symm/poly1305.c: Implement `flushzero' to zero-pad to a block boundary.

[catacomb] / symm / poly1305.c

diff --git a/symm/poly1305.c b/symm/poly1305.c
index 2788957..3a838a8 100644 (file)
--- a/symm/poly1305.c
+++ b/symm/poly1305.c
@@ -571,6 +571,7 @@ void poly1305_hash(poly1305_ctx *ctx, const void *p, size_t sz)
  *             far is a whole number of blocks.  Flushing is performed
  *             automatically by @poly1305_done@, but it may be necessary to
  *             force it by hand when using @poly1305_concat@.
+ *             (Alternatively, you might use @poly1305_flushzero@ instead.)
  *
  *             Flushing a partial block has an observable effect on the
  *             computation: the resulting state is (with high probability)
@@ -604,7 +605,29 @@ void poly1305_flush(poly1305_ctx *ctx)
 #endif
 
   mul_r(ctx, ctx->u.P.h, t);
-  ctx->count++;
+  ctx->nbuf = 0; ctx->count++;
+}
+
+/* --- @poly1305_flushzero@ --- *
+ *
+ * Arguments:  @poly1305_ctx *ctx@ = MAC context to flush
+ *
+ * Returns:    ---
+ *
+ * Use:                Forces any buffered message data in the context to be
+ *             processed, by hashing between zero and fifteen additional
+ *             zero bytes.  Like @poly1305_flush@, this has no effect if the
+ *             the message processed so far is a whole number of blocks.
+ *             Unlike @poly1305_flush@, the behaviour if the message is not
+ *             a whole number of blocks is equivalent to actually hashing
+ *             some extra data.
+ */
+
+void poly1305_flushzero(poly1305_ctx *ctx)
+{
+  if (!ctx->nbuf) return;
+  memset(ctx->buf + ctx->nbuf, 0, 16 - ctx->nbuf);
+  update_full(ctx, ctx->buf);
   ctx->nbuf = 0;
 }