int poly1305_test(void)
{
#ifndef LTC_TEST
return CRYPT_NOP;
#else
/* https://tools.ietf.org/html/rfc7539#section-2.5.2 */
unsigned char k[] = { 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33, 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8, 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd, 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b };
unsigned char tag[] = { 0xA8, 0x06, 0x1D, 0xC1, 0x30, 0x51, 0x36, 0xC6, 0xC2, 0x2B, 0x8B, 0xAF, 0x0C, 0x01, 0x27, 0xA9 };
char m[] = "Cryptographic Forum Research Group";
unsigned long len = 16, mlen = strlen(m);
unsigned char out[1000];
poly1305_state st;
int err;
/* process piece by piece */
if ((err = poly1305_init(&st, k, 32)) != CRYPT_OK) return err;
if ((err = poly1305_process(&st, (unsigned char*)m, 5)) != CRYPT_OK) return err;
if ((err = poly1305_process(&st, (unsigned char*)m + 5, 4)) != CRYPT_OK) return err;
if ((err = poly1305_process(&st, (unsigned char*)m + 9, 3)) != CRYPT_OK) return err;
if ((err = poly1305_process(&st, (unsigned char*)m + 12, 2)) != CRYPT_OK) return err;
if ((err = poly1305_process(&st, (unsigned char*)m + 14, 1)) != CRYPT_OK) return err;
if ((err = poly1305_process(&st, (unsigned char*)m + 15, mlen - 15)) != CRYPT_OK) return err;
if ((err = poly1305_done(&st, out, &len)) != CRYPT_OK) return err;
if (compare_testvector(out, len, tag, sizeof(tag), "POLY1305-TV1", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
/* process in one go */
if ((err = poly1305_init(&st, k, 32)) != CRYPT_OK) return err;
if ((err = poly1305_process(&st, (unsigned char*)m, mlen)) != CRYPT_OK) return err;
if ((err = poly1305_done(&st, out, &len)) != CRYPT_OK) return err;
if (compare_testvector(out, len, tag, sizeof(tag), "POLY1305-TV2", 1) != 0) return CRYPT_FAIL_TESTVECTOR;
return CRYPT_OK;
#endif
}
/**
POLY1305 a file
@param fname The name of the file you wish to POLY1305
@param key The secret key
@param keylen The length of the secret key
@param mac [out] The POLY1305 authentication tag
@param maclen [in/out] The max size and resulting size of the authentication tag
@return CRYPT_OK if successful, CRYPT_NOP if file support has been disabled
*/
int poly1305_file(const char *fname, const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen)
{
#ifdef LTC_NO_FILE
LTC_UNUSED_PARAM(fname);
LTC_UNUSED_PARAM(key);
LTC_UNUSED_PARAM(keylen);
LTC_UNUSED_PARAM(mac);
LTC_UNUSED_PARAM(maclen);
return CRYPT_NOP;
#else
poly1305_state st;
FILE *in;
unsigned char *buf;
size_t x;
int err;
LTC_ARGCHK(fname != NULL);
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(mac != NULL);
LTC_ARGCHK(maclen != NULL);
if ((buf = XMALLOC(LTC_FILE_READ_BUFSIZE)) == NULL) {
return CRYPT_MEM;
}
if ((err = poly1305_init(&st, key, keylen)) != CRYPT_OK) {
goto LBL_ERR;
}
in = fopen(fname, "rb");
if (in == NULL) {
err = CRYPT_FILE_NOTFOUND;
goto LBL_ERR;
}
do {
x = fread(buf, 1, LTC_FILE_READ_BUFSIZE, in);
if ((err = poly1305_process(&st, buf, (unsigned long)x)) != CRYPT_OK) {
fclose(in);
goto LBL_CLEANBUF;
}
} while (x == LTC_FILE_READ_BUFSIZE);
if (fclose(in) != 0) {
err = CRYPT_ERROR;
goto LBL_CLEANBUF;
}
err = poly1305_done(&st, mac, maclen);
LBL_CLEANBUF:
zeromem(buf, LTC_FILE_READ_BUFSIZE);
LBL_ERR:
#ifdef LTC_CLEAN_STACK
zeromem(&st, sizeof(poly1305_state));
#endif
XFREE(buf);
return err;
#endif
}
void
poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) {
poly1305_context ctx;
poly1305_init(&ctx, key);
poly1305_update(&ctx, m, bytes);
poly1305_finish(&ctx, mac);
}
/**
POLY1305 multiple blocks of memory to produce the authentication tag
@param key The secret key
@param keylen The length of the secret key (octets)
@param mac [out] Destination of the authentication tag
@param maclen [in/out] Max size and resulting size of authentication tag
@param in The data to POLY1305
@param inlen The length of the data to POLY1305 (octets)
@param ... tuples of (data,len) pairs to POLY1305, terminated with a (NULL,x) (x=don't care)
@return CRYPT_OK if successful
*/
int poly1305_memory_multi(const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen, const unsigned char *in, unsigned long inlen, ...)
