  1. //
  2. // poly1305.go: Poly1305 MAC known answer tests.
  3. //
  4. // To the extent possible under law, Yawning Angel waived all copyright
  5. // and related or neighboring rights to poly1305, using the creative
  6. // commons "CC0" public domain dedication. See LICENSE or
  7. // <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
  8. package poly1305
  9. import (
  10. "bytes"
  11. "testing"
  12. )
  13. // Shamelessly stolen from poly1305-donna.c:poly1305_power_on_self_test()
// TestNaCl runs a single known-answer vector (key, 131-byte message, tag)
// through the streaming interface returned by New: once with the whole
// message in a single Write, and once with the message fed in uneven pieces.
// Both runs must produce the same expected tag.
func TestNaCl(t *testing.T) {
	naclKey := []byte{
		0xee, 0xa6, 0xa7, 0x25, 0x1c, 0x1e, 0x72, 0x91,
		0x6d, 0x11, 0xc2, 0xcb, 0x21, 0x4d, 0x3c, 0x25,
		0x25, 0x39, 0x12, 0x1d, 0x8e, 0x23, 0x4e, 0x65,
		0x2d, 0x65, 0x1f, 0xa4, 0xc8, 0xcf, 0xf8, 0x80,
	}
	naclMsg := []byte{
		0x8e, 0x99, 0x3b, 0x9f, 0x48, 0x68, 0x12, 0x73,
		0xc2, 0x96, 0x50, 0xba, 0x32, 0xfc, 0x76, 0xce,
		0x48, 0x33, 0x2e, 0xa7, 0x16, 0x4d, 0x96, 0xa4,
		0x47, 0x6f, 0xb8, 0xc5, 0x31, 0xa1, 0x18, 0x6a,
		0xc0, 0xdf, 0xc1, 0x7c, 0x98, 0xdc, 0xe8, 0x7b,
		0x4d, 0xa7, 0xf0, 0x11, 0xec, 0x48, 0xc9, 0x72,
		0x71, 0xd2, 0xc2, 0x0f, 0x9b, 0x92, 0x8f, 0xe2,
		0x27, 0x0d, 0x6f, 0xb8, 0x63, 0xd5, 0x17, 0x38,
		0xb4, 0x8e, 0xee, 0xe3, 0x14, 0xa7, 0xcc, 0x8a,
		0xb9, 0x32, 0x16, 0x45, 0x48, 0xe5, 0x26, 0xae,
		0x90, 0x22, 0x43, 0x68, 0x51, 0x7a, 0xcf, 0xea,
		0xbd, 0x6b, 0xb3, 0x73, 0x2b, 0xc0, 0xe9, 0xda,
		0x99, 0x83, 0x2b, 0x61, 0xca, 0x01, 0xb6, 0xde,
		0x56, 0x24, 0x4a, 0x9e, 0x88, 0xd5, 0xf9, 0xb3,
		0x79, 0x73, 0xf6, 0x22, 0xa4, 0x3d, 0x14, 0xa6,
		0x59, 0x9b, 0x1f, 0x65, 0x4c, 0xb4, 0x5a, 0x74,
		0xe3, 0x55, 0xa5,
	}
	naclMac := []byte{
		0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5,
		0x2a, 0x7d, 0xfb, 0x4b, 0x3d, 0x33, 0x05, 0xd9,
	}

	// Pass 1: the whole message in one Write call.
	oneshot, err := New(naclKey)
	if err != nil {
		t.Fatal(err)
	}
	written, err := oneshot.Write(naclMsg)
	if err != nil {
		t.Fatal(err)
	}
	if written != len(naclMsg) {
		t.Fatalf("h.Write() returned unexpected length: %d", written)
	}
	if got := oneshot.Sum(nil); !bytes.Equal(got, naclMac) {
		t.Fatalf("mac != naclMac")
	}

	// Pass 2: the same message split into consecutive pieces of these
	// sizes (they add up to the 131-byte message). The sizes are not all
	// multiples of 16, so the implementation has to buffer partial input
	// between Write calls.
	incremental, err := New(naclKey)
	if err != nil {
		t.Fatal(err)
	}
	off := 0
	for i, sz := range []int{32, 64, 16, 8, 4, 2, 1, 1, 1, 1, 1} {
		n, err := incremental.Write(naclMsg[off : off+sz])
		if err != nil {
			t.Fatalf("[%d]: h.Write(): %s", i, err)
		}
		if n != sz {
			t.Fatalf("[%d]: h.Write(): %d (expected: %d)", i, n, sz)
		}
		off += sz
	}
	if got := incremental.Sum(nil); !bytes.Equal(got, naclMac) {
		t.Fatalf("mac != naclMac")
	}
}
// TestWrap checks the one-shot Sum on an input whose accumulator ends at
// 2^130 - 2, which is congruent to 3 modulo 2^130 - 5; the expected tag is
// therefore 3. The key, message and tag are the same bytes as Test Vector #5
// in TestIETFDraft.
func TestWrap(t *testing.T) {
	// Only the first key byte is non-zero; the remaining bytes keep their
	// zero value.
	key := [KeySize]byte{0x02}
	// Sixteen 0xff bytes.
	msg := bytes.Repeat([]byte{0xff}, 16)
	want := [Size]byte{0x03}

	var got [Size]byte
	Sum(&got, msg, &key)
	if !bytes.Equal(got[:], want[:]) {
		t.Fatalf("mac != wrapMac")
	}
}
// TestTotal computes a "MAC of MACs": for every length i from 0 through 255
// it tags an i-byte message under a key where every key and message byte
// equals byte(i), and feeds each resulting tag into an outer streaming MAC
// keyed with totalKey. The outer tag must match totalMac.
func TestTotal(t *testing.T) {
	totalKey := []byte{
		0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
		0xff, 0xfe, 0xfd, 0xfc, 0xfb, 0xfa, 0xf9,
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
		0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
		0x00, 0x00, 0x00, 0x00,
	}
	totalMac := []byte{
		0x64, 0xaf, 0xe2, 0xe8, 0xd6, 0xad, 0x7b, 0xbd,
		0xd2, 0x87, 0xf9, 0x7c, 0x44, 0x62, 0x3d, 0x39,
	}

	outer, err := New(totalKey)
	if err != nil {
		t.Fatal(err)
	}

	var innerKey [KeySize]byte
	scratch := make([]byte, 256)
	for i := 0; i < 256; i++ {
		// Key and the first i message bytes all take the value byte(i).
		fill := byte(i)
		for k := range innerKey {
			innerKey[k] = fill
		}
		msg := scratch[:i]
		for k := range msg {
			msg[k] = fill
		}

		var inner [Size]byte
		Sum(&inner, msg, &innerKey)

		n, err := outer.Write(inner[:])
		if err != nil {
			t.Fatalf("[%d]: h.Write(): %s", i, err)
		}
		if n != len(inner) {
			t.Fatalf("[%d]: h.Write(): %d (expected: %d)", i, n, len(inner))
		}
	}

	if got := outer.Sum(nil); !bytes.Equal(got, totalMac) {
		t.Fatalf("mac != totalMac")
	}
}
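// TestIETFDraft runs the Poly1305 test vectors from
// draft-irtf-cfrg-chacha20-poly1305-07 through Sum and Verify.
//
// For every vector it checks that Sum produces the expected tag, that Verify
// accepts the expected tag, and that Verify rejects the same tag with a
// single bit flipped. The rejection check matters for a MAC: a Verify that
// always returned true would satisfy the acceptance checks alone.
//
// NOTE(review): these checks say nothing about whether Verify compares tags
// in constant time; that has to be confirmed in the implementation.
func TestIETFDraft(t *testing.T) {
	// Test vectors taken from:
	// https://www.ietf.org/id/draft-irtf-cfrg-chacha20-poly1305-07.txt
	vectors := []struct {
		key [KeySize]byte
		m   []byte
		tag [Size]byte
	}{
		// Test Vector #1
		{
			[KeySize]byte{},
			[]byte{
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[Size]byte{},
		},
		// Test Vector #2
		{
			[KeySize]byte{
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x36, 0xe5, 0xf6, 0xb5, 0xc5, 0xe0, 0x60, 0x70,
				0xf0, 0xef, 0xca, 0x96, 0x22, 0x7a, 0x86, 0x3e,
			},
			[]byte{
				0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
				0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
				0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
				0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
				0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
				0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
				0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
				0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
				0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
				0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
				0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
				0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
				0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
				0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
				0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
				0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
				0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
				0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
				0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
				0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
				0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
				0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
				0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
				0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
				0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
				0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
				0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
				0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
				0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
				0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
				0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
				0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
				0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
				0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
				0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
				0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
				0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
				0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
				0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
				0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
				0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
				0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
				0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
				0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
				0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
				0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
				0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f,
			},
			[Size]byte{
				0x36, 0xe5, 0xf6, 0xb5, 0xc5, 0xe0, 0x60, 0x70,
				0xf0, 0xef, 0xca, 0x96, 0x22, 0x7a, 0x86, 0x3e,
			},
		},
		// Test Vector #3
		{
			[KeySize]byte{
				0x36, 0xe5, 0xf6, 0xb5, 0xc5, 0xe0, 0x60, 0x70,
				0xf0, 0xef, 0xca, 0x96, 0x22, 0x7a, 0x86, 0x3e,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[]byte{
				0x41, 0x6e, 0x79, 0x20, 0x73, 0x75, 0x62, 0x6d,
				0x69, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x20, 0x74,
				0x6f, 0x20, 0x74, 0x68, 0x65, 0x20, 0x49, 0x45,
				0x54, 0x46, 0x20, 0x69, 0x6e, 0x74, 0x65, 0x6e,
				0x64, 0x65, 0x64, 0x20, 0x62, 0x79, 0x20, 0x74,
				0x68, 0x65, 0x20, 0x43, 0x6f, 0x6e, 0x74, 0x72,
				0x69, 0x62, 0x75, 0x74, 0x6f, 0x72, 0x20, 0x66,
				0x6f, 0x72, 0x20, 0x70, 0x75, 0x62, 0x6c, 0x69,
				0x63, 0x61, 0x74, 0x69, 0x6f, 0x6e, 0x20, 0x61,
				0x73, 0x20, 0x61, 0x6c, 0x6c, 0x20, 0x6f, 0x72,
				0x20, 0x70, 0x61, 0x72, 0x74, 0x20, 0x6f, 0x66,
				0x20, 0x61, 0x6e, 0x20, 0x49, 0x45, 0x54, 0x46,
				0x20, 0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x65,
				0x74, 0x2d, 0x44, 0x72, 0x61, 0x66, 0x74, 0x20,
				0x6f, 0x72, 0x20, 0x52, 0x46, 0x43, 0x20, 0x61,
				0x6e, 0x64, 0x20, 0x61, 0x6e, 0x79, 0x20, 0x73,
				0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e, 0x74,
				0x20, 0x6d, 0x61, 0x64, 0x65, 0x20, 0x77, 0x69,
				0x74, 0x68, 0x69, 0x6e, 0x20, 0x74, 0x68, 0x65,
				0x20, 0x63, 0x6f, 0x6e, 0x74, 0x65, 0x78, 0x74,
				0x20, 0x6f, 0x66, 0x20, 0x61, 0x6e, 0x20, 0x49,
				0x45, 0x54, 0x46, 0x20, 0x61, 0x63, 0x74, 0x69,
				0x76, 0x69, 0x74, 0x79, 0x20, 0x69, 0x73, 0x20,
				0x63, 0x6f, 0x6e, 0x73, 0x69, 0x64, 0x65, 0x72,
				0x65, 0x64, 0x20, 0x61, 0x6e, 0x20, 0x22, 0x49,
				0x45, 0x54, 0x46, 0x20, 0x43, 0x6f, 0x6e, 0x74,
				0x72, 0x69, 0x62, 0x75, 0x74, 0x69, 0x6f, 0x6e,
				0x22, 0x2e, 0x20, 0x53, 0x75, 0x63, 0x68, 0x20,
				0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
				0x74, 0x73, 0x20, 0x69, 0x6e, 0x63, 0x6c, 0x75,
				0x64, 0x65, 0x20, 0x6f, 0x72, 0x61, 0x6c, 0x20,
				0x73, 0x74, 0x61, 0x74, 0x65, 0x6d, 0x65, 0x6e,
				0x74, 0x73, 0x20, 0x69, 0x6e, 0x20, 0x49, 0x45,
				0x54, 0x46, 0x20, 0x73, 0x65, 0x73, 0x73, 0x69,
				0x6f, 0x6e, 0x73, 0x2c, 0x20, 0x61, 0x73, 0x20,
				0x77, 0x65, 0x6c, 0x6c, 0x20, 0x61, 0x73, 0x20,
				0x77, 0x72, 0x69, 0x74, 0x74, 0x65, 0x6e, 0x20,
				0x61, 0x6e, 0x64, 0x20, 0x65, 0x6c, 0x65, 0x63,
				0x74, 0x72, 0x6f, 0x6e, 0x69, 0x63, 0x20, 0x63,
				0x6f, 0x6d, 0x6d, 0x75, 0x6e, 0x69, 0x63, 0x61,
				0x74, 0x69, 0x6f, 0x6e, 0x73, 0x20, 0x6d, 0x61,
				0x64, 0x65, 0x20, 0x61, 0x74, 0x20, 0x61, 0x6e,
				0x79, 0x20, 0x74, 0x69, 0x6d, 0x65, 0x20, 0x6f,
				0x72, 0x20, 0x70, 0x6c, 0x61, 0x63, 0x65, 0x2c,
				0x20, 0x77, 0x68, 0x69, 0x63, 0x68, 0x20, 0x61,
				0x72, 0x65, 0x20, 0x61, 0x64, 0x64, 0x72, 0x65,
				0x73, 0x73, 0x65, 0x64, 0x20, 0x74, 0x6f,
			},
			[Size]byte{
				0xf3, 0x47, 0x7e, 0x7c, 0xd9, 0x54, 0x17, 0xaf,
				0x89, 0xa6, 0xb8, 0x79, 0x4c, 0x31, 0x0c, 0xf0,
			},
		},
		// Test Vector #4
		{
			[KeySize]byte{
				0x1c, 0x92, 0x40, 0xa5, 0xeb, 0x55, 0xd3, 0x8a,
				0xf3, 0x33, 0x88, 0x86, 0x04, 0xf6, 0xb5, 0xf0,
				0x47, 0x39, 0x17, 0xc1, 0x40, 0x2b, 0x80, 0x09,
				0x9d, 0xca, 0x5c, 0xbc, 0x20, 0x70, 0x75, 0xc0,
			},
			[]byte{
				0x27, 0x54, 0x77, 0x61, 0x73, 0x20, 0x62, 0x72,
				0x69, 0x6c, 0x6c, 0x69, 0x67, 0x2c, 0x20, 0x61,
				0x6e, 0x64, 0x20, 0x74, 0x68, 0x65, 0x20, 0x73,
				0x6c, 0x69, 0x74, 0x68, 0x79, 0x20, 0x74, 0x6f,
				0x76, 0x65, 0x73, 0x0a, 0x44, 0x69, 0x64, 0x20,
				0x67, 0x79, 0x72, 0x65, 0x20, 0x61, 0x6e, 0x64,
				0x20, 0x67, 0x69, 0x6d, 0x62, 0x6c, 0x65, 0x20,
				0x69, 0x6e, 0x20, 0x74, 0x68, 0x65, 0x20, 0x77,
				0x61, 0x62, 0x65, 0x3a, 0x0a, 0x41, 0x6c, 0x6c,
				0x20, 0x6d, 0x69, 0x6d, 0x73, 0x79, 0x20, 0x77,
				0x65, 0x72, 0x65, 0x20, 0x74, 0x68, 0x65, 0x20,
				0x62, 0x6f, 0x72, 0x6f, 0x67, 0x6f, 0x76, 0x65,
				0x73, 0x2c, 0x0a, 0x41, 0x6e, 0x64, 0x20, 0x74,
				0x68, 0x65, 0x20, 0x6d, 0x6f, 0x6d, 0x65, 0x20,
				0x72, 0x61, 0x74, 0x68, 0x73, 0x20, 0x6f, 0x75,
				0x74, 0x67, 0x72, 0x61, 0x62, 0x65, 0x2e,
			},
			[Size]byte{
				0x45, 0x41, 0x66, 0x9a, 0x7e, 0xaa, 0xee, 0x61,
				0xe7, 0x08, 0xdc, 0x7c, 0xbc, 0xc5, 0xeb, 0x62,
			},
		},
		// Test Vector #5
		//
		// If one uses 130-bit partial reduction, does the code handle the case
		// where partially reduced final result is not fully reduced?
		{
			[KeySize]byte{
				// R
				0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				// S
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[]byte{
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
			},
			[Size]byte{
				0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
		},
		// Test Vector #6
		//
		// What happens if addition of s overflows modulo 2^128?
		{
			[KeySize]byte{
				// R
				0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				// S
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
			},
			[]byte{
				0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[Size]byte{
				0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
		},
		// Test Vector #7
		//
		// What happens if data limb is all ones and there is carry from lower
		// limb?
		{
			[KeySize]byte{
				// R
				0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				// S
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[]byte{
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xF0, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[Size]byte{
				0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
		},
		// Test Vector #8
		//
		// What happens if final result from polynomial part is exactly
		// 2^130-5?
		{
			[KeySize]byte{
				// R
				0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				// S
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[]byte{
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFB, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE,
				0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE, 0xFE,
				0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
				0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
			},
			[Size]byte{
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
		},
		// Test Vector #9
		//
		// What happens if final result from polynomial part is exactly
		// 2^130-6?
		{
			[KeySize]byte{
				// R
				0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				// S
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[]byte{
				0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
			},
			[Size]byte{
				0xFA, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
				0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
			},
		},
		// Test Vector #10
		//
		// What happens if 5*H+L-type reduction produces 131-bit intermediate
		// result?
		{
			[KeySize]byte{
				// R
				0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				// S
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[]byte{
				0xE3, 0x35, 0x94, 0xD7, 0x50, 0x5E, 0x43, 0xB9,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x33, 0x94, 0xD7, 0x50, 0x5E, 0x43, 0x79, 0xCD,
				0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[Size]byte{
				0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x55, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
		},
		// Test Vector #11
		//
		// What happens if 5*H+L-type reduction produces 131-bit final result?
		{
			[KeySize]byte{
				// R
				0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				// S
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[]byte{
				0xE3, 0x35, 0x94, 0xD7, 0x50, 0x5E, 0x43, 0xB9,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x33, 0x94, 0xD7, 0x50, 0x5E, 0x43, 0x79, 0xCD,
				0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
			[Size]byte{
				0x13, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
				0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
			},
		},
	}

	for i, vec := range vectors {
		var mac [Size]byte
		Sum(&mac, vec.m, &vec.key)
		if !bytes.Equal(mac[:], vec.tag[:]) {
			t.Errorf("[%d]: mac != vec.tag", i)
		}
		if !Verify(&vec.tag, vec.m, &vec.key) {
			t.Errorf("[%d]: Verify(tag, m, key) returned false", i)
		}

		// Negative case: a tag that differs from the expected one in a
		// single bit must be rejected. vec.tag is an array, so this
		// assignment copies it and the expected tag stays intact.
		forged := vec.tag
		forged[0] ^= 0x01
		if Verify(&forged, vec.m, &vec.key) {
			t.Errorf("[%d]: Verify(forged tag, m, key) returned true", i)
		}
	}
}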
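// TestIETFDraftForceByteswap re-runs TestIETFDraft with the package-level
// isLittleEndian flag cleared, so the vectors are also checked on the code
// path taken when that flag is false (presumably the byte-swapping slow path
// the skip message refers to; confirm against the implementation).
//
// The test mutates package-level state, so it must not be run in parallel
// with other tests that call into the package.
func TestIETFDraftForceByteswap(t *testing.T) {
	if !isLittleEndian {
		t.Skipf("not little endian, slow path already taken")
	}

	// Restore the flag with defer: if TestIETFDraft panics or stops the test
	// early, every later test in the package would otherwise keep running
	// with the flag cleared and never exercise the default path.
	isLittleEndian = false
	defer func() { isLittleEndian = true }()

	TestIETFDraft(t)
}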
  522. // Swiped from golang.org/x/crypto/poly1305/poly1305_test.go.
// Benchmark64 measures one-shot Sum throughput on a 64-byte all-zero message
// under an all-zero key. Setup is done with the timer stopped so only the
// Sum calls are timed.
func Benchmark64(b *testing.B) {
	b.StopTimer()
	var (
		tag [Size]byte
		key [KeySize]byte
		buf [64]byte
	)
	msg := buf[:]
	b.SetBytes(int64(len(msg)))
	b.StartTimer()

	for remaining := b.N; remaining > 0; remaining-- {
		Sum(&tag, msg, &key)
	}
}
// Benchmark1k measures one-shot Sum throughput on a 1024-byte all-zero
// message under an all-zero key. Setup is done with the timer stopped so
// only the Sum calls are timed.
func Benchmark1k(b *testing.B) {
	b.StopTimer()
	var (
		tag [Size]byte
		key [KeySize]byte
		buf [1024]byte
	)
	msg := buf[:]
	b.SetBytes(int64(len(msg)))
	b.StartTimer()

	for remaining := b.N; remaining > 0; remaining-- {
		Sum(&tag, msg, &key)
	}
}