1 /**
2 * \file poly1305.c
3 *
4 * \brief Poly1305 authentication algorithm.
5 *
6 * Copyright The Mbed TLS Contributors
7 * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
8 *
9 * This file is provided under the Apache License 2.0, or the
10 * GNU General Public License v2.0 or later.
11 *
12 * **********
13 * Apache License 2.0:
14 *
15 * Licensed under the Apache License, Version 2.0 (the "License"); you may
16 * not use this file except in compliance with the License.
17 * You may obtain a copy of the License at
18 *
19 * http://www.apache.org/licenses/LICENSE-2.0
20 *
21 * Unless required by applicable law or agreed to in writing, software
22 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
23 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
24 * See the License for the specific language governing permissions and
25 * limitations under the License.
26 *
27 * **********
28 *
29 * **********
30 * GNU General Public License v2.0 or later:
31 *
32 * This program is free software; you can redistribute it and/or modify
33 * it under the terms of the GNU General Public License as published by
34 * the Free Software Foundation; either version 2 of the License, or
35 * (at your option) any later version.
36 *
37 * This program is distributed in the hope that it will be useful,
38 * but WITHOUT ANY WARRANTY; without even the implied warranty of
39 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
40 * GNU General Public License for more details.
41 *
42 * You should have received a copy of the GNU General Public License along
43 * with this program; if not, write to the Free Software Foundation, Inc.,
44 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
45 *
46 * **********
47 */
48 #if !defined(MBEDTLS_CONFIG_FILE)
49 #include "mbedtls/config.h"
50 #else
51 #include MBEDTLS_CONFIG_FILE
52 #endif
53
54 #if defined(MBEDTLS_POLY1305_C)
55
56 #include "mbedtls/poly1305.h"
57 #include "mbedtls/platform_util.h"
58
59 #include <string.h>
60
61 #if defined(MBEDTLS_SELF_TEST)
62 #if defined(MBEDTLS_PLATFORM_C)
63 #include "mbedtls/platform.h"
64 #else
65 #include <stdio.h>
66 #define mbedtls_printf printf
67 #endif /* MBEDTLS_PLATFORM_C */
68 #endif /* MBEDTLS_SELF_TEST */
69
70 #if !defined(MBEDTLS_POLY1305_ALT)
71
72 #if ( defined(__ARMCC_VERSION) || defined(_MSC_VER) ) && \
73 !defined(inline) && !defined(__cplusplus)
74 #define inline __inline
75 #endif
76
77 /* Parameter validation macros */
78 #define POLY1305_VALIDATE_RET( cond ) \
79 MBEDTLS_INTERNAL_VALIDATE_RET( cond, MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA )
80 #define POLY1305_VALIDATE( cond ) \
81 MBEDTLS_INTERNAL_VALIDATE( cond )
82
83 #define POLY1305_BLOCK_SIZE_BYTES ( 16U )
84
85 #define BYTES_TO_U32_LE( data, offset ) \
86 ( (uint32_t) (data)[offset] \
87 | (uint32_t) ( (uint32_t) (data)[( offset ) + 1] << 8 ) \
88 | (uint32_t) ( (uint32_t) (data)[( offset ) + 2] << 16 ) \
89 | (uint32_t) ( (uint32_t) (data)[( offset ) + 3] << 24 ) \
90 )
91
92 /*
93 * Our implementation is tuned for 32-bit platforms with a 64-bit multiplier.
94 * However we provided an alternative for platforms without such a multiplier.
95 */
96 #if defined(MBEDTLS_NO_64BIT_MULTIPLICATION)
mul64(uint32_t a,uint32_t b)97 static uint64_t mul64( uint32_t a, uint32_t b )
98 {
99 /* a = al + 2**16 ah, b = bl + 2**16 bh */
100 const uint16_t al = (uint16_t) a;
101 const uint16_t bl = (uint16_t) b;
102 const uint16_t ah = a >> 16;
103 const uint16_t bh = b >> 16;
104
105 /* ab = al*bl + 2**16 (ah*bl + bl*bh) + 2**32 ah*bh */
106 const uint32_t lo = (uint32_t) al * bl;
107 const uint64_t me = (uint64_t)( (uint32_t) ah * bl ) + (uint32_t) al * bh;
108 const uint32_t hi = (uint32_t) ah * bh;
109
110 return( lo + ( me << 16 ) + ( (uint64_t) hi << 32 ) );
111 }
112 #else
mul64(uint32_t a,uint32_t b)113 static inline uint64_t mul64( uint32_t a, uint32_t b )
114 {
115 return( (uint64_t) a * b );
116 }
117 #endif
118
119
120 /**
121 * \brief Process blocks with Poly1305.
