-endian integers.
|
||||
*/
|
||||
len_block[0] = (unsigned char) ctx->aad_len;
|
||||
len_block[1] = (unsigned char) ( ctx->aad_len >> 8 );
|
||||
len_block[2] = (unsigned char) ( ctx->aad_len >> 16 );
|
||||
len_block[3] = (unsigned char) ( ctx->aad_len >> 24 );
|
||||
len_block[4] = (unsigned char) ( ctx->aad_len >> 32 );
|
||||
len_block[5] = (unsigned char) ( ctx->aad_len >> 40 );
|
||||
len_block[6] = (unsigned char) ( ctx->aad_len >> 48 );
|
||||
len_block[7] = (unsigned char) ( ctx->aad_len >> 56 );
|
||||
len_block[8] = (unsigned char) ctx->ciphertext_len;
|
||||
len_block[9] = (unsigned char) ( ctx->ciphertext_len >> 8 );
|
||||
len_block[10] = (unsigned char) ( ctx->ciphertext_len >> 16 );
|
||||
len_block[11] = (unsigned char) ( ctx->ciphertext_len >> 24 );
|
||||
len_block[12] = (unsigned char) ( ctx->ciphertext_len >> 32 );
|
||||
len_block[13] = (unsigned char) ( ctx->ciphertext_len >> 40 );
|
||||
len_block[14] = (unsigned char) ( ctx->ciphertext_len >> 48 );
|
||||
len_block[15] = (unsigned char) ( ctx->ciphertext_len >> 56 );
|
||||
len_block[ 0] = (unsigned char)( ctx->aad_len );
|
||||
len_block[ 1] = (unsigned char)( ctx->aad_len >> 8 );
|
||||
len_block[ 2] = (unsigned char)( ctx->aad_len >> 16 );
|
||||
len_block[ 3] = (unsigned char)( ctx->aad_len >> 24 );
|
||||
len_block[ 4] = (unsigned char)( ctx->aad_len >> 32 );
|
||||
len_block[ 5] = (unsigned char)( ctx->aad_len >> 40 );
|
||||
len_block[ 6] = (unsigned char)( ctx->aad_len >> 48 );
|
||||
len_block[ 7] = (unsigned char)( ctx->aad_len >> 56 );
|
||||
len_block[ 8] = (unsigned char)( ctx->ciphertext_len );
|
||||
len_block[ 9] = (unsigned char)( ctx->ciphertext_len >> 8 );
|
||||
len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 );
|
||||
len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 );
|
||||
len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 );
|
||||
len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 );
|
||||
len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 );
|
||||
len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 );
|
||||
|
||||
(void) mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U );
|
||||
(void) mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac );
|
||||
|
@ -302,24 +302,24 @@ int mbedtls_chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx,
|
|||
unsigned char *output,
|
||||
unsigned char tag[16] )
|
||||
{
|
||||
int result;
|
||||
int ret;
|
||||
|
||||
result = mbedtls_chachapoly_starts( ctx, nonce, mode );
|
||||
if ( result != 0 )
|
||||
ret = mbedtls_chachapoly_starts( ctx, nonce, mode );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_chachapoly_update_aad( ctx, aad, aad_len );
|
||||
if ( result != 0 )
|
||||
goto cleanup;
|
||||
ret = mbedtls_chachapoly_update_aad( ctx, aad, aad_len );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_chachapoly_update( ctx, length, input, output );
|
||||
if ( result != 0 )
|
||||
goto cleanup;
|
||||
ret = mbedtls_chachapoly_update( ctx, length, input, output );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_chachapoly_finish( ctx, tag );
|
||||
ret = mbedtls_chachapoly_finish( ctx, tag );
|
||||
|
||||
cleanup:
|
||||
return( result );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx,
|
||||
|
@ -466,7 +466,7 @@ int mbedtls_chachapoly_self_test( int verbose )
|
|||
{
|
||||
mbedtls_chachapoly_context ctx;
|
||||
unsigned i;
|
||||
int result;
|
||||
int ret;
|
||||
unsigned char output[200];
|
||||
unsigned char mac[16];
|
||||
|
||||
|
