X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/8c5956c14f5834a072e1a9345ae1f356b14164ca..HEAD:/symm/poly1305.c
diff --git a/symm/poly1305.c b/symm/poly1305.c
index c4a88a84..39c832f8 100644
--- a/symm/poly1305.c
+++ b/symm/poly1305.c
@@ -679,9 +679,9 @@ void poly1305_concat(poly1305_ctx *ctx,
#define BIT (1ul << (ULONG_BITS - 1)) if (n) { i = ULONG_BITS;
- while (!(n & BIT)) { n <<= 1; i--; }
+ while (!(n&BIT)) { n <<= 1; i--; }
mul_r(prefix, x, x); n <<= 1; i--;
- while (i--) { sqr(x, x); if (n & BIT) mul_r(prefix, x, x); n <<= 1; }
+ while (i--) { sqr(x, x); if (n&BIT) mul_r(prefix, x, x); n <<= 1; }
}
#undef BIT
mul(x, prefix->u.P.h, x);
@@ -789,10 +789,10 @@ void poly1305_done(poly1305_ctx *ctx, void *h) /* Convert this mess back into 32-bit words. We lose the top two bits, * but that's fine. */
- h0 = (h0 >> 0) | ((h1 & 0x0000003f) << 26);
- h1 = (h1 >> 6) | ((h2 & 0x00000fff) << 20);
- h2 = (h2 >> 12) | ((h3 & 0x0003ffff) << 14);
- h3 = (h3 >> 18) | ((h4 & 0x00ffffff) << 8);
+ h0 = (h0 >> 0) | ((h1&0x0000003f) << 26);
+ h1 = (h1 >> 6) | ((h2&0x00000fff) << 20);
+ h2 = (h2 >> 12) | ((h3&0x0003ffff) << 14);
+ h3 = (h3 >> 18) | ((h4&0x00ffffff) << 8);
/* All done. */ STORE32_L(p + 0, h0); STORE32_L(p + 4, h1);
@@ -861,6 +861,7 @@ void poly1305_done(poly1305_ctx *ctx, void *h)
#ifdef TEST_RIG
+#include
#include "ct.h"
@@ -888,7 +889,7 @@ static int vrf_hash(dstr v[]) poly1305_hash(&ctx, v[2].buf + j, v[2].len - j); poly1305_done(&ctx, t.buf); ct_remedy(t.buf, t.len);
- if (memcmp(t.buf, v[3].buf, 16) != 0) {
+ if (MEMCMP(t.buf, !=, v[3].buf, 16)) {
fprintf(stderr, "failed..."); fprintf(stderr, "\n\tkey = "); type_hex.dump(&v[0], stderr); fprintf(stderr, "\n\tmask = "); type_hex.dump(&v[1], stderr);
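Review bot: The new compare `MEMCMP(t.buf, !=, v[3].buf, 16)` reads 16 bytes of the expected-tag vector without the hunk checking `v[3].len`, so a short or malformed vector is compared against whatever follows in the dstr buffer instead of being rejected; the same applies to `v[5]` in the vrf_cat hunk at @@ -932. vrf_mct in this same commit validates every fixed-size input up front (`if (v[6].len != 16) { fprintf(stderr, "result len\n"); exit(2); }`), and a matching `if (v[3].len != 16) { fprintf(stderr, "tag len\n"); exit(2); }` before the compare would make the three verifiers consistent. vrf_hash's start, where such a check may already live, is outside the hunk. Separately, the added `+#include` line at @@ -861 has lost its header name in this rendering, so it cannot be confirmed here that the header defining `MEMCMP` is the one being included.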
@@ -932,7 +933,7 @@ static int vrf_cat(dstr v[]) poly1305_concat(&ctx, &ctx, &cc[2]); } poly1305_done(&ctx, t.buf);
- if (memcmp(t.buf, v[5].buf, 16) != 0) {
+ if (MEMCMP(t.buf, !=, v[5].buf, 16)) {
fprintf(stderr, "failed..."); fprintf(stderr, "\n\tkey = "); type_hex.dump(&v[0], stderr); fprintf(stderr, "\n\tmask = "); type_hex.dump(&v[1], stderr);
@@ -955,27 +956,38 @@ static int vrf_cat(dstr v[]) static int vrf_mct(dstr v[]) { unsigned j, msz;
- unsigned long i, niter;
+ unsigned long i, start_iter, end_iter;
rijndael_ecbctx rij; poly1305_key key; poly1305_ctx mac;
- dstr d = DSTR_INIT;
- octet k[16], r[16], n[16], s[16], *t, m[MSZMAX] = { 0 };
+ dstr dk = DSTR_INIT, dr = DSTR_INIT, dn = DSTR_INIT,
+ dt = DSTR_INIT, dm = DSTR_INIT;
+ octet *k, *r, s[16], *n, *t, *m;
int ok = 1;
- if (v[0].len != sizeof(k)) { fprintf(stderr, "AES key len\n"); exit(2); }
- if (v[1].len != sizeof(r)) { fprintf(stderr, "poly key len\n"); exit(2); }
- if (v[2].len != sizeof(n)) { fprintf(stderr, "nonce len\n"); exit(2); }
- if (v[4].len != sizeof(n)) { fprintf(stderr, "result len\n"); exit(2); }
- memcpy(k, v[0].buf, sizeof(k));
- memcpy(r, v[1].buf, sizeof(k));
- memcpy(n, v[2].buf, sizeof(k));
- niter = *(unsigned long *)v[3].buf;
- dstr_ensure(&d, 16); d.len = 16; t = (octet *)d.buf;
-
- rijndael_ecbinit(&rij, k, sizeof(k), 0);
- poly1305_keyinit(&key, r, sizeof(r));
- for (i = 0; i < niter; i++) {
+ DENSURE(&dk, 16); k = (octet *)dk.buf; dk.len = 16;
+ DENSURE(&dr, 16); r = (octet *)dr.buf; dr.len = 16;
+ DENSURE(&dn, 16); n = (octet *)dn.buf; dn.len = 16;
+ DENSURE(&dt, 16); t = (octet *)dt.buf; dt.len = 16;
+ DENSURE(&dm, MSZMAX); m = (octet *)dm.buf; dm.len = MSZMAX;
+ memset(m, 0, MSZMAX);
+
+ if (v[0].len != 16) { fprintf(stderr, "AES key len\n"); exit(2); }
+ if (v[1].len != 16) { fprintf(stderr, "poly key len\n"); exit(2); }
+ if (v[2].len != 16) { fprintf(stderr, "nonce len\n"); exit(2); }
+ if (v[3].len != MSZMAX) { fprintf(stderr, "msgbuf len\n"); exit(2); }
+ if (v[6].len != 16) { fprintf(stderr, "result len\n"); exit(2); }
+ memcpy(k, v[0].buf, 16);
+ memcpy(r, v[1].buf, 16);
+ memcpy(n, v[2].buf, 16);
+ memcpy(m, v[3].buf, MSZMAX);
+ start_iter = *(unsigned long *)v[4].buf;
+ end_iter = *(unsigned long *)v[5].buf;
+ if (end_iter < start_iter) { fprintf(stderr, "iter bounds\n"); exit(2); }
+
+ rijndael_ecbinit(&rij, k, 16, 0);
+ poly1305_keyinit(&key, r, 16);
+ for (i = start_iter; i < end_iter; i++) {
msz = 0; for (;;) { rijndael_ecbencrypt(&rij, n, s, 16);
@@ -987,29 +999,39 @@ static int vrf_mct(dstr v[]) for (j = 0; j < 16; j++) n[j] ^= t[j]; if (msz%2) { for (j = 0; j < 16; j++) k[j] ^= t[j];
- rijndael_ecbinit(&rij, k, sizeof(k), 0);
+ rijndael_ecbinit(&rij, k, 16, 0);
} if (msz%3) { for (j = 0; j < 16; j++) r[j] ^= t[j];
- poly1305_keyinit(&key, r, sizeof(r));
+ poly1305_keyinit(&key, r, 16);
} m[msz++] ^= t[0]; } }
- if (memcmp(t, v[4].buf, 16) != 0) {
+ if (MEMCMP(t, !=, v[6].buf, 16)) {
ok = 0; fprintf(stderr, "failed..."); fprintf(stderr, "\n\tinitial k = "); type_hex.dump(&v[0], stderr); fprintf(stderr, "\n\tinitial r = "); type_hex.dump(&v[1], stderr); fprintf(stderr, "\n\tinitial n = "); type_hex.dump(&v[2], stderr);
- fprintf(stderr, "\n\titerations = %lu", niter);
- fprintf(stderr, "\n\texpected = "); type_hex.dump(&v[4], stderr);
- fprintf(stderr, "\n\tcalculated = "); type_hex.dump(&d, stderr);
+ fprintf(stderr, "\n\tinitial m = "); type_hex.dump(&v[3], stderr);
+ fprintf(stderr, "\n\tstart iter = %lu", start_iter);
+ fprintf(stderr, "\n\tend iter = %lu", end_iter);
+ fprintf(stderr, "\n\tfinal k = "); type_hex.dump(&dk, stderr);
+ fprintf(stderr, "\n\tfinal r = "); type_hex.dump(&dr, stderr);
+ fprintf(stderr, "\n\tfinal n = "); type_hex.dump(&dn, stderr);
+ fprintf(stderr, "\n\tfinal m = "); type_hex.dump(&dm, stderr);
+ fprintf(stderr, "\n\texpected = "); type_hex.dump(&v[6], stderr);
+ fprintf(stderr, "\n\tcalculated = "); type_hex.dump(&dt, stderr);
fputc('\n', stderr); }
- dstr_destroy(&d);
+ dstr_destroy(&dk);
+ dstr_destroy(&dr);
+ dstr_destroy(&dn);
+ dstr_destroy(&dt);
+ dstr_destroy(&dm);
return (ok); }
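Review bot: `memset(m, 0, MSZMAX)` after the `DENSURE(&dm, MSZMAX)` line is dead code once `if (v[3].len != MSZMAX)` exits and `memcpy(m, v[3].buf, MSZMAX)` overwrites every byte, and the five `DENSURE` allocations now precede the length checks, so each `exit(2)` path leaves them allocated (harmless at exit, but it inverts the check-then-allocate order the old code had). Moving the five `v[i].len` checks and the `end_iter < start_iter` check ahead of the `DENSURE` block and dropping the memset keeps the validate-first shape. `start_iter = *(unsigned long *)v[4].buf;` carries over the old `niter` cast; if the harness's `type_ulong` stores a raw `unsigned long` in the dstr buffer this is fine, otherwise `memcpy(&start_iter, v[4].buf, sizeof start_iter)` is the alignment- and aliasing-safe way to read it. The inner `for (;;)` body, where `msz` would have to be bounded against MSZMAX before `m[msz++] ^= t[0]`, lies between this hunk and @@ -987 and is not visible here.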
@@ -1019,7 +1041,8 @@ static const struct test_chunk tests[] = { { "poly1305-cat", vrf_cat, { &type_hex, &type_hex, &type_hex, &type_hex, &type_hex, &type_hex } }, { "poly1305-mct", vrf_mct,
- { &type_hex, &type_hex, &type_hex, &type_ulong, &type_hex } },
+ { &type_hex, &type_hex, &type_hex, &type_hex,
+ &type_ulong, &type_ulong, &type_hex } },
{ 0, 0, { 0 } } };