122 *
123 * \param ctx The Poly1305 context.
124 * \param nblocks Number of blocks to process. Note that this
125 * function only processes full blocks.
126 * \param input Buffer containing the input block(s).
127 * \param needs_padding Set to 0 if the padding bit has already been
128 * applied to the input data before calling this
129 * function. Otherwise, set this parameter to 1.
130 */
poly1305_process(mbedtls_poly1305_context * ctx,size_t nblocks,const unsigned char * input,uint32_t needs_padding)131 static void poly1305_process( mbedtls_poly1305_context *ctx,
132 size_t nblocks,
133 const unsigned char *input,
134 uint32_t needs_padding )
135 {
136 uint64_t d0, d1, d2, d3;
137 uint32_t acc0, acc1, acc2, acc3, acc4;
138 uint32_t r0, r1, r2, r3;
139 uint32_t rs1, rs2, rs3;
140 size_t offset = 0U;
141 size_t i;
142
143 r0 = ctx->r[0];
144 r1 = ctx->r[1];
145 r2 = ctx->r[2];
146 r3 = ctx->r[3];
147
148 rs1 = r1 + ( r1 >> 2U );
149 rs2 = r2 + ( r2 >> 2U );
150 rs3 = r3 + ( r3 >> 2U );
151
152 acc0 = ctx->acc[0];
153 acc1 = ctx->acc[1];
154 acc2 = ctx->acc[2];
155 acc3 = ctx->acc[3];
156 acc4 = ctx->acc[4];
157
158 /* Process full blocks */
159 for( i = 0U; i < nblocks; i++ )
160 {
161 /* The input block is treated as a 128-bit little-endian integer */
162 d0 = BYTES_TO_U32_LE( input, offset + 0 );
163 d1 = BYTES_TO_U32_LE( input, offset + 4 );
164 d2 = BYTES_TO_U32_LE( input, offset + 8 );
165 d3 = BYTES_TO_U32_LE( input, offset + 12 );
166
167 /* Compute: acc += (padded) block as a 130-bit integer */
168 d0 += (uint64_t) acc0;
169 d1 += (uint64_t) acc1 + ( d0 >> 32U );
170 d2 += (uint64_t) acc2 + ( d1 >> 32U );
171 d3 += (uint64_t) acc3 + ( d2 >> 32U );
172 acc0 = (uint32_t) d0;
173 acc1 = (uint32_t) d1;
174 acc2 = (uint32_t) d2;
175 acc3 = (uint32_t) d3;
176 acc4 += (uint32_t) ( d3 >> 32U ) + needs_padding;
177
178 /* Compute: acc *= r */
179 d0 = mul64( acc0, r0 ) +
180 mul64( acc1, rs3 ) +
181 mul64( acc2, rs2 ) +
182 mul64( acc3, rs1 );
183 d1 = mul64( acc0, r1 ) +
184 mul64( acc1, r0 ) +
185 mul64( acc2, rs3 ) +
186 mul64( acc3, rs2 ) +
187 mul64( acc4, rs1 );
188 d2 = mul64( acc0, r2 ) +
189 mul64( acc1, r1 ) +
190 mul64( acc2, r0 ) +
191 mul64( acc3, rs3 ) +
192 mul64( acc4, rs2 );
193 d3 = mul64( acc0, r3 ) +
194 mul64( acc1, r2 ) +
195 mul64( acc2, r1 ) +
196 mul64( acc3, r0 ) +
197 mul64( acc4, rs3 );
198 acc4 *= r0;
199
200 /* Compute: acc %= (2^130 - 5) (partial remainder) */
201 d1 += ( d0 >> 32 );
202 d2 += ( d1 >> 32 );
203 d3 += ( d2 >> 32 );
204 acc0 = (uint32_t) d0;
205 acc1 = (uint32_t) d1;
206 acc2 = (uint32_t) d2;
207 acc3 = (uint32_t) d3;
208 acc4 = (uint32_t) ( d3 >> 32 ) + acc4;
209
210 d0 = (uint64_t) acc0 + ( acc4 >> 2 ) + ( acc4 & 0xFFFFFFFCU );
211 acc4 &= 3U;
212 acc0 = (uint32_t) d0;
213 d0 = (uint64_t) acc1 + ( d0 >> 32U );
214 acc1 = (uint32_t) d0;
215 d0 = (uint64_t) acc2 + ( d0 >> 32U );
216 acc2 = (uint32_t) d0;
217 d0 = (uint64_t) acc3 + ( d0 >> 32U );
218 acc3 = (uint32_t) d0;
219 d0 = (uint64_t) acc4 + ( d0 >> 32U );
220 acc4 = (uint32_t) d0;
221
222 offset += POLY1305_BLOCK_SIZE_BYTES;
223 }
224
225 ctx->acc[0] = acc0;
226 ctx->acc[1] = acc1;
227 ctx->acc[2] = acc2;
228 ctx->acc[3] = acc3;
229 ctx->acc[4] = acc4;
230 }
231
232 /**
233 * \brief Compute the Poly1305 MAC
234 *
235 * \param ctx The Poly1305 context.
