Start verifying that code which should be constant-time really is.

[catacomb] / symm / poly1305.c

diff --git a/symm/poly1305.c b/symm/poly1305.c
index 3a838a8..942aa38 100644 (file)
--- a/symm/poly1305.c
+++ b/symm/poly1305.c
@@ -875,6 +875,7 @@ void poly1305_done(poly1305_ctx *ctx, void *h)
 
 #include <mLib/testrig.h>
 
+#include "ct.h"
 #include "rijndael-ecb.h"
 
 static int vrf_hash(dstr v[])
@@ -889,6 +890,7 @@ static int vrf_hash(dstr v[])
   if (v[3].len != 16) { fprintf(stderr, "bad tag length\n"); exit(2); }
   dstr_ensure(&t, 16); t.len = 16;
 
+  ct_poison(v[0].buf, v[0].len);
   poly1305_keyinit(&k, v[0].buf, v[0].len);
   for (i = 0; i < v[2].len; i++) {
     for (j = i; j < v[2].len; j++) {
@@ -897,6 +899,7 @@ static int vrf_hash(dstr v[])
       poly1305_hash(&ctx, v[2].buf + i, j - i);
       poly1305_hash(&ctx, v[2].buf + j, v[2].len - j);
       poly1305_done(&ctx, t.buf);
+      ct_remedy(t.buf, t.len);
       if (memcmp(t.buf, v[3].buf, 16) != 0) {
        fprintf(stderr, "failed...");
        fprintf(stderr, "\n\tkey    = "); type_hex.dump(&v[0], stderr);