{
poly1305_state st;
int err;
va_list args;
const unsigned char *curptr;
unsigned long curlen;
LTC_ARGCHK(key != NULL);
LTC_ARGCHK(in != NULL);
LTC_ARGCHK(mac != NULL);
LTC_ARGCHK(maclen != NULL);
va_start(args, inlen);
curptr = in;
curlen = inlen;
if ((err = poly1305_init(&st, key, keylen)) != CRYPT_OK) { goto LBL_ERR; }
for (;;) {
if ((err = poly1305_process(&st, curptr, curlen)) != CRYPT_OK) { goto LBL_ERR; }
curptr = va_arg(args, const unsigned char*);
if (curptr == NULL) break;
curlen = va_arg(args, unsigned long);
}
err = poly1305_done(&st, mac, maclen);
LBL_ERR:
#ifdef LTC_CLEAN_STACK
zeromem(&st, sizeof(poly1305_state));
#endif
va_end(args);
return err;
}
int
crypto_onetimeauth_poly1305_donna_init(crypto_onetimeauth_poly1305_state *state,
const unsigned char *key)
{
poly1305_init((poly1305_context *) state, key);
return 0;
}
void Poly1305::key_schedule(const byte key[], size_t)
{
m_buf_pos = 0;
m_buf.resize(16);
m_poly.resize(8);
poly1305_init(m_poly, key);
}
int
crypto_onetimeauth_poly1305_donna(unsigned char *out, const unsigned char *m,
unsigned long long inlen,
const unsigned char *key)
{
poly1305_context ctx;
poly1305_init(&ctx, key);
poly1305_update(&ctx, m, inlen);
poly1305_finish(&ctx, out);
return 0;
}
static inline void
poly1305aes_authenticate(uint8_t out[16],
const uint8_t kr[32],
const uint8_t nonce[16],
const uint8_t *msg,
size_t len)
{
struct poly1305 ctx;
uint8_t encno[16];
poly1305_setkey(&ctx, kr+16);
aes(encno, kr, nonce);
poly1305_init(&ctx, encno);
poly1305_update(&ctx, msg, len);
poly1305_mac(&ctx, out);
}
/**
Set IV + counter data to the ChaCha20Poly1305 state and reset the context
@param st The ChaCha20Poly1305 state
@param iv The IV data to add
@param ivlen The length of the IV (must be 12 or 8)
@return CRYPT_OK on success
*/
int chacha20poly1305_setiv(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen)
{
chacha_state tmp_st;
int i, err;
unsigned char polykey[32];
LTC_ARGCHK(st != NULL);
LTC_ARGCHK(iv != NULL);
LTC_ARGCHK(ivlen == 12 || ivlen == 8);
/* set IV for chacha20 */
if (ivlen == 12) {
/* IV 96bit */
if ((err = chacha_ivctr32(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err;
}
else {
/* IV 64bit */
if ((err = chacha_ivctr64(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err;
}
/* copy chacha20 key to temporary state */
for(i = 0; i < 12; i++) tmp_st.input[i] = st->chacha.input[i];
tmp_st.rounds = 20;
/* set IV */
if (ivlen == 12) {
/* IV 32bit */
if ((err = chacha_ivctr32(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err;
}
else {
/* IV 64bit */
if ((err = chacha_ivctr64(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err;
}
/* (re)generate new poly1305 key */
if ((err = chacha_keystream(&tmp_st, polykey, 32)) != CRYPT_OK) return err;
/* (re)initialise poly1305 */
if ((err = poly1305_init(&st->poly, polykey, 32)) != CRYPT_OK) return err;
st->ctlen = 0;
st->aadlen = 0;
st->aadflg = 1;
return CRYPT_OK;
}
void
CRYPTO_poly1305_init(poly1305_context *ctx, const unsigned char key[32])
{
poly1305_init(ctx, key);
}
/* test a few basic operations */
int
poly1305_power_on_self_test(void) {
/* example from nacl */
static const unsigned char nacl_key[32] = {
0xee,0xa6,0xa7,0x25,0x1c,0x1e,0x72,0x91,