236 * \param mac The buffer to where the MAC is written. Must be
237 * big enough to contain the 16-byte MAC.
238 */
poly1305_compute_mac(const mbedtls_poly1305_context * ctx,unsigned char mac[16])239 static void poly1305_compute_mac( const mbedtls_poly1305_context *ctx,
240 unsigned char mac[16] )
241 {
242 uint64_t d;
243 uint32_t g0, g1, g2, g3, g4;
244 uint32_t acc0, acc1, acc2, acc3, acc4;
245 uint32_t mask;
246 uint32_t mask_inv;
247
248 acc0 = ctx->acc[0];
249 acc1 = ctx->acc[1];
250 acc2 = ctx->acc[2];
251 acc3 = ctx->acc[3];
252 acc4 = ctx->acc[4];
253
254 /* Before adding 's' we ensure that the accumulator is mod 2^130 - 5.
255 * We do this by calculating acc - (2^130 - 5), then checking if
256 * the 131st bit is set. If it is, then reduce: acc -= (2^130 - 5)
257 */
258
259 /* Calculate acc + -(2^130 - 5) */
260 d = ( (uint64_t) acc0 + 5U );
261 g0 = (uint32_t) d;
262 d = ( (uint64_t) acc1 + ( d >> 32 ) );
263 g1 = (uint32_t) d;
264 d = ( (uint64_t) acc2 + ( d >> 32 ) );
265 g2 = (uint32_t) d;
266 d = ( (uint64_t) acc3 + ( d >> 32 ) );
267 g3 = (uint32_t) d;
268 g4 = acc4 + (uint32_t) ( d >> 32U );
269
270 /* mask == 0xFFFFFFFF if 131st bit is set, otherwise mask == 0 */
271 mask = (uint32_t) 0U - ( g4 >> 2U );
272 mask_inv = ~mask;
273
274 /* If 131st bit is set then acc=g, otherwise, acc is unmodified */
275 acc0 = ( acc0 & mask_inv ) | ( g0 & mask );
276 acc1 = ( acc1 & mask_inv ) | ( g1 & mask );
277 acc2 = ( acc2 & mask_inv ) | ( g2 & mask );
278 acc3 = ( acc3 & mask_inv ) | ( g3 & mask );
279
280 /* Add 's' */
281 d = (uint64_t) acc0 + ctx->s[0];
282 acc0 = (uint32_t) d;
283 d = (uint64_t) acc1 + ctx->s[1] + ( d >> 32U );
284 acc1 = (uint32_t) d;
285 d = (uint64_t) acc2 + ctx->s[2] + ( d >> 32U );
286 acc2 = (uint32_t) d;
287 acc3 += ctx->s[3] + (uint32_t) ( d >> 32U );
288
289 /* Compute MAC (128 least significant bits of the accumulator) */
290 mac[ 0] = (unsigned char)( acc0 );
291 mac[ 1] = (unsigned char)( acc0 >> 8 );
292 mac[ 2] = (unsigned char)( acc0 >> 16 );
293 mac[ 3] = (unsigned char)( acc0 >> 24 );
294 mac[ 4] = (unsigned char)( acc1 );
295 mac[ 5] = (unsigned char)( acc1 >> 8 );
296 mac[ 6] = (unsigned char)( acc1 >> 16 );
297 mac[ 7] = (unsigned char)( acc1 >> 24 );
298 mac[ 8] = (unsigned char)( acc2 );
299 mac[ 9] = (unsigned char)( acc2 >> 8 );
300 mac[10] = (unsigned char)( acc2 >> 16 );
301 mac[11] = (unsigned char)( acc2 >> 24 );
302 mac[12] = (unsigned char)( acc3 );
303 mac[13] = (unsigned char)( acc3 >> 8 );
304 mac[14] = (unsigned char)( acc3 >> 16 );
305 mac[15] = (unsigned char)( acc3 >> 24 );
306 }
307
mbedtls_poly1305_init(mbedtls_poly1305_context * ctx)308 void mbedtls_poly1305_init( mbedtls_poly1305_context *ctx )
309 {
310 POLY1305_VALIDATE( ctx != NULL );
311
312 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
313 }
314
mbedtls_poly1305_free(mbedtls_poly1305_context * ctx)315 void mbedtls_poly1305_free( mbedtls_poly1305_context *ctx )
316 {
317 if( ctx == NULL )
318 return;
319
320 mbedtls_platform_zeroize( ctx, sizeof( mbedtls_poly1305_context ) );
321 }
322
mbedtls_poly1305_starts(mbedtls_poly1305_context * ctx,const unsigned char key[32])323 int mbedtls_poly1305_starts( mbedtls_poly1305_context *ctx,
324 const unsigned char key[32] )
325 {
326 POLY1305_VALIDATE_RET( ctx != NULL );
327 POLY1305_VALIDATE_RET( key != NULL );
328
329 /* r &= 0x0ffffffc0ffffffc0ffffffc0fffffff */
330 ctx->r[0] = BYTES_TO_U32_LE( key, 0 ) & 0x0FFFFFFFU;
331 ctx->r[1] = BYTES_TO_U32_LE( key, 4 ) & 0x0FFFFFFCU;
