X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/57e7040b318f0ffc5ab43c3fb62df9a2bef42ac7..d9d419b020ab2b6fc1b7bdfc8db24735c7f7b6fb:/symm/poly1305.c
diff --git a/symm/poly1305.c b/symm/poly1305.c
index 55fe3711..3a838a83 100644
--- a/symm/poly1305.c
+++ b/symm/poly1305.c
@@ -571,6 +571,7 @@ void poly1305_hash(poly1305_ctx *ctx, const void *p, size_t sz)
  * far is a whole number of blocks. Flushing is performed
  * automatically by @poly1305_done@, but it may be necessary to
  * force it by hand when using @poly1305_concat@.
+ * (Alternatively, you might use @poly1305_flushzero@ instead.)
  *
  * Flushing a partial block has an observable effect on the
  * computation: the resulting state is (with high probability)
@@ -604,7 +605,29 @@ void poly1305_flush(poly1305_ctx *ctx)
 #endif
   mul_r(ctx, ctx->u.P.h, t);
-  ctx->count++;
+  ctx->nbuf = 0; ctx->count++;
+}
+
+/* --- @poly1305_flushzero@ --- *
+ *
+ * Arguments: @poly1305_ctx *ctx@ = MAC context to flush
+ *
+ * Returns: ---
+ *
+ * Use: Forces any buffered message data in the context to be
+ * processed, by hashing between zero and fifteen additional
+ * zero bytes. Like @poly1305_flush@, this has no effect if the
+ * the message processed so far is a whole number of blocks.
+ * Unlike @poly1305_flush@, the behaviour if the message is not
+ * a whole number of blocks is equivalent to actually hashing
+ * some extra data.
+ */
+
+void poly1305_flushzero(poly1305_ctx *ctx)
+{
+  if (!ctx->nbuf) return;
+  memset(ctx->buf + ctx->nbuf, 0, 16 - ctx->nbuf);
+  update_full(ctx, ctx->buf);
   ctx->nbuf = 0;
 }
@@ -852,6 +875,8 @@ void poly1305_done(poly1305_ctx *ctx, void *h)
 #include
+#include "rijndael-ecb.h"
+
 static int vrf_hash(dstr v[])
 {
   poly1305_key k;
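Review bot: The `Use:` comment of `poly1305_flushzero` should spell out the consequence of the zero padding rather than leaving it at "equivalent to actually hashing some extra data": after this call the context for a 13-byte message m is in the same state as for the 16-byte message m followed by three zero bytes, so inputs that differ only by trailing zero bytes up to the block boundary yield the same tag unless the caller authenticates the length separately (as AEAD constructions that zero-pad and then append lengths do). I would add a line such as `*  Callers must authenticate the message length themselves, since m and m padded with zero bytes now produce the same tag.` and also fix the doubled word in `this has no effect if the the message processed so far`. The body itself reads correctly: the early return leaves whole-block messages untouched, and `memset` fills exactly the `16 - ctx->nbuf` remaining bytes of the block before `update_full` consumes it. `poly1305_flush`, whose tail this hunk also changes, begins outside the hunk.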
@@ -934,11 +959,76 @@ static int vrf_cat(dstr v[])
   return (ok);
 }
+#define MSZMAX 1000
+
+static int vrf_mct(dstr v[])
+{
+  unsigned j, msz;
+  unsigned long i, niter;
+  rijndael_ecbctx rij;
+  poly1305_key key;
+  poly1305_ctx mac;
+  dstr d = DSTR_INIT;
+  octet k[16], r[16], n[16], s[16], *t, m[MSZMAX] = { 0 };
+  int ok = 1;
+
+  if (v[0].len != sizeof(k)) { fprintf(stderr, "AES key len\n"); exit(2); }
+  if (v[1].len != sizeof(r)) { fprintf(stderr, "poly key len\n"); exit(2); }
+  if (v[2].len != sizeof(n)) { fprintf(stderr, "nonce len\n"); exit(2); }
+  if (v[4].len != sizeof(n)) { fprintf(stderr, "result len\n"); exit(2); }
+  memcpy(k, v[0].buf, sizeof(k));
+  memcpy(r, v[1].buf, sizeof(k));
+  memcpy(n, v[2].buf, sizeof(k));
+  niter = *(unsigned long *)v[3].buf;
+  dstr_ensure(&d, 16); d.len = 16; t = (octet *)d.buf;
+
+  rijndael_ecbinit(&rij, k, sizeof(k), 0);
+  poly1305_keyinit(&key, r, sizeof(r));
+  for (i = 0; i < niter; i++) {
+    msz = 0;
+    for (;;) {
+      rijndael_ecbencrypt(&rij, n, s, 16);
+      poly1305_macinit(&mac, &key, s);
+      poly1305_hash(&mac, m, msz);
+      poly1305_done(&mac, t);
+      if (msz >= MSZMAX) break;
+      n[0] ^= i&0xff;
+      for (j = 0; j < 16; j++) n[j] ^= t[j];
+      if (msz%2) {
+        for (j = 0; j < 16; j++) k[j] ^= t[j];
+        rijndael_ecbinit(&rij, k, sizeof(k), 0);
+      }
+      if (msz%3) {
+        for (j = 0; j < 16; j++) r[j] ^= t[j];
+        poly1305_keyinit(&key, r, sizeof(r));
+      }
+      m[msz++] ^= t[0];
+    }
+  }
+
+  if (memcmp(t, v[4].buf, 16) != 0) {
+    ok = 0;
+    fprintf(stderr, "failed...");
+    fprintf(stderr, "\n\tinitial k = "); type_hex.dump(&v[0], stderr);
+    fprintf(stderr, "\n\tinitial r = "); type_hex.dump(&v[1], stderr);
+    fprintf(stderr, "\n\tinitial n = "); type_hex.dump(&v[2], stderr);
+    fprintf(stderr, "\n\titerations = %lu", niter);
+    fprintf(stderr, "\n\texpected = "); type_hex.dump(&v[4], stderr);
+    fprintf(stderr, "\n\tcalculated = "); type_hex.dump(&d, stderr);
+    fputc('\n', stderr);
+  }
+
+  dstr_destroy(&d);
+  return (ok);
+}
+
 static const struct test_chunk tests[] = {
   { "poly1305-hash", vrf_hash,
     { &type_hex, &type_hex, &type_hex, &type_hex } },
   { "poly1305-cat", vrf_cat,
     { &type_hex, &type_hex, &type_hex, &type_hex, &type_hex, &type_hex } },
+  { "poly1305-mct", vrf_mct,
+    { &type_hex, &type_hex, &type_hex, &type_ulong, &type_hex } },
   { 0, 0, { 0 } }
 };