0x6d,0x11,0xc2,0xcb,0x21,0x4d,0x3c,0x25,
0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65,
0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80,
};
static const unsigned char nacl_msg[131] = {
0x8e,0x99,0x3b,0x9f,0x48,0x68,0x12,0x73,
0xc2,0x96,0x50,0xba,0x32,0xfc,0x76,0xce,
0x48,0x33,0x2e,0xa7,0x16,0x4d,0x96,0xa4,
0x47,0x6f,0xb8,0xc5,0x31,0xa1,0x18,0x6a,
0xc0,0xdf,0xc1,0x7c,0x98,0xdc,0xe8,0x7b,
0x4d,0xa7,0xf0,0x11,0xec,0x48,0xc9,0x72,
0x71,0xd2,0xc2,0x0f,0x9b,0x92,0x8f,0xe2,
0x27,0x0d,0x6f,0xb8,0x63,0xd5,0x17,0x38,
0xb4,0x8e,0xee,0xe3,0x14,0xa7,0xcc,0x8a,
0xb9,0x32,0x16,0x45,0x48,0xe5,0x26,0xae,
0x90,0x22,0x43,0x68,0x51,0x7a,0xcf,0xea,
0xbd,0x6b,0xb3,0x73,0x2b,0xc0,0xe9,0xda,
0x99,0x83,0x2b,0x61,0xca,0x01,0xb6,0xde,
0x56,0x24,0x4a,0x9e,0x88,0xd5,0xf9,0xb3,
0x79,0x73,0xf6,0x22,0xa4,0x3d,0x14,0xa6,
0x59,0x9b,0x1f,0x65,0x4c,0xb4,0x5a,0x74,
0xe3,0x55,0xa5
};
static const unsigned char nacl_mac[16] = {
0xf3,0xff,0xc7,0x70,0x3f,0x94,0x00,0xe5,
0x2a,0x7d,0xfb,0x4b,0x3d,0x33,0x05,0xd9
};
/* generates a final value of (2^130 - 2) == 3 */
static const unsigned char wrap_key[32] = {
0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
static const unsigned char wrap_msg[16] = {
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
};
static const unsigned char wrap_mac[16] = {
0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
/*
mac of the macs of messages of length 0 to 256, where the key and messages
have all their values set to the length
*/
static const unsigned char total_key[32] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0xff,0xfe,0xfd,0xfc,0xfb,0xfa,0xf9,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff
};
static const unsigned char total_mac[16] = {
0x64,0xaf,0xe2,0xe8,0xd6,0xad,0x7b,0xbd,
0xd2,0x87,0xf9,0x7c,0x44,0x62,0x3d,0x39
};
poly1305_context ctx;
poly1305_context total_ctx;
unsigned char all_key[32];
unsigned char all_msg[256];
unsigned char mac[16];
size_t i, j;
int result = 1;
for (i = 0; i < sizeof(mac); i++)
mac[i] = 0;
poly1305_auth(mac, nacl_msg, sizeof(nacl_msg), nacl_key);
result &= poly1305_verify(nacl_mac, mac);
for (i = 0; i < sizeof(mac); i++)
mac[i] = 0;
poly1305_init(&ctx, nacl_key);
poly1305_update(&ctx, nacl_msg + 0, 32);
poly1305_update(&ctx, nacl_msg + 32, 64);
poly1305_update(&ctx, nacl_msg + 96, 16);
poly1305_update(&ctx, nacl_msg + 112, 8);
poly1305_update(&ctx, nacl_msg + 120, 4);
poly1305_update(&ctx, nacl_msg + 124, 2);
poly1305_update(&ctx, nacl_msg + 126, 1);
poly1305_update(&ctx, nacl_msg + 127, 1);
poly1305_update(&ctx, nacl_msg + 128, 1);
poly1305_update(&ctx, nacl_msg + 129, 1);
poly1305_update(&ctx, nacl_msg + 130, 1);
poly1305_finish(&ctx, mac);
result &= poly1305_verify(nacl_mac, mac);
for (i = 0; i < sizeof(mac); i++)
mac[i] = 0;
poly1305_auth(mac, wrap_msg, sizeof(wrap_msg), wrap_key);
result &= poly1305_verify(wrap_mac, mac);
poly1305_init(&total_ctx, total_key);
for (i = 0; i < 256; i++) {
/* set key and message to 'i,i,i..' */
for (j = 0; j < sizeof(all_key); j++)
all_key[j] = i;
for (j = 0; j < i; j++)
all_msg[j] = i;
poly1305_auth(mac, all_msg, i, all_key);
poly1305_update(&total_ctx, mac, 16);
}
poly1305_finish(&total_ctx, mac);
result &= poly1305_verify(total_mac, mac);
return result;
}
