OpenCoverage

poly1305-donna.c

Absolute File Name:/home/opencoverage/opencoverage/guest-scripts/libressl/src/crypto/poly1305/poly1305-donna.c
Source codeSwitch to Preprocessed file
LineSourceCount
1/* $OpenBSD: poly1305-donna.c,v 1.3 2014/06/12 15:49:30 deraadt Exp $ */-
2/*-
3 * Public Domain poly1305 from Andrew Moon-
4 * Based on poly1305-donna.c, poly1305-donna-32.h and poly1305-donna.h from:-
5 * https://github.com/floodyberry/poly1305-donna-
6 */-
7-
8#include <stddef.h>-
9-
10static inline void poly1305_init(poly1305_context *ctx,-
11 const unsigned char key[32]);-
12static inline void poly1305_update(poly1305_context *ctx,-
13 const unsigned char *m, size_t bytes);-
14static inline void poly1305_finish(poly1305_context *ctx,-
15 unsigned char mac[16]);-
16-
17/*-
18 * poly1305 implementation using 32 bit * 32 bit = 64 bit multiplication-
19 * and 64 bit addition.-
20 */-
21-
22#define poly1305_block_size 16-
23-
24/* 17 + sizeof(size_t) + 14*sizeof(unsigned long) */-
25typedef struct poly1305_state_internal_t {-
26 unsigned long r[5];-
27 unsigned long h[5];-
28 unsigned long pad[4];-
29 size_t leftover;-
30 unsigned char buffer[poly1305_block_size];-
31 unsigned char final;-
32} poly1305_state_internal_t;-
33-
34/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */-
35static unsigned long-
36U8TO32(const unsigned char *p)-
37{-
38 return (((unsigned long)(p[0] & 0xff)) |
executed 22834 times by 4 tests: return (((unsigned long)(p[0] & 0xff)) | ((unsigned long)(p[1] & 0xff) << 8) | ((unsigned long)(p[2] & 0xff) << 16) | ((unsigned long)(p[3] & 0xff) << 24));
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
22834
39 ((unsigned long)(p[1] & 0xff) << 8) |
executed 22834 times by 4 tests: return (((unsigned long)(p[0] & 0xff)) | ((unsigned long)(p[1] & 0xff) << 8) | ((unsigned long)(p[2] & 0xff) << 16) | ((unsigned long)(p[3] & 0xff) << 24));
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
22834
40 ((unsigned long)(p[2] & 0xff) << 16) |
executed 22834 times by 4 tests: return (((unsigned long)(p[0] & 0xff)) | ((unsigned long)(p[1] & 0xff) << 8) | ((unsigned long)(p[2] & 0xff) << 16) | ((unsigned long)(p[3] & 0xff) << 24));
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
22834
41 ((unsigned long)(p[3] & 0xff) << 24));
executed 22834 times by 4 tests: return (((unsigned long)(p[0] & 0xff)) | ((unsigned long)(p[1] & 0xff) << 8) | ((unsigned long)(p[2] & 0xff) << 16) | ((unsigned long)(p[3] & 0xff) << 24));
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
22834
42}-
43-
44/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */-
45static void-
46U32TO8(unsigned char *p, unsigned long v)-
47{-
48 p[0] = (v) & 0xff;-
49 p[1] = (v >> 8) & 0xff;-
50 p[2] = (v >> 16) & 0xff;-
51 p[3] = (v >> 24) & 0xff;-
52}
executed 1704 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
1704
53-
54static inline void-
55poly1305_init(poly1305_context *ctx, const unsigned char key[32])-
56{-
57 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;-
58-
59 /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */-
60 st->r[0] = (U8TO32(&key[0])) & 0x3ffffff;-
61 st->r[1] = (U8TO32(&key[3]) >> 2) & 0x3ffff03;-
62 st->r[2] = (U8TO32(&key[6]) >> 4) & 0x3ffc0ff;-
63 st->r[3] = (U8TO32(&key[9]) >> 6) & 0x3f03fff;-