@ -477,20 +477,20 @@ int mbedtls_chachapoly_self_test( int verbose )
|
|||
|
||||
mbedtls_chachapoly_init( &ctx );
|
||||
|
||||
result = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
|
||||
ASSERT( 0 == result, ( "setkey() error code: %i\n", result ) );
|
||||
ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] );
|
||||
ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) );
|
||||
|
||||
result = mbedtls_chachapoly_crypt_and_tag( &ctx,
|
||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
||||
test_input_len[i],
|
||||
test_nonce[i],
|
||||
test_aad[i],
|
||||
test_aad_len[i],
|
||||
test_input[i],
|
||||
output,
|
||||
mac );
|
||||
ret = mbedtls_chachapoly_crypt_and_tag( &ctx,
|
||||
MBEDTLS_CHACHAPOLY_ENCRYPT,
|
||||
test_input_len[i],
|
||||
test_nonce[i],
|
||||
test_aad[i],
|
||||
test_aad_len[i],
|
||||
test_input[i],
|
||||
output,
|
||||
mac );
|
||||
|
||||
ASSERT( 0 == result, ( "crypt_and_tag() error code: %i\n", result ) );
|
||||
ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) );
|
||||
|
||||
ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ),
|
||||
( "failure (wrong output)\n" ) );
|
||||
|
|
|
@ -57,12 +57,12 @@
|
|||
* \brief Process blocks with Poly1305.
|
||||
*
|
||||
* \param ctx The Poly1305 context.
|
||||
* \param nblocks Number of blocks to process. Note that this function
|
||||
* only processes full blocks.
|
||||
* \param nblocks Number of blocks to process. Note that this
|
||||
* function only processes full blocks.
|
||||
* \param input Buffer containing the input block(s).
|
||||
* \param needs_padding Set to 0 if the padding bit has already been applied
|
||||
* to the input data before calling this function.
|
||||
* Otherwise, set this parameter to 1.
|
||||
* \param needs_padding Set to 0 if the padding bit has already been
|
||||
* applied to the input data before calling this
|
||||
* function. Otherwise, set this parameter to 1.
|
||||
*/
|
||||
static void poly1305_process( mbedtls_poly1305_context *ctx,
|
||||
size_t nblocks,
|
||||
|
@ -92,14 +92,19 @@ static void poly1305_process( mbedtls_poly1305_context *ctx,
|
|||
acc4 = ctx->acc[4];
|
||||
|
||||
/* Process full blocks */
|
||||
for ( i = 0U; i < nblocks; i++ )
|
||||
for( i = 0U; i < nblocks; i++ )
|
||||
{
|
||||
/* Compute: acc += block */
|
||||
/* Note that the input block is treated as a 128-bit little-endian integer */
|
||||
d0 = (uint64_t) acc0 + BYTES_TO_U32_LE( input, offset + 0 );
|
||||
d1 = (uint64_t) acc1 + BYTES_TO_U32_LE( input, offset + 4 ) + ( d0 >> 32U );
|
||||
d2 = (uint64_t) acc2 + BYTES_TO_U32_LE( input, offset + 8 ) + ( d1 >> 32U );
|
||||
d3 = (uint64_t) acc3 + BYTES_TO_U32_LE( input, offset + 12 ) + ( d2 >> 32U );
|
||||
/* The input block is treated as a 128-bit little-endian integer */
|
||||
d0 = BYTES_TO_U32_LE( input, offset + 0 );
|
||||
d1 = BYTES_TO_U32_LE( input, offset + 4 );
|
||||
d2 = BYTES_TO_U32_LE( input, offset + 8 );
|
||||
d3 = BYTES_TO_U32_LE( input, offset + 12 );
|
||||
|
||||
/* Compute: acc += (padded) block as a 130-bit integer */
|
||||
d0 += (uint64_t) acc0;
|
||||
d1 += (uint64_t) acc1 + ( d0 >> 32U );
|
||||
d2 += (uint64_t) acc2 + ( d1 >> 32U );
|
||||
d3 += (uint64_t) acc3 + ( d2 >> 32U );
|
||||
acc0 = (uint32_t) d0;
|
||||
acc1 = (uint32_t) d1;
|
||||
acc2 = (uint32_t) d2;
|
||||
|
@ -182,7 +187,7 @@ static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
|
|||
acc3 = ctx->acc[3];
|
||||
acc4 = ctx->acc[4];
|
||||
|
||||
/* Before adding 's' we need to ensure that the accumulator is mod 2^130 - 5.
