+#define MSZMAX 1000
+
+static int vrf_mct(dstr v[])
+{
+ unsigned j, msz;
+ unsigned long i, start_iter, end_iter;
+ rijndael_ecbctx rij;
+ poly1305_key key;
+ poly1305_ctx mac;
+ dstr dk = DSTR_INIT, dr = DSTR_INIT, dn = DSTR_INIT,
+ dt = DSTR_INIT, dm = DSTR_INIT;
+ octet *k, *r, s[16], *n, *t, *m;
+ int ok = 1;
+
+ DENSURE(&dk, 16); k = (octet *)dk.buf; dk.len = 16;
+ DENSURE(&dr, 16); r = (octet *)dr.buf; dr.len = 16;
+ DENSURE(&dn, 16); n = (octet *)dn.buf; dn.len = 16;
+ DENSURE(&dt, 16); t = (octet *)dt.buf; dt.len = 16;
+ DENSURE(&dm, MSZMAX); m = (octet *)dm.buf; dm.len = MSZMAX;
+ memset(m, 0, MSZMAX);
+
+ if (v[0].len != 16) { fprintf(stderr, "AES key len\n"); exit(2); }
+ if (v[1].len != 16) { fprintf(stderr, "poly key len\n"); exit(2); }
+ if (v[2].len != 16) { fprintf(stderr, "nonce len\n"); exit(2); }
+ if (v[3].len != MSZMAX) { fprintf(stderr, "msgbuf len\n"); exit(2); }
+ if (v[6].len != 16) { fprintf(stderr, "result len\n"); exit(2); }
+ memcpy(k, v[0].buf, 16);
+ memcpy(r, v[1].buf, 16);
+ memcpy(n, v[2].buf, 16);
+ memcpy(m, v[3].buf, MSZMAX);
+ start_iter = *(unsigned long *)v[4].buf;
+ end_iter = *(unsigned long *)v[5].buf;
+ if (end_iter < start_iter) { fprintf(stderr, "iter bounds\n"); exit(2); }
+
+ rijndael_ecbinit(&rij, k, 16, 0);
+ poly1305_keyinit(&key, r, 16);
+ for (i = start_iter; i < end_iter; i++) {
+ msz = 0;
+ for (;;) {
+ rijndael_ecbencrypt(&rij, n, s, 16);
+ poly1305_macinit(&mac, &key, s);
+ poly1305_hash(&mac, m, msz);
+ poly1305_done(&mac, t);
+ if (msz >= MSZMAX) break;
+ n[0] ^= i&0xff;
+ for (j = 0; j < 16; j++) n[j] ^= t[j];
+ if (msz%2) {
+ for (j = 0; j < 16; j++) k[j] ^= t[j];
+ rijndael_ecbinit(&rij, k, 16, 0);
+ }
+ if (msz%3) {
+ for (j = 0; j < 16; j++) r[j] ^= t[j];
+ poly1305_keyinit(&key, r, 16);
+ }
+ m[msz++] ^= t[0];
+ }
+ }
+
+ if (MEMCMP(t, !=, v[6].buf, 16)) {
+ ok = 0;
+ fprintf(stderr, "failed...");
+ fprintf(stderr, "\n\tinitial k = "); type_hex.dump(&v[0], stderr);
+ fprintf(stderr, "\n\tinitial r = "); type_hex.dump(&v[1], stderr);
+ fprintf(stderr, "\n\tinitial n = "); type_hex.dump(&v[2], stderr);
+ fprintf(stderr, "\n\tinitial m = "); type_hex.dump(&v[3], stderr);
+ fprintf(stderr, "\n\tstart iter = %lu", start_iter);
+ fprintf(stderr, "\n\tend iter = %lu", end_iter);
+ fprintf(stderr, "\n\tfinal k = "); type_hex.dump(&dk, stderr);
+ fprintf(stderr, "\n\tfinal r = "); type_hex.dump(&dr, stderr);
+ fprintf(stderr, "\n\tfinal n = "); type_hex.dump(&dn, stderr);
+ fprintf(stderr, "\n\tfinal m = "); type_hex.dump(&dm, stderr);
+ fprintf(stderr, "\n\texpected = "); type_hex.dump(&v[6], stderr);
+ fprintf(stderr, "\n\tcalculated = "); type_hex.dump(&dt, stderr);
+ fputc('\n', stderr);
+ }
+
+ dstr_destroy(&dk);
+ dstr_destroy(&dr);
+ dstr_destroy(&dn);
+ dstr_destroy(&dt);
+ dstr_destroy(&dm);
+ return (ok);
+}
+
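Review bot: The bounds check `if (end_iter < start_iter)` in vrf_mct lets an empty range (`start_iter == end_iter`) through. In that case the outer loop never runs, `t` is never written by poly1305_done, and the final `MEMCMP(t, !=, v[6].buf, 16)` compares indeterminate bytes from the freshly DENSUREd buffer. Rejecting that case as well, `if (end_iter <= start_iter) { fprintf(stderr, "iter bounds\n"); exit(2); }`, makes a malformed vector fail loudly instead of passing or failing on leftover heap contents. Separately, `v[4]` and `v[5]` are read through `*(unsigned long *)` casts with no length check, unlike the other five fields. If the vector field type (not visible here) does not guarantee `sizeof(unsigned long)` bytes, checking `v[4].len` and `v[5].len` alongside the others would close that gap.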