#include <stdint.h>
#include <assert.h>

asm(".arch armv8.4-a");

void do_test(uint64_t value)
{
    uint64_t salt1, salt2;
    uint64_t encode, decode;

    /*
     * With TBI enabled and a 48-bit VA, there are 7 bits of auth,
     * and so a 1/128 chance of encode = pac(value,key,salt) producing
     * an auth for which leaves value unchanged.
     * Iterate until we find a salt for which encode != value.
     */
    for (salt1 = 1; ; salt1++) {
        asm volatile("pacda %0, %2" : "=r"(encode) : "0"(value), "r"(salt1));
        if (encode != value) {
            break;
        }
    }

    /* A valid salt must produce a valid authorization.  */
    asm volatile("autda %0, %2" : "=r"(decode) : "0"(encode), "r"(salt1));
    assert(decode == value);

    /*
     * An invalid salt usually fails authorization, but again there
     * is a chance of choosing another salt that works.
     * Iterate until we find another salt which does fail.
     */
    for (salt2 = salt1 + 1; ; salt2++) {
        asm volatile("autda %0, %2" : "=r"(decode) : "0"(encode), "r"(salt2));
        if (decode != value) {
            break;
        }
    }

    /* The VA bits, bit 55, and the TBI bits, should be unchanged.  */
    assert(((decode ^ value) & 0xff80ffffffffffffull) == 0);

    /*
     * Bits [54:53] are an error indicator based on the key used;
     * the DA key above is keynumber 0, so error == 0b01.  Otherwise
     * bit 55 of the original is sign-extended into the rest of the auth.
     */
    if ((value >> 55) & 1) {
        assert(((decode >> 48) & 0xff) == 0b10111111);
    } else {
        assert(((decode >> 48) & 0xff) == 0b00100000);
    }
}

int main()
{
    do_test(0);
    do_test(-1);
    do_test(0xda004acedeadbeefull);
    return 0;
}