332 ctx->r[2] = BYTES_TO_U32_LE( key, 8 ) & 0x0FFFFFFCU;
333 ctx->r[3] = BYTES_TO_U32_LE( key, 12 ) & 0x0FFFFFFCU;
334
335 ctx->s[0] = BYTES_TO_U32_LE( key, 16 );
336 ctx->s[1] = BYTES_TO_U32_LE( key, 20 );
337 ctx->s[2] = BYTES_TO_U32_LE( key, 24 );
338 ctx->s[3] = BYTES_TO_U32_LE( key, 28 );
339
340 /* Initial accumulator state */
341 ctx->acc[0] = 0U;
342 ctx->acc[1] = 0U;
343 ctx->acc[2] = 0U;
344 ctx->acc[3] = 0U;
345 ctx->acc[4] = 0U;
346
347 /* Queue initially empty */
348 mbedtls_platform_zeroize( ctx->queue, sizeof( ctx->queue ) );
349 ctx->queue_len = 0U;
350
351 return( 0 );
352 }
353
mbedtls_poly1305_update(mbedtls_poly1305_context * ctx,const unsigned char * input,size_t ilen)354 int mbedtls_poly1305_update( mbedtls_poly1305_context *ctx,
355 const unsigned char *input,
356 size_t ilen )
357 {
358 size_t offset = 0U;
359 size_t remaining = ilen;
360 size_t queue_free_len;
361 size_t nblocks;
362 POLY1305_VALIDATE_RET( ctx != NULL );
363 POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
364
365 if( ( remaining > 0U ) && ( ctx->queue_len > 0U ) )
366 {
367 queue_free_len = ( POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
368
369 if( ilen < queue_free_len )
370 {
371 /* Not enough data to complete the block.
372 * Store this data with the other leftovers.
373 */
374 memcpy( &ctx->queue[ctx->queue_len],
375 input,
376 ilen );
377
378 ctx->queue_len += ilen;
379
380 remaining = 0U;
381 }
382 else
383 {
384 /* Enough data to produce a complete block */
385 memcpy( &ctx->queue[ctx->queue_len],
386 input,
387 queue_free_len );
388
389 ctx->queue_len = 0U;
390
391 poly1305_process( ctx, 1U, ctx->queue, 1U ); /* add padding bit */
392
393 offset += queue_free_len;
394 remaining -= queue_free_len;
395 }
396 }
397
398 if( remaining >= POLY1305_BLOCK_SIZE_BYTES )
399 {
400 nblocks = remaining / POLY1305_BLOCK_SIZE_BYTES;
401
402 poly1305_process( ctx, nblocks, &input[offset], 1U );
403
404 offset += nblocks * POLY1305_BLOCK_SIZE_BYTES;
405 remaining %= POLY1305_BLOCK_SIZE_BYTES;
406 }
407
408 if( remaining > 0U )
409 {
410 /* Store partial block */
411 ctx->queue_len = remaining;
412 memcpy( ctx->queue, &input[offset], remaining );
413 }
414
415 return( 0 );
416 }
417
mbedtls_poly1305_finish(mbedtls_poly1305_context * ctx,unsigned char mac[16])418 int mbedtls_poly1305_finish( mbedtls_poly1305_context *ctx,
419 unsigned char mac[16] )
420 {
421 POLY1305_VALIDATE_RET( ctx != NULL );
422 POLY1305_VALIDATE_RET( mac != NULL );
423
424 /* Process any leftover data */
425 if( ctx->queue_len > 0U )
426 {
427 /* Add padding bit */
428 ctx->queue[ctx->queue_len] = 1U;
429 ctx->queue_len++;
430
431 /* Pad with zeroes */
432 memset( &ctx->queue[ctx->queue_len],
433 0,
434 POLY1305_BLOCK_SIZE_BYTES - ctx->queue_len );
435
436 poly1305_process( ctx, 1U, /* Process 1 block */
437 ctx->queue, 0U ); /* Already padded above */
438 }
439
440 poly1305_compute_mac( ctx, mac );
441
442 return( 0 );
443 }
444
mbedtls_poly1305_mac(const unsigned char key[32],const unsigned char * input,size_t ilen,unsigned char mac[16])445 int mbedtls_poly1305_mac( const unsigned char key[32],
446 const unsigned char *input,
447 size_t ilen,
448 unsigned char mac[16] )
449 {
450 mbedtls_poly1305_context ctx;
451 int ret;
452 POLY1305_VALIDATE_RET( key != NULL );
453 POLY1305_VALIDATE_RET( mac != NULL );
454 POLY1305_VALIDATE_RET( ilen == 0 || input != NULL );
455
456 mbedtls_poly1305_init( &ctx );
457
458 ret = mbedtls_poly1305_starts( &ctx, key );