64 st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff;-
65-
66 /* h = 0 */-
67 st->h[0] = 0;-
68 st->h[1] = 0;-
69 st->h[2] = 0;-
70 st->h[3] = 0;-
71 st->h[4] = 0;-
72-
73 /* save pad for later */-
74 st->pad[0] = U8TO32(&key[16]);-
75 st->pad[1] = U8TO32(&key[20]);-
76 st->pad[2] = U8TO32(&key[24]);-
77 st->pad[3] = U8TO32(&key[28]);-
78-
79 st->leftover = 0;-
80 st->final = 0;-
81}
executed 426 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
426
82-
83static void-
84poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, size_t bytes)-
85{-
86 const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */
(st->final)Description
TRUEevaluated 242 times by 1 test
Evaluated by:
  • poly1305test
FALSEevaluated 1009 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
242-1009
87 unsigned long r0, r1, r2, r3, r4;-
88 unsigned long s1, s2, s3, s4;-
89 unsigned long h0, h1, h2, h3, h4;-
90 unsigned long long d0, d1, d2, d3, d4;-
91 unsigned long c;-
92-
93 r0 = st->r[0];-
94 r1 = st->r[1];-
95 r2 = st->r[2];-
96 r3 = st->r[3];-
97 r4 = st->r[4];-
98-
99 s1 = r1 * 5;-
100 s2 = r2 * 5;-
101 s3 = r3 * 5;-
102 s4 = r4 * 5;-
103-
104 h0 = st->h[0];-
105 h1 = st->h[1];-
106 h2 = st->h[2];-
107 h3 = st->h[3];-
108 h4 = st->h[4];-
109-
110 while (bytes >= poly1305_block_size) {
bytes >= 16Description
TRUEevaluated 3800 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
FALSEevaluated 1251 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
1251-3800
111 /* h += m[i] */-
112 h0 += (U8TO32(m + 0)) & 0x3ffffff;-
113 h1 += (U8TO32(m + 3) >> 2) & 0x3ffffff;-
114 h2 += (U8TO32(m + 6) >> 4) & 0x3ffffff;-
115 h3 += (U8TO32(m + 9) >> 6) & 0x3ffffff;-
116 h4 += (U8TO32(m + 12) >> 8) | hibit;-
117-
118 /* h *= r */-
119 d0 = ((unsigned long long)h0 * r0) +-
120 ((unsigned long long)h1 * s4) +-
121 ((unsigned long long)h2 * s3) +-
122 ((unsigned long long)h3 * s2) +-
123 ((unsigned long long)h4 * s1);-
124 d1 = ((unsigned long long)h0 * r1) +-
125 ((unsigned long long)h1 * r0) +-
126 ((unsigned long long)h2 * s4) +-
127 ((unsigned long long)h3 * s3) +-
128 ((unsigned long long)h4 * s2);-
129 d2 = ((unsigned long long)h0 * r2) +-
130 ((unsigned long long)h1 * r1) +-
131 ((unsigned long long)h2 * r0) +-
132 ((unsigned long long)h3 * s4) +-
133 ((unsigned long long)h4 * s3);-
134 d3 = ((unsigned long long)h0 * r3) +-
135 ((unsigned long long)h1 * r2) +-
136 ((unsigned long long)h2 * r1) +-
137 ((unsigned long long)h3 * r0) +-
138 ((unsigned long long)h4 * s4);-
139 d4 = ((unsigned long long)h0 * r4) +-
140 ((unsigned long long)h1 * r3) +-
141 ((unsigned long long)h2 * r2) +-
142 ((unsigned long long)h3 * r1) +-
143 ((unsigned long long)h4 * r0);-
144-
145 /* (partial) h %= p */-
146 c = (unsigned long)(d0 >> 26);-
147 h0 = (unsigned long)d0 & 0x3ffffff;-
148 d1 += c;-
149 c = (unsigned long)(d1 >> 26);-
150 h1 = (unsigned long)d1 & 0x3ffffff;-
151 d2 += c;-
152 c = (unsigned long)(d2 >> 26);-
153 h2 = (unsigned long)d2 & 0x3ffffff;-
154 d3 += c;-
155 c = (unsigned long)(d3 >> 26);-
156 h3 = (unsigned long)d3 & 0x3ffffff;-
157 d4 += c;-
158 c = (unsigned long)(d4 >> 26);-
159 h4 = (unsigned long)d4 & 0x3ffffff;-
160 h0 += c * 5;-
161 c = (h0 >> 26);-
162 h0 = h0 & 0x3ffffff;-
163 h1 += c;-
164-
165 m += poly1305_block_size;-