|
||||
/* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
|
||||
* We do this by calculating acc - (2^130 - 5), then checking if
|
||||
* the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
|
||||
*/
|
||||
|
@ -218,27 +223,27 @@ static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
|
|||
acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
|
||||
|
||||
/* Compute MAC (128 least significant bits of the accumulator) */
|
||||
mac[0] = (unsigned char) acc0;
|
||||
mac[1] = (unsigned char) ( acc0 >> 8 );
|
||||
mac[2] = (unsigned char) ( acc0 >> 16 );
|
||||
mac[3] = (unsigned char) ( acc0 >> 24 );
|
||||
mac[4] = (unsigned char) acc1;
|
||||
mac[5] = (unsigned char) ( acc1 >> 8 );
|
||||
mac[6] = (unsigned char) ( acc1 >> 16 );
|
||||
mac[7] = (unsigned char) ( acc1 >> 24 );
|
||||
mac[8] = (unsigned char) acc2;
|
||||
mac[9] = (unsigned char) ( acc2 >> 8 );
|
||||
mac[10] = (unsigned char) ( acc2 >> 16 );
|
||||
mac[11] = (unsigned char) ( acc2 >> 24 );
|
||||
mac[12] = (unsigned char) acc3;
|
||||
mac[13] = (unsigned char) ( acc3 >> 8 );
|
||||
mac[14] = (unsigned char) ( acc3 >> 16 );
|
||||
mac[15] = (unsigned char) ( acc3 >> 24 );
|
||||
mac[ 0] = (unsigned char)( acc0 );
|
||||
mac[ 1] = (unsigned char)( acc0 >> 8 );
|
||||
mac[ 2] = (unsigned char)( acc0 >> 16 );
|
||||
mac[ 3] = (unsigned char)( acc0 >> 24 );
|
||||
mac[ 4] = (unsigned char)( acc1 );
|
||||
mac[ 5] = (unsigned char)( acc1 >> 8 );
|
||||
mac[ 6] = (unsigned char)( acc1 >> 16 );
|
||||
mac[ 7] = (unsigned char)( acc1 >> 24 );
|
||||
mac[ 8] = (unsigned char)( acc2 );
|
||||
mac[ 9] = (unsigned char)( acc2 >> 8 );
|
||||
mac[10] = (unsigned char)( acc2 >> 16 );
|
||||
mac[11] = (unsigned char)( acc2 >> 24 );
|
||||
mac[12] = (unsigned char)( acc3 );
|
||||
mac[13] = (unsigned char)( acc3 >> 8 );
|
||||
mac[14] = (unsigned char)( acc3 >> 16 );
|
||||
mac[15] = (unsigned char)( acc3 >> 24 );
|
||||
}
|
||||
|
||||
void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
|
||||
{
|
||||
if ( ctx != NULL )
|
||||
if( ctx != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
|
||||
}
|
||||
|
@ -246,7 +251,7 @@ void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
|
|||
|
||||
void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
|
||||
{
|
||||
if ( ctx != NULL )
|
||||
if( ctx != NULL )
|
||||
{
|
||||
mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
|
||||
}
|
||||
|
@ -255,7 +260,7 @@ void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
|
|||
int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
|
||||
const unsigned char key[32] )
|
||||
{
|
||||
if ( ctx == NULL || key == NULL )
|
||||
if( ctx == NULL || key == NULL )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
|
@ -294,21 +299,21 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
|
|||
size_t queue_free_len;
|
||||
size_t nblocks;
|
||||
|
||||
if ( ctx == NULL )
|
||||
if( ctx == NULL )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
else if ( ( ilen > 0U ) && ( input == NULL ) )
|
||||
else if( ( ilen > 0U ) && ( input == NULL ) )
|
||||
{
|
||||
/* input pointer is allowed to be NULL only if ilen == 0 */
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
if ( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
|
||||
if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
|
||||
{
|
||||
queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
|
||||
|
||||
if ( ilen < queue_free_len )
|
||||
if( ilen < queue_free_len )
|
||||
{
|
||||
/* Not enough data to complete the block.
