X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/47af781c8f727c45d0f74584f5f67521a4cbdfcb..35b1eba81a20fa0b93db161001ad8a46cd0cdc7b:/symm/poly1305.c

diff --git a/symm/poly1305.c b/symm/poly1305.c
index 27889574..d237d4e7 100644
--- a/symm/poly1305.c
+++ b/symm/poly1305.c
@@ -183,7 +183,7 @@ static void mul_r(const poly1305_ctx *ctx, felt z, const felt x)
 
 #endif
 
-/*----- Low-level implementation for 32/64-bit targets --------------------*/
+/*----- Low-level implementation for 16/32-bit targets --------------------*/
 
 #ifndef POLY1305_IMPL
 #  define POLY1305_IMPL 11
@@ -571,6 +571,7 @@ void poly1305_hash(poly1305_ctx *ctx, const void *p, size_t sz)
  *		far is a whole number of blocks.  Flushing is performed
  *		automatically by @poly1305_done@, but it may be necessary to
  *		force it by hand when using @poly1305_concat@.
+ *		(Alternatively, you might use @poly1305_flushzero@ instead.)
  *
  *		Flushing a partial block has an observable effect on the
  *		computation: the resulting state is (with high probability)
@@ -604,7 +605,29 @@ void poly1305_flush(poly1305_ctx *ctx)
 #endif
 
   mul_r(ctx, ctx->u.P.h, t);
-  ctx->count++;
+  ctx->nbuf = 0; ctx->count++;
+}
+
+/* --- @poly1305_flushzero@ --- *
+ *
+ * Arguments:	@poly1305_ctx *ctx@ = MAC context to flush
+ *
+ * Returns:	---
+ *
+ * Use:		Forces any buffered message data in the context to be
+ *		processed, by hashing between zero and fifteen additional
+ *		zero bytes.  Like @poly1305_flush@, this has no effect if the
+ *		the message processed so far is a whole number of blocks.
+ *		Unlike @poly1305_flush@, the behaviour if the message is not
+ *		a whole number of blocks is equivalent to actually hashing
+ *		some extra data.
+ */
+
+void poly1305_flushzero(poly1305_ctx *ctx)
+{
+  if (!ctx->nbuf) return;
+  memset(ctx->buf + ctx->nbuf, 0, 16 - ctx->nbuf);
+  update_full(ctx, ctx->buf);
   ctx->nbuf = 0;
 }
 
@@ -852,6 +875,7 @@ void poly1305_done(poly1305_ctx *ctx, void *h)
 
 #include <mLib/testrig.h>
 
+#include "ct.h"
 #include "rijndael-ecb.h"
 
 static int vrf_hash(dstr v[])
@@ -866,6 +890,7 @@ static int vrf_hash(dstr v[])
   if (v[3].len != 16) { fprintf(stderr, "bad tag length\n"); exit(2); }
   dstr_ensure(&t, 16); t.len = 16;
 
+  ct_poison(v[0].buf, v[0].len);
   poly1305_keyinit(&k, v[0].buf, v[0].len);
   for (i = 0; i < v[2].len; i++) {
     for (j = i; j < v[2].len; j++) {
@@ -874,6 +899,7 @@ static int vrf_hash(dstr v[])
       poly1305_hash(&ctx, v[2].buf + i, j - i);
       poly1305_hash(&ctx, v[2].buf + j, v[2].len - j);
       poly1305_done(&ctx, t.buf);
+      ct_remedy(t.buf, t.len);
       if (memcmp(t.buf, v[3].buf, 16) != 0) {
 	fprintf(stderr, "failed...");
 	fprintf(stderr, "\n\tkey    = "); type_hex.dump(&v[0], stderr);