459 if( ret != 0 )
460 goto cleanup;
461
462 ret = mbedtls_poly1305_update( &ctx, input, ilen );
463 if( ret != 0 )
464 goto cleanup;
465
466 ret = mbedtls_poly1305_finish( &ctx, mac );
467
468 cleanup:
469 mbedtls_poly1305_free( &ctx );
470 return( ret );
471 }
472
473 #endif /* MBEDTLS_POLY1305_ALT */
474
475 #if defined(MBEDTLS_SELF_TEST)
476
477 static const unsigned char test_keys[2][32] =
478 {
479 {
480 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33,
481 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8,
482 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd,
483 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b
484 },
485 {
486 0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
487 0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
488 0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
489 0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0
490 }
491 };
492
493 static const unsigned char test_data[2][127] =
494 {
495 {
496 0x43, 0x72, 0x79, 0x70, 0x74, 0x6f, 0x67, 0x72,
497 0x61, 0x70, 0x68, 0x69, 0x63, 0x20, 0x46, 0x6f,
498 0x72, 0x75, 0x6d, 0x20, 0x52, 0x65, 0x73, 0x65,
499 0x61, 0x72, 0x63, 0x68, 0x20, 0x47, 0x72, 0x6f,
500 0x75, 0x70
501 },
502 {
503 0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
504 0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
505 0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
506 0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
507 0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
508 0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
509 0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
510 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
511 0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
512 0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
513 0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
514 0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
515 0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
516 0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
517 0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
518 0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e
519 }
520 };
521
522 static const size_t test_data_len[2] =
523 {
524 34U,
525 127U
526 };
527
528 static const unsigned char test_mac[2][16] =
529 {
530 {
531 0xa8, 0x06, 0x1d, 0xc1, 0x30, 0x51, 0x36, 0xc6,
532 0xc2, 0x2b, 0x8b, 0xaf, 0x0c, 0x01, 0x27, 0xa9
533 },
534 {
535 0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
536 0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62
537 }
538 };
539
540 #define ASSERT( cond, args ) \
541 do \
542 { \
543 if( ! ( cond ) ) \
544 { \
545 if( verbose != 0 ) \
546 mbedtls_printf args; \
547 \
548 return( -1 ); \
549 } \
550 } \
551 while( 0 )
552
mbedtls_poly1305_self_test(int verbose)553 int mbedtls_poly1305_self_test( int verbose )
554 {
555 unsigned char mac[16];
556 unsigned i;
557 int ret;
558
559 for( i = 0U; i < 2U; i++ )
560 {
561 if( verbose != 0 )
562 mbedtls_printf( " Poly1305 test %u ", i );
563
564 ret = mbedtls_poly1305_mac( test_keys[i],
565 test_data[i],
566 test_data_len[i],
567 mac );
568 ASSERT( 0 == ret, ( "error code: %i\n", ret ) );
569
570 ASSERT( 0 == memcmp( mac, test_mac[i], 16U ), ( "failed (mac)\n" ) );
571
572 if( verbose != 0 )
573 mbedtls_printf( "passed\n" );
574 }
575
576 if( verbose != 0 )
577 mbedtls_printf( "\n" );
578
579 return( 0 );
580 }
581
582 #endif /* MBEDTLS_SELF_TEST */
583
584 #endif /* MBEDTLS_POLY1305_C */
585