|
||||
* Store this data with the other leftovers.
|
||||
|
@ -337,7 +342,7 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
|
|||
}
|
||||
}
|
||||
|
||||
if ( remaining >= POLY1305_BLOCK_SIZE_BYTES )
|
||||
if( remaining >= POLY1305_BLOCK_SIZE_BYTES )
|
||||
{
|
||||
nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
|
||||
|
||||
|
@ -347,7 +352,7 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
|
|||
remaining %= POLY1305_BLOCK_SIZE_BYTES;
|
||||
}
|
||||
|
||||
if ( remaining > 0U )
|
||||
if( remaining > 0U )
|
||||
{
|
||||
/* Store partial block */
|
||||
ctx->queue_len = remaining;
|
||||
|
@ -360,13 +365,13 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
|
|||
int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
|
||||
unsigned char mac[16] )
|
||||
{
|
||||
if ( ( ctx == NULL ) || ( mac == NULL ) )
|
||||
if( ( ctx == NULL ) || ( mac == NULL ) )
|
||||
{
|
||||
return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA );
|
||||
}
|
||||
|
||||
/* Process any leftover data */
|
||||
if ( ctx->queue_len > 0U )
|
||||
if( ctx->queue_len > 0U )
|
||||
{
|
||||
/* Add padding bit */
|
||||
ctx->queue[ctx->queue_len] = 1U;
|
||||
|
@ -378,7 +383,7 @@ int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
|
|||
POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
|
||||
|
||||
poly1305_process( ctx, 1U, /* Process 1 block */
|
||||
ctx->queue, 0U ); /* Don't add padding bit (it was just added above) */
|
||||
ctx->queue, 0U ); /* Already padded above */
|
||||
}
|
||||
|
||||
poly1305_compute_mac( ctx, mac );
|
||||
|
@ -392,23 +397,23 @@ int mbedtls_poly1305_mac( const unsigned char key[32],
|
|||
unsigned char mac[16] )
|
||||
{
|
||||
mbedtls_poly1305_context ctx;
|
||||
int result;
|
||||
int ret;
|
||||
|
||||
mbedtls_poly1305_init( &ctx );
|
||||
|
||||
result = mbedtls_poly1305_starts( &ctx, key );
|
||||
if ( result != 0 )
|
||||
ret = mbedtls_poly1305_starts( &ctx, key );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_poly1305_update( &ctx, input, ilen );
|
||||
if ( result != 0 )
|
||||
ret = mbedtls_poly1305_update( &ctx, input, ilen );
|
||||
if( ret != 0 )
|
||||
goto cleanup;
|
||||
|
||||
result = mbedtls_poly1305_finish( &ctx, mac );
|
||||
ret = mbedtls_poly1305_finish( &ctx, mac );
|
||||
|
||||
cleanup:
|
||||
mbedtls_poly1305_free( &ctx );
|
||||
return( result );
|
||||
return( ret );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_POLY1305_ALT */
|
||||
|
@ -495,18 +500,18 @@ int mbedtls_poly1305_self_test( int verbose )
|
|||
{
|
||||
unsigned char mac[16];
|
||||
unsigned i;
|
||||
int result;
|
||||
int ret;
|
||||
|
||||
for( i = 0U; i < 2U; i++ )
|
||||
{
|
||||
if( verbose != 0 )
|
||||
mbedtls_printf( " Poly1305 test %u ", i );
|
||||
|
||||
result = mbedtls_poly1305_mac( test_keys[i],
|
||||
test_data[i],
|
||||
test_data_len[i],
|
||||
mac );
|
||||
ASSERT( 0 == result, ( "error code: %i\n", result ) );
|
||||
ret = mbedtls_poly1305_mac( test_keys[i],
|
||||
test_data[i],
|
||||
test_data_len[i],
|
||||
mac );
|
||||
ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
|
||||
|
||||
ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
|
||||
|
||||
|
|
Loading…
Reference in a new issue