Module Name:    src
Committed By:   riastradh
Date:           Fri Jul 26 18:25:03 UTC 2024

Modified Files:
        src/sys/external/isc/libsodium/conf: files.libsodium
        src/sys/external/isc/libsodium/src: sodium_module.c
        src/sys/modules/sodium: Makefile.sodmod
        src/sys/rump/kern/lib/libcrypto: Makefile
Added Files:
        src/sys/crypto/sodium: sodium_selftest.h
        src/sys/external/isc/libsodium/src: sodium_selftest.c

Log Message:
sys/crypto/sodium: Add a self-test for IETF ChaCha20/Poly1305 AEAD.

PR kern/58468


To generate a diff of this commit:
cvs rdiff -u -r0 -r1.1 src/sys/crypto/sodium/sodium_selftest.h
cvs rdiff -u -r1.6 -r1.7 src/sys/external/isc/libsodium/conf/files.libsodium
cvs rdiff -u -r1.1 -r1.2 src/sys/external/isc/libsodium/src/sodium_module.c
cvs rdiff -u -r0 -r1.1 src/sys/external/isc/libsodium/src/sodium_selftest.c
cvs rdiff -u -r1.3 -r1.4 src/sys/modules/sodium/Makefile.sodmod
cvs rdiff -u -r1.23 -r1.24 src/sys/rump/kern/lib/libcrypto/Makefile

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/external/isc/libsodium/conf/files.libsodium
diff -u src/sys/external/isc/libsodium/conf/files.libsodium:1.6 src/sys/external/isc/libsodium/conf/files.libsodium:1.7
--- src/sys/external/isc/libsodium/conf/files.libsodium:1.6	Sat Aug 21 09:09:39 2021
+++ src/sys/external/isc/libsodium/conf/files.libsodium	Fri Jul 26 18:25:03 2024
@@ -1,4 +1,4 @@
-#	$NetBSD: files.libsodium,v 1.6 2021/08/21 09:09:39 christos Exp $
+#	$NetBSD: files.libsodium,v 1.7 2024/07/26 18:25:03 riastradh Exp $
 
 define		libsodium
 
@@ -12,6 +12,7 @@ makeoptions libsodium "CWARNFLAGS.libsod
 makeoptions libsodium "CWARNFLAGS.libsodium"+="-Wno-unused-variable"
 
 file	external/isc/libsodium/src/sodium_module.c	libsodium
+file	external/isc/libsodium/src/sodium_selftest.c	libsodium
 
 file	external/isc/libsodium/dist/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c	libsodium
 file	external/isc/libsodium/dist/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c	libsodium

Index: src/sys/external/isc/libsodium/src/sodium_module.c
diff -u src/sys/external/isc/libsodium/src/sodium_module.c:1.1 src/sys/external/isc/libsodium/src/sodium_module.c:1.2
--- src/sys/external/isc/libsodium/src/sodium_module.c:1.1	Sat Aug 21 09:08:08 2021
+++ src/sys/external/isc/libsodium/src/sodium_module.c	Fri Jul 26 18:25:03 2024
@@ -1,4 +1,4 @@
-/*	$NetBSD: sodium_module.c,v 1.1 2021/08/21 09:08:08 christos Exp $	*/
+/*	$NetBSD: sodium_module.c,v 1.2 2024/07/26 18:25:03 riastradh Exp $	*/
 
 /*-
  * Copyright (c) 2021 The NetBSD Foundation, Inc.
@@ -27,12 +27,14 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: sodium_module.c,v 1.1 2021/08/21 09:08:08 christos Exp $");
+__KERNEL_RCSID(0, "$NetBSD: sodium_module.c,v 1.2 2024/07/26 18:25:03 riastradh Exp $");
 
 #include <sys/param.h>
 #include <sys/kernel.h>
 #include <sys/module.h>
 
+#include <crypto/sodium/sodium_selftest.h>
+
 MODULE(MODULE_CLASS_MISC, sodium, NULL);
 
 static int
@@ -41,6 +43,10 @@ sodium_modcmd(modcmd_t cmd, void *arg)
 
 	switch (cmd) {
 	case MODULE_CMD_INIT:
+		if (sodium_selftest()) {
+			printf("sodium self-test failed\n");
+			return EIO;
+		}
 		break;
 
 	case MODULE_CMD_FINI:
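Review bot: The new `MODULE_CMD_INIT` branch refuses to initialize with `EIO` when the self-test fails, but nothing in the code records that this fail-closed behaviour is deliberate. A short comment above the check, such as `/* Fail closed: do not bring the module up if the known-answer test fails. */`, would keep a later cleanup from downgrading it to a warning. Whether a failed init also keeps in-kernel consumers built with the `libsodium` attribute from calling the AEAD routines is not visible in this hunk and is worth confirming. sodium_modcmd's body starts and ends outside the hunk.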

Index: src/sys/modules/sodium/Makefile.sodmod
diff -u src/sys/modules/sodium/Makefile.sodmod:1.3 src/sys/modules/sodium/Makefile.sodmod:1.4
--- src/sys/modules/sodium/Makefile.sodmod:1.3	Sat Aug 21 09:07:08 2021
+++ src/sys/modules/sodium/Makefile.sodmod	Fri Jul 26 18:25:03 2024
@@ -1,10 +1,11 @@
-#	$NetBSD: Makefile.sodmod,v 1.3 2021/08/21 09:07:08 christos Exp $
+#	$NetBSD: Makefile.sodmod,v 1.4 2024/07/26 18:25:03 riastradh Exp $
 
 SODIUMDIR=	${S}/external/isc/libsodium
 SODIUMSRCDIR=	${SODIUMDIR}/dist/src/libsodium
 
 .PATH:	${SODIUMDIR}/src
 SRCS+=	sodium_module.c
+SRCS+=	sodium_selftest.c
 
 .PATH:	${SODIUMSRCDIR}/crypto_scalarmult/curve25519/ref10
 SRCS+=	x25519_ref10.c

Index: src/sys/rump/kern/lib/libcrypto/Makefile
diff -u src/sys/rump/kern/lib/libcrypto/Makefile:1.23 src/sys/rump/kern/lib/libcrypto/Makefile:1.24
--- src/sys/rump/kern/lib/libcrypto/Makefile:1.23	Sat Aug 21 09:08:55 2021
+++ src/sys/rump/kern/lib/libcrypto/Makefile	Fri Jul 26 18:25:03 2024
@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.23 2021/08/21 09:08:55 christos Exp $
+#	$NetBSD: Makefile,v 1.24 2024/07/26 18:25:03 riastradh Exp $
 #
 
 S=${.CURDIR}/../../../..
@@ -81,6 +81,7 @@ SODIUM_SRCS+=	aead_chacha20poly1305.c
 SODIUM_SRCS+=	core_hchacha20.c
 SODIUM_SRCS+=	ed25519_ref10.c
 SODIUM_SRCS+=	sodium_module.c
+SODIUM_SRCS+=	sodium_selftest.c
 
 SRCS+=	${SODIUM_SRCS}
 

Added files:

Index: src/sys/crypto/sodium/sodium_selftest.h
diff -u /dev/null src/sys/crypto/sodium/sodium_selftest.h:1.1
--- /dev/null	Fri Jul 26 18:25:03 2024
+++ src/sys/crypto/sodium/sodium_selftest.h	Fri Jul 26 18:25:03 2024
@@ -0,0 +1,36 @@
+/*	$NetBSD: sodium_selftest.h,v 1.1 2024/07/26 18:25:03 riastradh Exp $	*/
+
+/*-
+ * Copyright (c) 2024 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef	_SYS_CRYPTO_SODIUM_SODIUM_SELFTEST_H_
+#define	_SYS_CRYPTO_SODIUM_SODIUM_SELFTEST_H_
+
+int crypto_aead_chacha20poly1305_ietf_selftest(void);
+
+int sodium_selftest(void);
+
+#endif	/* _SYS_CRYPTO_SODIUM_SODIUM_SELFTEST_H_ */
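Review bot: Neither prototype in the new header states its return convention, although the caller in sodium_module.c depends on it (`if (sodium_selftest())`). A one-line comment above the declarations, such as `/* Return 0 if all known-answer tests pass, nonzero otherwise. */`, would make the contract explicit for any other caller that wants to gate on the result.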

Index: src/sys/external/isc/libsodium/src/sodium_selftest.c
diff -u /dev/null src/sys/external/isc/libsodium/src/sodium_selftest.c:1.1
--- /dev/null	Fri Jul 26 18:25:03 2024
+++ src/sys/external/isc/libsodium/src/sodium_selftest.c	Fri Jul 26 18:25:03 2024
@@ -0,0 +1,340 @@
+/*	$NetBSD: sodium_selftest.c,v 1.1 2024/07/26 18:25:03 riastradh Exp $	*/
+
+/*-
+ * Copyright (c) 2024 The NetBSD Foundation, Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
+ * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
+ * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
+ * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifdef _KERNEL
+
+#include <sys/cdefs.h>
+__KERNEL_RCSID(0, "$NetBSD: sodium_selftest.c,v 1.1 2024/07/26 18:25:03 riastradh Exp $");
+
+#include <sys/types.h>
+
+#include <sys/systm.h>
+
+#include <lib/libkern/libkern.h>
+
+#else
+
+#include <sys/cdefs.h>
+__RCSID("$NetBSD: sodium_selftest.c,v 1.1 2024/07/26 18:25:03 riastradh Exp $");
+
+#include <stdint.h>
+#include <stdio.h>
+#include <string.h>
+
+static void
+hexdump(int (*prf)(const char *, ...) __printflike(1,2), const char *prefix,
+    const void *buf, size_t len)
+{
+	const uint8_t *p = buf;
+	size_t i;
+
+	(*prf)("%s (%zu bytes @ %p)\n", prefix, len, buf);
+	for (i = 0; i < len; i++) {
+		if (i % 16 == 8)
+			(*prf)("  ");
+		else
+			(*prf)(" ");
+		(*prf)("%02hhx", p[i]);
+		if ((i + 1) % 16 == 0)
+			(*prf)("\n");
+	}
+	if (i % 16)
+		(*prf)("\n");
+}
+
+#endif
+
+#include <crypto/sodium/crypto_aead_chacha20poly1305.h>
+#include <crypto/sodium/sodium_selftest.h>
+
+/*
+ * Test misalignments up to and including this.  Would be nice to do
+ * this up to, say, 15, but that takes 16^5 = 2^20 ~ 1m trials, which
+ * is a bit steep as a self-test.
+ */
+#define	TESTALIGN	1
+
+int
+crypto_aead_chacha20poly1305_ietf_selftest(void)
+{
+	/* https://datatracker.ietf.org/doc/html/rfc8439#section-2.8.2 */
+	static const uint8_t plaintext[] = {
+		0x4c,0x61,0x64,0x69, 0x65,0x73,0x20,0x61,
+		0x6e,0x64,0x20,0x47, 0x65,0x6e,0x74,0x6c,
+		0x65,0x6d,0x65,0x6e, 0x20,0x6f,0x66,0x20,
+		0x74,0x68,0x65,0x20, 0x63,0x6c,0x61,0x73,
+		0x73,0x20,0x6f,0x66, 0x20,0x27,0x39,0x39,
+		0x3a,0x20,0x49,0x66, 0x20,0x49,0x20,0x63,
+		0x6f,0x75,0x6c,0x64, 0x20,0x6f,0x66,0x66,
+		0x65,0x72,0x20,0x79, 0x6f,0x75,0x20,0x6f,
+		0x6e,0x6c,0x79,0x20, 0x6f,0x6e,0x65,0x20,
+		0x74,0x69,0x70,0x20, 0x66,0x6f,0x72,0x20,
+		0x74,0x68,0x65,0x20, 0x66,0x75,0x74,0x75,
+		0x72,0x65,0x2c,0x20, 0x73,0x75,0x6e,0x73,
+		0x63,0x72,0x65,0x65, 0x6e,0x20,0x77,0x6f,
+		0x75,0x6c,0x64,0x20, 0x62,0x65,0x20,0x69,
+		0x74,0x2e,
+	};
+	static const uint8_t aad[] = {
+		0x50,0x51,0x52,0x53, 0xc0,0xc1,0xc2,0xc3,
+		0xc4,0xc5,0xc6,0xc7,
+	};
+	static const uint8_t key[] = {
+		0x80,0x81,0x82,0x83, 0x84,0x85,0x86,0x87,
+		0x88,0x89,0x8a,0x8b, 0x8c,0x8d,0x8e,0x8f,
+		0x90,0x91,0x92,0x93, 0x94,0x95,0x96,0x97,
+		0x98,0x99,0x9a,0x9b, 0x9c,0x9d,0x9e,0x9f,
+	};
+	static const uint8_t nonce[] = {
+		0x07,0x00,0x00,0x00,
+		0x40,0x41,0x42,0x43, 0x44,0x45,0x46,0x47,
+	};
+	static const uint8_t ciphertext[] = {
+		0xd3,0x1a,0x8d,0x34, 0x64,0x8e,0x60,0xdb,
+		0x7b,0x86,0xaf,0xbc, 0x53,0xef,0x7e,0xc2,
+		0xa4,0xad,0xed,0x51, 0x29,0x6e,0x08,0xfe,
+		0xa9,0xe2,0xb5,0xa7, 0x36,0xee,0x62,0xd6,
+		0x3d,0xbe,0xa4,0x5e, 0x8c,0xa9,0x67,0x12,
+		0x82,0xfa,0xfb,0x69, 0xda,0x92,0x72,0x8b,
+		0x1a,0x71,0xde,0x0a, 0x9e,0x06,0x0b,0x29,
+		0x05,0xd6,0xa5,0xb6, 0x7e,0xcd,0x3b,0x36,
+		0x92,0xdd,0xbd,0x7f, 0x2d,0x77,0x8b,0x8c,
+		0x98,0x03,0xae,0xe3, 0x28,0x09,0x1b,0x58,
+		0xfa,0xb3,0x24,0xe4, 0xfa,0xd6,0x75,0x94,
+		0x55,0x85,0x80,0x8b, 0x48,0x31,0xd7,0xbc,
+		0x3f,0xf4,0xde,0xf0, 0x8e,0x4b,0x7a,0x9d,
+		0xe5,0x76,0xd2,0x65, 0x86,0xce,0xc6,0x4b,
+		0x61,0x16,
+
+		0x1a,0xe1,0x0b,0x59, 0x4f,0x09,0xe2,0x6a,
+		0x7e,0x90,0x2e,0xcb, 0xd0,0x60,0x06,0x91,
+	};
+	uint8_t inbuf[sizeof(ciphertext) + TESTALIGN];
+	uint8_t outbuf[sizeof(ciphertext) + TESTALIGN];
+	uint8_t aadbuf[sizeof(aad) + TESTALIGN];
+	uint8_t noncebuf[sizeof(nonce) + TESTALIGN];
+	uint8_t keybuf[sizeof(key) + TESTALIGN];
+	unsigned i, j, k, L, M;
+
+	/*
+	 * Iterate over alignment and misalignment of all four inputs
+	 * (plaintext/ciphertext, associated data, nonce, and key), and
+	 * the output (ciphertext/plaintext).
+	 *
+	 * With apologies for the quirky nonindentation here -- it just
+	 * gets nested a little too much.
+	 */
+	for (i = 0; i <= TESTALIGN; i++) {
+	for (j = 0; j <= TESTALIGN; j++) {
+	for (k = 0; k <= TESTALIGN; k++) {
+	for (L = 0; L <= TESTALIGN; L++) {
+	for (M = 0; M <= TESTALIGN; M++) {
+		unsigned long long outsize = 0;
+		int error;
+		char t[128];
+		unsigned u;
+
+		/*
+		 * Verify encryption produces the expected ciphertext.
+		 */
+		memset(inbuf, 0, sizeof(inbuf));
+		memset(aadbuf, 0, sizeof(aadbuf));
+		memset(noncebuf, 0, sizeof(noncebuf));
+		memset(keybuf, 0, sizeof(keybuf));
+		memset(outbuf, 0, sizeof(outbuf));
+
+		memcpy(inbuf + i, plaintext, sizeof(plaintext));
+		memcpy(aadbuf + j, aad, sizeof(aad));
+		memcpy(noncebuf + k, nonce, sizeof(nonce));
+		memcpy(keybuf + L, key, sizeof(key));
+
+		error = crypto_aead_chacha20poly1305_ietf_encrypt(outbuf + M,
+		    &outsize,
+		    inbuf + i, sizeof(plaintext),
+		    aadbuf + j, sizeof(aad),
+		    NULL,	/* secret nonce, not supported */
+		    noncebuf + k,
+		    keybuf + L);
+		if (error) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "encrypt", i, j, k, L, M);
+			printf("%s: encrypt error=%d\n", t, error);
+			return -1;
+		}
+		if (outsize != sizeof(ciphertext)) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "encrypt", i, j, k, L, M);
+			printf("%s: outsize=%llu is not %zu\n", t,
+			    outsize, sizeof(ciphertext));
+			return -1;
+		}
+		if (memcmp(outbuf + M, ciphertext, sizeof(ciphertext)) != 0) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "encrypt", i, j, k, L, M);
+			hexdump(printf, t, outbuf + M, sizeof(ciphertext));
+			return -1;
+		}
+
+		/*
+		 * Verify decryption of the valid ciphertext succeeds
+		 * and produces the expected plaintext.
+		 */
+		memset(inbuf, 0, sizeof(inbuf));
+		memset(aadbuf, 0, sizeof(aadbuf));
+		memset(noncebuf, 0, sizeof(noncebuf));
+		memset(keybuf, 0, sizeof(keybuf));
+		memset(outbuf, 0, sizeof(outbuf));
+
+		memcpy(inbuf + i, ciphertext, sizeof(ciphertext));
+		memcpy(aadbuf + j, aad, sizeof(aad));
+		memcpy(noncebuf + k, nonce, sizeof(nonce));
+		memcpy(keybuf + L, key, sizeof(key));
+
+		error = crypto_aead_chacha20poly1305_ietf_decrypt(outbuf + M,
+		    &outsize,
+		    NULL,	/* secret nonce, not supported */
+		    inbuf + i, sizeof(ciphertext),
+		    aadbuf + j, sizeof(aad),
+		    noncebuf + k,
+		    keybuf + L);
+		if (error) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "decrypt", i, j, k, L, M);
+			printf("%s: decrypt error=%d\n", t, error);
+			return -1;
+		}
+		if (outsize != sizeof(plaintext)) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "decrypt", i, j, k, L, M);
+			printf("%s: outsize=%llu is not %zu\n", t,
+			    outsize, sizeof(plaintext));
+			return -1;
+		}
+		if (memcmp(outbuf + M, plaintext, sizeof(plaintext)) != 0) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "decrypt", i, j, k, L, M);
+			hexdump(printf, t, outbuf + M, sizeof(ciphertext));
+			return -1;
+		}
+
+		/*
+		 * Verify decryption of a corrupted ciphertext fails
+		 * and produces all-zero output.
+		 */
+		memset(outbuf, 0x5a, sizeof(outbuf));
+		inbuf[i] ^= 0x80;
+		error = crypto_aead_chacha20poly1305_ietf_decrypt(outbuf + M,
+		    &outsize,
+		    NULL,	/* secret nonce, not supported */
+		    inbuf + i, sizeof(ciphertext),
+		    aadbuf + j, sizeof(aad),
+		    noncebuf + k,
+		    keybuf + L);
+		inbuf[i] ^= 0x80;
+		if (error == 0) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "msg forgery", i, j, k, L, M);
+			printf("%s: wrongly accepted\n", t);
+			return -1;
+		}
+		for (u = 0; u < sizeof(plaintext); u++) {
+			if (outbuf[M + u] != 0) {
+				snprintf(t, sizeof(t),
+				    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+				    __func__, "msg forgery", i, j, k, L, M);
+				hexdump(printf, t, outbuf + M,
+				    sizeof(plaintext));
+				return -1;
+			}
+		}
+
+		/*
+		 * Verify decryption with corrupted associated data
+		 * fails and produces all-zero output.
+		 */
+		memset(outbuf, 0xac, sizeof(outbuf));
+		aadbuf[j] ^= 0x80;
+		error = crypto_aead_chacha20poly1305_ietf_decrypt(outbuf + M,
+		    &outsize,
+		    NULL,	/* secret nonce, not supported */
+		    inbuf + i, sizeof(ciphertext),
+		    aadbuf + j, sizeof(aad),
+		    noncebuf + k,
+		    keybuf + L);
+		aadbuf[j] ^= 0x80;
+		if (error == 0) {
+			snprintf(t, sizeof(t),
+			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+			    __func__, "aad forgery", i, j, k, L, M);
+			printf("%s: wrongly accepted\n", t);
+			return -1;
+		}
+		for (u = 0; u < sizeof(plaintext); u++) {
+			if (outbuf[M + u] != 0) {
+				snprintf(t, sizeof(t),
+				    "%s: %s i=%u j=%u k=%u L=%u M=%u",
+				    __func__, "aad forgery", i, j, k, L, M);
+				hexdump(printf, t, outbuf + M,
+				    sizeof(plaintext));
+				return -1;
+			}
+		}
+	}
+	}
+	}
+	}
+	}
+
+	return 0;
+}
+
+int
+sodium_selftest(void)
+{
+	int result = 0;
+
+	result |= crypto_aead_chacha20poly1305_ietf_selftest();
+
+	return result;
+}
+
+#ifdef SODIUM_SELFTEST_MAIN
+int
+main(void)
+{
+
+	return sodium_selftest();
+}
+#endif
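Review bot: The two forgery cases in crypto_aead_chacha20poly1305_ietf_selftest flip only the first ciphertext byte (`inbuf[i]`) and the first associated-data byte (`aadbuf[j]`); no case corrupts the trailing 16 bytes of `ciphertext[]` (the tag in the RFC 8439 vector), so a tag comparison that skipped trailing bytes would still pass this self-test. A third negative case that flips the last byte of the input and expects rejection with all-zero output would close that gap, as sketched below. Separately, the decrypt-mismatch path dumps `sizeof(ciphertext)` bytes although the comparison covered `sizeof(plaintext)`; `hexdump(printf, t, outbuf + M, sizeof(plaintext));` would match the check.

```c
		/* ... unchanged: aad forgery case and its all-zero check ... */

		/*
		 * Verify decryption with a corrupted authentication
		 * tag fails and produces all-zero output.
		 */
		memset(outbuf, 0x3c, sizeof(outbuf));
		inbuf[i + sizeof(ciphertext) - 1] ^= 0x01;
		error = crypto_aead_chacha20poly1305_ietf_decrypt(outbuf + M,
		    &outsize,
		    NULL,	/* secret nonce, not supported */
		    inbuf + i, sizeof(ciphertext),
		    aadbuf + j, sizeof(aad),
		    noncebuf + k,
		    keybuf + L);
		inbuf[i + sizeof(ciphertext) - 1] ^= 0x01;
		if (error == 0) {
			snprintf(t, sizeof(t),
			    "%s: %s i=%u j=%u k=%u L=%u M=%u",
			    __func__, "tag forgery", i, j, k, L, M);
			printf("%s: wrongly accepted\n", t);
			return -1;
		}
		/* ... same all-zero check of outbuf + M as the other forgery cases ... */
```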