166 bytes -= poly1305_block_size;-
167 }
executed 3800 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
3800
168-
169 st->h[0] = h0;-
170 st->h[1] = h1;-
171 st->h[2] = h2;-
172 st->h[3] = h3;-
173 st->h[4] = h4;-
174}
executed 1251 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
1251
175-
176static inline void-
177poly1305_update(poly1305_context *ctx, const unsigned char *m, size_t bytes)-
178{-
179 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;-
180 size_t i;-
181-
182 /* handle leftover */-
183 if (st->leftover) {
st->leftoverDescription
TRUEevaluated 381 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
FALSEevaluated 1017 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
381-1017
184 size_t want = (poly1305_block_size - st->leftover);-
185 if (want > bytes)
want > bytesDescription
TRUEevaluated 5 times by 1 test
Evaluated by:
  • poly1305test
FALSEevaluated 376 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
5-376
186 want = bytes;
executed 5 times by 1 test: want = bytes;
Executed by:
  • poly1305test
5
187 for (i = 0; i < want; i++)
i < wantDescription
TRUEevaluated 2420 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
FALSEevaluated 381 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
381-2420
188 st->buffer[st->leftover + i] = m[i];
executed 2420 times by 4 tests: st->buffer[st->leftover + i] = m[i];
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
2420
189 bytes -= want;-
190 m += want;-
191 st->leftover += want;-
192 if (st->leftover < poly1305_block_size)
st->leftover < 16Description
TRUEevaluated 5 times by 1 test
Evaluated by:
  • poly1305test
FALSEevaluated 376 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
5-376
193 return;
executed 5 times by 1 test: return;
Executed by:
  • poly1305test
5
194 poly1305_blocks(st, st->buffer, poly1305_block_size);-
195 st->leftover = 0;-
196 }
executed 376 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
376
197-
198 /* process full blocks */-
199 if (bytes >= poly1305_block_size) {
bytes >= 16Description
TRUEevaluated 633 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
FALSEevaluated 760 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
633-760
200 size_t want = (bytes & ~(poly1305_block_size - 1));-
201 poly1305_blocks(st, m, want);-
202 m += want;-
203 bytes -= want;-
204 }
executed 633 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
633
205-
206 /* store leftover */-
207 if (bytes) {
bytesDescription
TRUEevaluated 618 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
FALSEevaluated 775 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
618-775
208 for (i = 0; i < bytes; i++)
i < bytesDescription
TRUEevaluated 5522 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
FALSEevaluated 618 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
618-5522
209 st->buffer[st->leftover + i] = m[i];
executed 5522 times by 4 tests: st->buffer[st->leftover + i] = m[i];
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
5522
210 st->leftover += bytes;-
211 }
executed 618 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
618
212}
executed 1393 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
1393
213-
214static inline void-
215poly1305_finish(poly1305_context *ctx, unsigned char mac[16])-
216{-
217 poly1305_state_internal_t *st = (poly1305_state_internal_t *)ctx;-
218 unsigned long h0, h1, h2, h3, h4, c;-
219 unsigned long g0, g1, g2, g3, g4;-
220 unsigned long long f;-
221 unsigned long mask;-
222-
223 /* process the remaining block */-
224 if (st->leftover) {
st->leftoverDescription
TRUEevaluated 242 times by 1 test
Evaluated by:
  • poly1305test
FALSEevaluated 184 times by 4 tests
Evaluated by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
184-242
225 size_t i = st->leftover;-
226 st->buffer[i++] = 1;-
227 for (; i < poly1305_block_size; i++)
i < 16Description
TRUEevaluated 1704 times by 1 test
Evaluated by:
  • poly1305test
FALSEevaluated 242 times by 1 test
Evaluated by:
  • poly1305test
242-1704
228 st->buffer[i] = 0;
executed 1704 times by 1 test: st->buffer[i] = 0;
Executed by:
  • poly1305test
1704
229 st->final = 1;-
230 poly1305_blocks(st, st->buffer, poly1305_block_size);-
231 }
executed 242 times by 1 test: end of block
Executed by:
  • poly1305test
242
232-
233 /* fully carry h */-
234 h0 = st->h[0];-
235 h1 = st->h[1];-
236 h2 = st->h[2];-
237 h3 = st->h[3];-
238 h4 = st->h[4];-
239-
240 c = h1 >> 26;-
241 h1 = h1 & 0x3ffffff;-
242 h2 += c;-
243 c = h2 >> 26;-
244 h2 = h2 & 0x3ffffff;-
245 h3 += c;-
246 c = h3 >> 26;-
247 h3 = h3 & 0x3ffffff;-
248 h4 += c;-
249 c = h4 >> 26;-
250 h4 = h4 & 0x3ffffff;-
251 h0 += c * 5;-
252 c = h0 >> 26;-
253 h0 = h0 & 0x3ffffff;-
254 h1 += c;-
255-
256 /* compute h + -p */-
257 g0 = h0 + 5;-
258 c = g0 >> 26;-
259 g0 &= 0x3ffffff;-
260 g1 = h1 + c;-
261 c = g1 >> 26;-
262 g1 &= 0x3ffffff;-
263 g2 = h2 + c;-
264 c = g2 >> 26;-
265 g2 &= 0x3ffffff;-
266 g3 = h3 + c;-
267 c = g3 >> 26;-
268 g3 &= 0x3ffffff;-
269 g4 = h4 + c - (1 << 26);-
270-
271 /* select h if h < p, or h + -p if h >= p */-
272 mask = (g4 >> ((sizeof(unsigned long) * 8) - 1)) - 1;-
273 g0 &= mask;-
274 g1 &= mask;-
275 g2 &= mask;-
276 g3 &= mask;-
277 g4 &= mask;-
278 mask = ~mask;-
279 h0 = (h0 & mask) | g0;-
280 h1 = (h1 & mask) | g1;-
281 h2 = (h2 & mask) | g2;-
282 h3 = (h3 & mask) | g3;-
283 h4 = (h4 & mask) | g4;-
284-
285 /* h = h % (2^128) */-
286 h0 = ((h0) | (h1 << 26)) & 0xffffffff;-
287 h1 = ((h1 >> 6) | (h2 << 20)) & 0xffffffff;-
288 h2 = ((h2 >> 12) | (h3 << 14)) & 0xffffffff;-
289 h3 = ((h3 >> 18) | (h4 << 8)) & 0xffffffff;-
290-
291 /* mac = (h + pad) % (2^128) */-
292 f = (unsigned long long)h0 + st->pad[0];-
293 h0 = (unsigned long)f;-
294 f = (unsigned long long)h1 + st->pad[1] + (f >> 32);-
295 h1 = (unsigned long)f;-
296 f = (unsigned long long)h2 + st->pad[2] + (f >> 32);-
297 h2 = (unsigned long)f;-
298 f = (unsigned long long)h3 + st->pad[3] + (f >> 32);-
299 h3 = (unsigned long)f;-
300-
301 U32TO8(mac + 0, h0);-
302 U32TO8(mac + 4, h1);-
303 U32TO8(mac + 8, h2);-
304 U32TO8(mac + 12, h3);-
305-
306 /* zero out the state */-
307 st->h[0] = 0;-
308 st->h[1] = 0;-
309 st->h[2] = 0;-
310 st->h[3] = 0;-
311 st->h[4] = 0;-
312 st->r[0] = 0;-
313 st->r[1] = 0;-
314 st->r[2] = 0;-
315 st->r[3] = 0;-
316 st->r[4] = 0;-
317 st->pad[0] = 0;-
318 st->pad[1] = 0;-
319 st->pad[2] = 0;-
320 st->pad[3] = 0;-
321}
executed 426 times by 4 tests: end of block
Executed by:
  • aeadtest
  • poly1305test
  • ssltest
  • tlstest
426
Source codeSwitch to Preprocessed file
Generated by Squish Coco 4.2.2