diff --git a/library/chacha20.c b/library/chacha20.c index f782e8c39..903f55f3b 100644 --- a/library/chacha20.c +++ b/library/chacha20.c @@ -55,7 +55,8 @@ | (uint32_t) ( (uint32_t) data[( offset ) + 3] << 24 ) \ ) -#define ROTL32( value, amount ) ( (uint32_t) ( value << amount ) | ( value >> ( 32 - amount ) ) ) +#define ROTL32( value, amount ) \ + ( (uint32_t) ( value << amount ) | ( value >> ( 32 - amount ) ) ) #define CHACHA20_CTR_INDEX ( 12U ) @@ -127,7 +128,7 @@ static void chacha20_inner_block( uint32_t state[16] ) /** * \brief Generates a keystream block. * - * \param initial_state The initial ChaCha20 state (containing the key, nonce, counter). + * \param initial_state The initial ChaCha20 state (key, nonce, counter). * \param keystream Generated keystream bytes are written to this buffer. */ static void chacha20_block( const uint32_t initial_state[16], 
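Review bot: `ROTL32` in the first hunk still expands `value` and `amount` without parentheses, and the `(uint32_t)` cast covers only the left shift, so an expression argument or a `value` wider than 32 bits would not rotate correctly. Since the line is being rewrapped anyway, parenthesise both arguments and cast the operand and the result: `( (uint32_t)( ( (uint32_t)( value ) << ( amount ) ) | ( (uint32_t)( value ) >> ( 32 - ( amount ) ) ) ) )`. An `amount` of 0 would shift right by 32, which is undefined for a 32-bit operand. The callers are outside this hunk, so a comment such as `/* amount must be in the range 1..31 */` would document the precondition.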
@@ -140,19 +141,19 @@ static void chacha20_block( const uint32_t initial_state[16], initial_state, CHACHA20_BLOCK_SIZE_BYTES ); - for ( i = 0U; i < 10U; i++ ) + for( i = 0U; i < 10U; i++ ) chacha20_inner_block( working_state ); - working_state[0] += initial_state[0]; - working_state[1] += initial_state[1]; - working_state[2] += initial_state[2]; - working_state[3] += initial_state[3]; - working_state[4] += initial_state[4]; - working_state[5] += initial_state[5]; - working_state[6] += initial_state[6]; - working_state[7] += initial_state[7]; - working_state[8] += initial_state[8]; - working_state[9] += initial_state[9]; + working_state[ 0] += initial_state[ 0]; + working_state[ 1] += initial_state[ 1]; + working_state[ 2] += initial_state[ 2]; + working_state[ 3] += initial_state[ 3]; + working_state[ 4] += initial_state[ 4]; + working_state[ 5] += initial_state[ 5]; + working_state[ 6] += initial_state[ 6]; + working_state[ 7] += initial_state[ 7]; + working_state[ 8] += initial_state[ 8]; + working_state[ 9] += initial_state[ 9]; working_state[10] += initial_state[10]; working_state[11] += initial_state[11]; working_state[12] += initial_state[12]; 
@@ -160,14 +161,14 @@ static void chacha20_block( const uint32_t initial_state[16], working_state[14] += initial_state[14]; working_state[15] += initial_state[15]; - for ( i = 0U; i < 16; i++ ) + for( i = 0U; i < 16; i++ ) { size_t offset = i * 4U; - keystream[offset ] = (unsigned char) working_state[i]; - keystream[offset + 1U] = (unsigned char) ( working_state[i] >> 8 ); - keystream[offset + 2U] = (unsigned char) ( working_state[i] >> 16 ); - keystream[offset + 3U] = (unsigned char) ( working_state[i] >> 24 ); + keystream[offset ] = (unsigned char)( working_state[i] ); + keystream[offset + 1U] = (unsigned char)( working_state[i] >> 8 ); + keystream[offset + 2U] = (unsigned char)( working_state[i] >> 16 ); + keystream[offset + 3U] = (unsigned char)( working_state[i] >> 24 ); } mbedtls_platform_zeroize( working_state, sizeof( working_state ) ); @@ -175,7 +176,7 @@ static void chacha20_block( const uint32_t initial_state[16], void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx ) { - if ( ctx != NULL ) + if( ctx != NULL ) { mbedtls_platform_zeroize( ctx->state, sizeof( ctx->state ) ); mbedtls_platform_zeroize( ctx->keystream8, sizeof( ctx->keystream8 ) ); @@ -187,7 +188,7 @@ void mbedtls_chacha20_init( mbedtls_chacha20_context *ctx ) void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx ) { - if ( ctx != NULL ) + if( ctx != NULL ) { mbedtls_platform_zeroize( ctx, sizeof( mbedtls_chacha20_context ) ); } @@ -196,7 +197,7 @@ void mbedtls_chacha20_free( mbedtls_chacha20_context *ctx ) int mbedtls_chacha20_setkey( mbedtls_chacha20_context *ctx, const unsigned char key[32] ) { - if ( ( ctx == NULL ) || ( key == NULL ) ) + if( ( ctx == NULL ) || ( key == NULL ) ) { return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); } 
@@ -224,7 +225,7 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, const unsigned char nonce[12], uint32_t counter ) { - if ( ( ctx == NULL ) || ( nonce == NULL ) ) + if( ( ctx == NULL ) || ( nonce == NULL ) ) { return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); } @@ -253,20 +254,21 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, size_t offset = 0U; size_t i; - if ( ctx == NULL ) + if( ctx == NULL ) { return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); } - else if ( ( size > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) ) + else if( ( size > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) ) { /* input and output pointers are allowed to be NULL only if size == 0 */ return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); } /* Use leftover keystream bytes, if available */ - while ( ( size > 0U ) && ( ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES ) ) + while( size > 0U && ctx->keystream_bytes_used < CHACHA20_BLOCK_SIZE_BYTES ) { - output[offset] = input[offset] ^ ctx->keystream8[ctx->keystream_bytes_used]; + output[offset] = input[offset] + ^ ctx->keystream8[ctx->keystream_bytes_used]; ctx->keystream_bytes_used++; offset++; 
@@ -274,22 +276,22 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, } /* Process full blocks */ - while ( size >= CHACHA20_BLOCK_SIZE_BYTES ) + while( size >= CHACHA20_BLOCK_SIZE_BYTES ) { /* Generate new keystream block and increment counter */ chacha20_block( ctx->state, ctx->keystream8 ); ctx->state[CHACHA20_CTR_INDEX]++; - for ( i = 0U; i < 64U; i += 8U ) + for( i = 0U; i < 64U; i += 8U ) { - output[offset + i ] = input[offset + i ] ^ ctx->keystream8[i ]; - output[offset + i + 1U ] = input[offset + i + 1U ] ^ ctx->keystream8[i + 1U ]; - output[offset + i + 2U ] = input[offset + i + 2U ] ^ ctx->keystream8[i + 2U ]; - output[offset + i + 3U ] = input[offset + i + 3U ] ^ ctx->keystream8[i + 3U ]; - output[offset + i + 4U ] = input[offset + i + 4U ] ^ ctx->keystream8[i + 4U ]; - output[offset + i + 5U ] = input[offset + i + 5U ] ^ ctx->keystream8[i + 5U ]; - output[offset + i + 6U ] = input[offset + i + 6U ] ^ ctx->keystream8[i + 6U ]; - output[offset + i + 7U ] = input[offset + i + 7U ] ^ ctx->keystream8[i + 7U ]; + output[offset + i ] = input[offset + i ] ^ ctx->keystream8[i ]; + output[offset + i+1] = input[offset + i+1] ^ ctx->keystream8[i+1]; + output[offset + i+2] = input[offset + i+2] ^ ctx->keystream8[i+2]; + output[offset + i+3] = input[offset + i+3] ^ ctx->keystream8[i+3]; + output[offset + i+4] = input[offset + i+4] ^ ctx->keystream8[i+4]; + output[offset + i+5] = input[offset + i+5] ^ ctx->keystream8[i+5]; + output[offset + i+6] = input[offset + i+6] ^ ctx->keystream8[i+6]; + output[offset + i+7] = input[offset + i+7] ^ ctx->keystream8[i+7]; } offset += CHACHA20_BLOCK_SIZE_BYTES; 
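Review bot: `ctx->state[CHACHA20_CTR_INDEX]++` in the full-block loop of `mbedtls_chacha20_update` has no wrap check, so after at most 2^32 blocks under one key and nonce the 32-bit counter returns to an earlier value and the keystream repeats. The same unchecked increment sits in the partial-block branch of the next hunk (`@@ -297,13`). Nothing visible here bounds the total length processed. If no caller does either, the function should return an error before the counter wraps, or the limit should at least be documented, e.g. `/* The 32-bit block counter wraps silently: do not process more than 2^32 blocks (256 GiB) per key/nonce pair. */`. The function body starts and ends outside this hunk.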
@@ -297,13 +299,13 @@ int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, } /* Last (partial) block */ - if ( size > 0U ) + if( size > 0U ) { /* Generate new keystream block and increment counter */ chacha20_block( ctx->state, ctx->keystream8 ); ctx->state[CHACHA20_CTR_INDEX]++; - for ( i = 0U; i < size; i++) + for( i = 0U; i < size; i++) { output[offset + i] = input[offset + i] ^ ctx->keystream8[i]; } @@ -323,23 +325,23 @@ int mbedtls_chacha20_crypt( const unsigned char key[32], unsigned char* output ) { mbedtls_chacha20_context ctx; - int result; + int ret; mbedtls_chacha20_init( &ctx ); - result = mbedtls_chacha20_setkey( &ctx, key ); - if ( result != 0 ) + ret = mbedtls_chacha20_setkey( &ctx, key ); + if( ret != 0 ) goto cleanup; - result = mbedtls_chacha20_starts( &ctx, nonce, counter ); - if ( result != 0 ) + ret = mbedtls_chacha20_starts( &ctx, nonce, counter ); + if( ret != 0 ) goto cleanup; - result = mbedtls_chacha20_update( &ctx, data_len, input, output ); + ret = mbedtls_chacha20_update( &ctx, data_len, input, output ); cleanup: mbedtls_chacha20_free( &ctx ); - return( result ); + return( ret ); } #endif /* !MBEDTLS_CHACHA20_ALT */ @@ -529,21 +531,21 @@ int mbedtls_chacha20_self_test( int verbose ) { unsigned char output[381]; unsigned i; - int result; + int ret; for( i = 0U; i < 2U; i++ ) { if( verbose != 0 ) mbedtls_printf( " ChaCha20 test %u ", i ); - result = mbedtls_chacha20_crypt( test_keys[i], - test_nonces[i], - test_counters[i], - test_lengths[i], - test_input[i], - output ); + ret = mbedtls_chacha20_crypt( test_keys[i], + test_nonces[i], + test_counters[i], + test_lengths[i], + test_input[i], + output ); - ASSERT( 0 == result, ( "error code: %i\n", result ) ); + ASSERT( 0 == ret, ( "error code: %i\n", ret ) ); ASSERT( 0 == memcmp( output, test_output[i], test_lengths[i] ), ( "failed (output)\n" ) ); diff --git a/library/chachapoly.c b/library/chachapoly.c index d0c35511a..12fce808f 100644 --- a/library/chachapoly.c 
+++ b/library/chachapoly.c @@ -50,7 +50,7 @@ #define CHACHAPOLY_STATE_FINISHED ( 3 ) /** - * \brief Adds padding bytes (zeroes) to pad the AAD for Poly1305. + * \brief Adds nul bytes to pad the AAD for Poly1305. * * \param ctx The ChaCha20-Poly1305 context. */ @@ -59,7 +59,7 @@ static void chachapoly_pad_aad( mbedtls_chachapoly_context *ctx ) uint32_t partial_block_len = (uint32_t) ( ctx->aad_len % 16U ); unsigned char zeroes[15]; - if ( partial_block_len > 0U ) + if( partial_block_len > 0U ) { memset( zeroes, 0, sizeof( zeroes ) ); (void) mbedtls_poly1305_update( &ctx->poly1305_ctx, @@ -69,7 +69,7 @@ static void chachapoly_pad_aad( mbedtls_chachapoly_context *ctx ) } /** - * \brief Adds padding bytes (zeroes) to pad the ciphertext for Poly1305. + * \brief Adds nul bytes to pad the ciphertext for Poly1305. * * \param ctx The ChaCha20-Poly1305 context. */ @@ -78,7 +78,7 @@ static void chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx ) uint32_t partial_block_len = (uint32_t) ( ctx->ciphertext_len % 16U ); unsigned char zeroes[15]; - if ( partial_block_len > 0U ) + if( partial_block_len > 0U ) { memset( zeroes, 0, sizeof( zeroes ) ); (void) mbedtls_poly1305_update( &ctx->poly1305_ctx, @@ -89,7 +89,7 @@ static void chachapoly_pad_ciphertext( mbedtls_chachapoly_context *ctx ) void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx ) { - if ( ctx != NULL ) + if( ctx != NULL ) { mbedtls_chacha20_init( &ctx->chacha20_ctx ); mbedtls_poly1305_init( &ctx->poly1305_ctx ); @@ -102,7 +102,7 @@ void mbedtls_chachapoly_init( mbedtls_chachapoly_context *ctx ) void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx ) { - if ( ctx != NULL ) + if( ctx != NULL ) { mbedtls_chacha20_free( &ctx->chacha20_ctx ); mbedtls_poly1305_free( &ctx->poly1305_ctx ); 
@@ -116,49 +116,49 @@ void mbedtls_chachapoly_free( mbedtls_chachapoly_context *ctx ) int mbedtls_chachapoly_setkey( mbedtls_chachapoly_context *ctx, const unsigned char key[32] ) { - int result; + int ret; - if ( ( ctx == NULL ) || ( key == NULL ) ) + if( ( ctx == NULL ) || ( key == NULL ) ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - result = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key ); + ret = mbedtls_chacha20_setkey( &ctx->chacha20_ctx, key ); - return( result ); + return( ret ); } int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx, const unsigned char nonce[12], mbedtls_chachapoly_mode_t mode ) { - int result; + int ret; unsigned char poly1305_key[64]; - if ( ( ctx == NULL ) || ( nonce == NULL ) ) + if( ( ctx == NULL ) || ( nonce == NULL ) ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } /* Set counter = 0, will be update to 1 when generating Poly1305 key */ - result = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U ); - if ( result != 0 ) + ret = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U ); + if( ret != 0 ) goto cleanup; - /* Generate the Poly1305 key by getting the ChaCha20 keystream output with counter = 0. - * This is the same as encrypting a buffer of zeroes. + /* Generate the Poly1305 key by getting the ChaCha20 keystream output with + * counter = 0. This is the same as encrypting a buffer of zeroes. * Only the first 256-bits (32 bytes) of the key is used for Poly1305. * The other 256 bits are discarded. 
*/ memset( poly1305_key, 0, sizeof( poly1305_key ) ); - result = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ), + ret = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ), poly1305_key, poly1305_key ); - if ( result != 0 ) + if( ret != 0 ) goto cleanup; - result = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key ); + ret = mbedtls_poly1305_starts( &ctx->poly1305_ctx, poly1305_key ); - if ( result == 0 ) + if( ret == 0 ) { ctx->aad_len = 0U; ctx->ciphertext_len = 0U; @@ -168,23 +168,23 @@ int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx, cleanup: mbedtls_platform_zeroize( poly1305_key, 64U ); - return( result ); + return( ret ); } int mbedtls_chachapoly_update_aad( mbedtls_chachapoly_context *ctx, const unsigned char *aad, size_t aad_len ) { - if ( ctx == NULL ) + if( ctx == NULL ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - else if ( ( aad_len > 0U ) && ( aad == NULL ) ) + else if( ( aad_len > 0U ) && ( aad == NULL ) ) { /* aad pointer is allowed to be NULL if aad_len == 0 */ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - else if ( ctx->state != CHACHAPOLY_STATE_AAD ) + else if( ctx->state != CHACHAPOLY_STATE_AAD ) { return(MBEDTLS_ERR_CHACHAPOLY_BAD_STATE ); } 
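Review bot: In the `@@ -168,23` hunk the `cleanup:` path of `mbedtls_chachapoly_starts` wipes the one-time Poly1305 key with a hard-coded length, `mbedtls_platform_zeroize( poly1305_key, 64U );`, while the `memset` and the `mbedtls_chacha20_update` call earlier in the function use `sizeof( poly1305_key )`. Use `mbedtls_platform_zeroize( poly1305_key, sizeof( poly1305_key ) );` so the wipe keeps covering the whole buffer if its size is ever changed. The comment in the preceding hunk, "will be update to 1", should read "will be updated to 1".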
@@ -199,22 +199,22 @@ int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx, const unsigned char *input, unsigned char *output ) { - if ( ctx == NULL ) + if( ctx == NULL ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - else if ( ( len > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) ) + else if( ( len > 0U ) && ( ( input == NULL ) || ( output == NULL ) ) ) { /* input and output pointers are allowed to be NULL if len == 0 */ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - else if ( ( ctx->state != CHACHAPOLY_STATE_AAD ) && + else if( ( ctx->state != CHACHAPOLY_STATE_AAD ) && ( ctx->state != CHACHAPOLY_STATE_CIPHERTEXT ) ) { return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE ); } - if ( ctx->state == CHACHAPOLY_STATE_AAD ) + if( ctx->state == CHACHAPOLY_STATE_AAD ) { ctx->state = CHACHAPOLY_STATE_CIPHERTEXT; @@ -223,11 +223,11 @@ int mbedtls_chachapoly_update( mbedtls_chachapoly_context *ctx, ctx->ciphertext_len += len; - if ( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT ) + if( ctx->mode == MBEDTLS_CHACHAPOLY_ENCRYPT ) { /* Note: the following functions return an error only if one or more of - * the input pointers are NULL. Since we have checked their validity - * above, we can safety ignore the return value. + * the input pointers are NULL. Since we have checked their + * validity above, we can safety ignore the return value. */ (void) mbedtls_chacha20_update( &ctx->chacha20_ctx, len, input, output ); (void) mbedtls_poly1305_update( &ctx->poly1305_ctx, output, len ); 
@@ -246,20 +246,20 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx, { unsigned char len_block[16]; - if ( ( ctx == NULL ) || ( mac == NULL ) ) + if( ( ctx == NULL ) || ( mac == NULL ) ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - else if ( ctx->state == CHACHAPOLY_STATE_INIT ) + else if( ctx->state == CHACHAPOLY_STATE_INIT ) { return( MBEDTLS_ERR_CHACHAPOLY_BAD_STATE ); } - if ( ctx->state == CHACHAPOLY_STATE_AAD ) + if( ctx->state == CHACHAPOLY_STATE_AAD ) { chachapoly_pad_aad( ctx ); } - else if ( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT ) + else if( ctx->state == CHACHAPOLY_STATE_CIPHERTEXT ) { chachapoly_pad_ciphertext( ctx ); } 
@@ -269,22 +269,22 @@ int mbedtls_chachapoly_finish( mbedtls_chachapoly_context *ctx, /* The lengths of the AAD and ciphertext are processed by * Poly1305 as the final 128-bit block, encoded as little-endian integers. */ - len_block[0] = (unsigned char) ctx->aad_len; - len_block[1] = (unsigned char) ( ctx->aad_len >> 8 ); - len_block[2] = (unsigned char) ( ctx->aad_len >> 16 ); - len_block[3] = (unsigned char) ( ctx->aad_len >> 24 ); - len_block[4] = (unsigned char) ( ctx->aad_len >> 32 ); - len_block[5] = (unsigned char) ( ctx->aad_len >> 40 ); - len_block[6] = (unsigned char) ( ctx->aad_len >> 48 ); - len_block[7] = (unsigned char) ( ctx->aad_len >> 56 ); - len_block[8] = (unsigned char) ctx->ciphertext_len; - len_block[9] = (unsigned char) ( ctx->ciphertext_len >> 8 ); - len_block[10] = (unsigned char) ( ctx->ciphertext_len >> 16 ); - len_block[11] = (unsigned char) ( ctx->ciphertext_len >> 24 ); - len_block[12] = (unsigned char) ( ctx->ciphertext_len >> 32 ); - len_block[13] = (unsigned char) ( ctx->ciphertext_len >> 40 ); - len_block[14] = (unsigned char) ( ctx->ciphertext_len >> 48 ); - len_block[15] = (unsigned char) ( ctx->ciphertext_len >> 56 ); + len_block[ 0] = (unsigned char)( ctx->aad_len ); + len_block[ 1] = (unsigned char)( ctx->aad_len >> 8 ); + len_block[ 2] = (unsigned char)( ctx->aad_len >> 16 ); + len_block[ 3] = (unsigned char)( ctx->aad_len >> 24 ); + len_block[ 4] = (unsigned char)( ctx->aad_len >> 32 ); + len_block[ 5] = (unsigned char)( ctx->aad_len >> 40 ); + len_block[ 6] = (unsigned char)( ctx->aad_len >> 48 ); + len_block[ 7] = (unsigned char)( ctx->aad_len >> 56 ); + len_block[ 8] = (unsigned char)( ctx->ciphertext_len ); + len_block[ 9] = (unsigned char)( ctx->ciphertext_len >> 8 ); + len_block[10] = (unsigned char)( ctx->ciphertext_len >> 16 ); + len_block[11] = (unsigned char)( ctx->ciphertext_len >> 24 ); + len_block[12] = (unsigned char)( ctx->ciphertext_len >> 32 ); + len_block[13] = (unsigned char)( ctx->ciphertext_len >> 40 ); 
+ len_block[14] = (unsigned char)( ctx->ciphertext_len >> 48 ); + len_block[15] = (unsigned char)( ctx->ciphertext_len >> 56 ); (void) mbedtls_poly1305_update( &ctx->poly1305_ctx, len_block, 16U ); (void) mbedtls_poly1305_finish( &ctx->poly1305_ctx, mac ); @@ -302,24 +302,24 @@ int mbedtls_chachapoly_crypt_and_tag( mbedtls_chachapoly_context *ctx, unsigned char *output, unsigned char tag[16] ) { - int result; + int ret; - result = mbedtls_chachapoly_starts( ctx, nonce, mode ); - if ( result != 0 ) + ret = mbedtls_chachapoly_starts( ctx, nonce, mode ); + if( ret != 0 ) goto cleanup; - result = mbedtls_chachapoly_update_aad( ctx, aad, aad_len ); - if ( result != 0 ) - goto cleanup; + ret = mbedtls_chachapoly_update_aad( ctx, aad, aad_len ); + if( ret != 0 ) + goto cleanup; - result = mbedtls_chachapoly_update( ctx, length, input, output ); - if ( result != 0 ) - goto cleanup; + ret = mbedtls_chachapoly_update( ctx, length, input, output ); + if( ret != 0 ) + goto cleanup; - result = mbedtls_chachapoly_finish( ctx, tag ); + ret = mbedtls_chachapoly_finish( ctx, tag ); cleanup: - return( result ); + return( ret ); } int mbedtls_chachapoly_auth_decrypt( mbedtls_chachapoly_context *ctx, @@ -466,7 +466,7 @@ int mbedtls_chachapoly_self_test( int verbose ) { mbedtls_chachapoly_context ctx; unsigned i; - int result; + int ret; unsigned char output[200]; unsigned char mac[16]; 
@@ -477,20 +477,20 @@ int mbedtls_chachapoly_self_test( int verbose ) mbedtls_chachapoly_init( &ctx ); - result = mbedtls_chachapoly_setkey( &ctx, test_key[i] ); - ASSERT( 0 == result, ( "setkey() error code: %i\n", result ) ); + ret = mbedtls_chachapoly_setkey( &ctx, test_key[i] ); + ASSERT( 0 == ret, ( "setkey() error code: %i\n", ret ) ); - result = mbedtls_chachapoly_crypt_and_tag( &ctx, - MBEDTLS_CHACHAPOLY_ENCRYPT, - test_input_len[i], - test_nonce[i], - test_aad[i], - test_aad_len[i], - test_input[i], - output, - mac ); + ret = mbedtls_chachapoly_crypt_and_tag( &ctx, + MBEDTLS_CHACHAPOLY_ENCRYPT, + test_input_len[i], + test_nonce[i], + test_aad[i], + test_aad_len[i], + test_input[i], + output, + mac ); - ASSERT( 0 == result, ( "crypt_and_tag() error code: %i\n", result ) ); + ASSERT( 0 == ret, ( "crypt_and_tag() error code: %i\n", ret ) ); ASSERT( 0 == memcmp( output, test_output[i], test_input_len[i] ), ( "failure (wrong output)\n" ) ); diff --git a/library/poly1305.c b/library/poly1305.c index 091684e19..41e83f3f3 100644 --- a/library/poly1305.c +++ b/library/poly1305.c @@ -57,12 +57,12 @@ * \brief Process blocks with Poly1305. * * \param ctx The Poly1305 context. - * \param nblocks Number of blocks to process. Note that this function - * only processes full blocks. + * \param nblocks Number of blocks to process. Note that this + * function only processes full blocks. * \param input Buffer containing the input block(s). - * \param needs_padding Set to 0 if the padding bit has already been applied - * to the input data before calling this function. - * Otherwise, set this parameter to 1. + * \param needs_padding Set to 0 if the padding bit has already been + * applied to the input data before calling this + * function. Otherwise, set this parameter to 1. */ static void poly1305_process( mbedtls_poly1305_context *ctx, size_t nblocks, 
@@ -92,14 +92,19 @@ static void poly1305_process( mbedtls_poly1305_context *ctx, acc4 = ctx->acc[4]; /* Process full blocks */ - for ( i = 0U; i < nblocks; i++ ) + for( i = 0U; i < nblocks; i++ ) { - /* Compute: acc += block */ - /* Note that the input block is treated as a 128-bit little-endian integer */ - d0 = (uint64_t) acc0 + BYTES_TO_U32_LE( input, offset + 0 ); - d1 = (uint64_t) acc1 + BYTES_TO_U32_LE( input, offset + 4 ) + ( d0 >> 32U ); - d2 = (uint64_t) acc2 + BYTES_TO_U32_LE( input, offset + 8 ) + ( d1 >> 32U ); - d3 = (uint64_t) acc3 + BYTES_TO_U32_LE( input, offset + 12 ) + ( d2 >> 32U ); + /* The input block is treated as a 128-bit little-endian integer */ + d0 = BYTES_TO_U32_LE( input, offset + 0 ); + d1 = BYTES_TO_U32_LE( input, offset + 4 ); + d2 = BYTES_TO_U32_LE( input, offset + 8 ); + d3 = BYTES_TO_U32_LE( input, offset + 12 ); + + /* Compute: acc += (padded) block as a 130-bit integer */ + d0 += (uint64_t) acc0; + d1 += (uint64_t) acc1 + ( d0 >> 32U ); + d2 += (uint64_t) acc2 + ( d1 >> 32U ); + d3 += (uint64_t) acc3 + ( d2 >> 32U ); acc0 = (uint32_t) d0; acc1 = (uint32_t) d1; acc2 = (uint32_t) d2; @@ -182,7 +187,7 @@ static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx, acc3 = ctx->acc[3]; acc4 = ctx->acc[4]; - /* Before adding 's' we need to ensure that the accumulator is mod 2^130 - 5. + /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5. * We do this by calculating acc - (2^130 - 5), then checking if * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5) */ 
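Review bot: The new comment `/* Compute: acc += (padded) block as a 130-bit integer */` in the `@@ -92,14` hunk promises more than the four lines under it do. They add only the 128 bits loaded into `d0`..`d3`, and the padding bit selected by `needs_padding` is presumably folded into `acc4` after the hunk ends. I would word it as `/* Compute: acc += block (low 128 bits); the padding bit is added to acc4 below */`, to be confirmed against the lines outside the hunk. The new load-then-`+=` form also depends on `d0`..`d3` being 64-bit so that the carries taken with `d0 >> 32U` are not lost. Their declarations are outside the hunk, and a short comment there saying so would protect the next edit.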
@@ -218,27 +223,27 @@ static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx, acc3 += ctx->s[3] + (uint32_t) ( d >> 32U ); /* Compute MAC (128 least significant bits of the accumulator) */ - mac[0] = (unsigned char) acc0; - mac[1] = (unsigned char) ( acc0 >> 8 ); - mac[2] = (unsigned char) ( acc0 >> 16 ); - mac[3] = (unsigned char) ( acc0 >> 24 ); - mac[4] = (unsigned char) acc1; - mac[5] = (unsigned char) ( acc1 >> 8 ); - mac[6] = (unsigned char) ( acc1 >> 16 ); - mac[7] = (unsigned char) ( acc1 >> 24 ); - mac[8] = (unsigned char) acc2; - mac[9] = (unsigned char) ( acc2 >> 8 ); - mac[10] = (unsigned char) ( acc2 >> 16 ); - mac[11] = (unsigned char) ( acc2 >> 24 ); - mac[12] = (unsigned char) acc3; - mac[13] = (unsigned char) ( acc3 >> 8 ); - mac[14] = (unsigned char) ( acc3 >> 16 ); - mac[15] = (unsigned char) ( acc3 >> 24 ); + mac[ 0] = (unsigned char)( acc0 ); + mac[ 1] = (unsigned char)( acc0 >> 8 ); + mac[ 2] = (unsigned char)( acc0 >> 16 ); + mac[ 3] = (unsigned char)( acc0 >> 24 ); + mac[ 4] = (unsigned char)( acc1 ); + mac[ 5] = (unsigned char)( acc1 >> 8 ); + mac[ 6] = (unsigned char)( acc1 >> 16 ); + mac[ 7] = (unsigned char)( acc1 >> 24 ); + mac[ 8] = (unsigned char)( acc2 ); + mac[ 9] = (unsigned char)( acc2 >> 8 ); + mac[10] = (unsigned char)( acc2 >> 16 ); + mac[11] = (unsigned char)( acc2 >> 24 ); + mac[12] = (unsigned char)( acc3 ); + mac[13] = (unsigned char)( acc3 >> 8 ); + mac[14] = (unsigned char)( acc3 >> 16 ); + mac[15] = (unsigned char)( acc3 >> 24 ); } void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx ) { - if ( ctx != NULL ) + if( ctx != NULL ) { mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) ); } @@ -246,7 +251,7 @@ void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx ) void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx ) { - if ( ctx != NULL ) + if( ctx != NULL ) { mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) ); } 
@@ -255,7 +260,7 @@ void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx ) int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx, const unsigned char key[32] ) { - if ( ctx == NULL || key == NULL ) + if( ctx == NULL || key == NULL ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } @@ -294,21 +299,21 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, size_t queue_free_len; size_t nblocks; - if ( ctx == NULL ) + if( ctx == NULL ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - else if ( ( ilen > 0U ) && ( input == NULL ) ) + else if( ( ilen > 0U ) && ( input == NULL ) ) { /* input pointer is allowed to be NULL only if ilen == 0 */ return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } - if ( ( remaining > 0U ) && ( ctx->queue_len > 0U ) ) + if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) ) { queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len ); - if ( ilen < queue_free_len ) + if( ilen < queue_free_len ) { /* Not enough data to complete the block. * Store this data with the other leftovers. @@ -337,7 +342,7 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, } } - if ( remaining >= POLY1305_BLOCK_SIZE_BYTES ) + if( remaining >= POLY1305_BLOCK_SIZE_BYTES ) { nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES; @@ -347,7 +352,7 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, remaining %= POLY1305_BLOCK_SIZE_BYTES; } - if ( remaining > 0U ) + if( remaining > 0U ) { /* Store partial block */ ctx->queue_len = remaining; @@ -360,13 +365,13 @@ int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx, int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx, unsigned char mac[16] ) { - if ( ( ctx == NULL ) || ( mac == NULL ) ) + if( ( ctx == NULL ) || ( mac == NULL ) ) { return( MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA ); } /* Process any leftover data */ - if ( ctx->queue_len > 0U ) + if( ctx->queue_len > 0U ) { /* Add padding bit */ ctx->queue[ctx->queue_len] = 1U; 
@@ -378,7 +383,7 @@ int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx, POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len ); poly1305_process( ctx, 1U, /* Process 1 block */ - ctx->queue, 0U ); /* Don't add padding bit (it was just added above) */ + ctx->queue, 0U ); /* Already padded above */ } poly1305_compute_mac( ctx, mac ); @@ -392,23 +397,23 @@ int mbedtls_poly1305_mac( const unsigned char key[32], unsigned char mac[16] ) { mbedtls_poly1305_context ctx; - int result; + int ret; mbedtls_poly1305_init( &ctx ); - result = mbedtls_poly1305_starts( &ctx, key ); - if ( result != 0 ) + ret = mbedtls_poly1305_starts( &ctx, key ); + if( ret != 0 ) goto cleanup; - result = mbedtls_poly1305_update( &ctx, input, ilen ); - if ( result != 0 ) + ret = mbedtls_poly1305_update( &ctx, input, ilen ); + if( ret != 0 ) goto cleanup; - result = mbedtls_poly1305_finish( &ctx, mac ); + ret = mbedtls_poly1305_finish( &ctx, mac ); cleanup: mbedtls_poly1305_free( &ctx ); - return( result ); + return( ret ); } #endif /* MBEDTLS_POLY1305_ALT */ @@ -495,18 +500,18 @@ int mbedtls_poly1305_self_test( int verbose ) { unsigned char mac[16]; unsigned i; - int result; + int ret; for( i = 0U; i < 2U; i++ ) { if( verbose != 0 ) mbedtls_printf( " Poly1305 test %u ", i ); - result = mbedtls_poly1305_mac( test_keys[i], - test_data[i], - test_data_len[i], - mac ); - ASSERT( 0 == result, ( "error code: %i\n", result ) ); + ret = mbedtls_poly1305_mac( test_keys[i], + test_data[i], + test_data_len[i], + mac ); + ASSERT( 0 == ret, ( "error code: %i\n", ret ) ); ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );