int poly1305_test(void) { #ifndef LTC_TEST return CRYPT_NOP; #else /* https://tools.ietf.org/html/rfc7539#section-2.5.2 */ unsigned char k[] = { 0x85, 0xd6, 0xbe, 0x78, 0x57, 0x55, 0x6d, 0x33, 0x7f, 0x44, 0x52, 0xfe, 0x42, 0xd5, 0x06, 0xa8, 0x01, 0x03, 0x80, 0x8a, 0xfb, 0x0d, 0xb2, 0xfd, 0x4a, 0xbf, 0xf6, 0xaf, 0x41, 0x49, 0xf5, 0x1b }; unsigned char tag[] = { 0xA8, 0x06, 0x1D, 0xC1, 0x30, 0x51, 0x36, 0xC6, 0xC2, 0x2B, 0x8B, 0xAF, 0x0C, 0x01, 0x27, 0xA9 }; char m[] = "Cryptographic Forum Research Group"; unsigned long len = 16, mlen = strlen(m); unsigned char out[1000]; poly1305_state st; int err; /* process piece by piece */ if ((err = poly1305_init(&st, k, 32)) != CRYPT_OK) return err; if ((err = poly1305_process(&st, (unsigned char*)m, 5)) != CRYPT_OK) return err; if ((err = poly1305_process(&st, (unsigned char*)m + 5, 4)) != CRYPT_OK) return err; if ((err = poly1305_process(&st, (unsigned char*)m + 9, 3)) != CRYPT_OK) return err; if ((err = poly1305_process(&st, (unsigned char*)m + 12, 2)) != CRYPT_OK) return err; if ((err = poly1305_process(&st, (unsigned char*)m + 14, 1)) != CRYPT_OK) return err; if ((err = poly1305_process(&st, (unsigned char*)m + 15, mlen - 15)) != CRYPT_OK) return err; if ((err = poly1305_done(&st, out, &len)) != CRYPT_OK) return err; if (compare_testvector(out, len, tag, sizeof(tag), "POLY1305-TV1", 1) != 0) return CRYPT_FAIL_TESTVECTOR; /* process in one go */ if ((err = poly1305_init(&st, k, 32)) != CRYPT_OK) return err; if ((err = poly1305_process(&st, (unsigned char*)m, mlen)) != CRYPT_OK) return err; if ((err = poly1305_done(&st, out, &len)) != CRYPT_OK) return err; if (compare_testvector(out, len, tag, sizeof(tag), "POLY1305-TV2", 1) != 0) return CRYPT_FAIL_TESTVECTOR; return CRYPT_OK; #endif }
/** POLY1305 a file @param fname The name of the file you wish to POLY1305 @param key The secret key @param keylen The length of the secret key @param mac [out] The POLY1305 authentication tag @param maclen [in/out] The max size and resulting size of the authentication tag @return CRYPT_OK if successful, CRYPT_NOP if file support has been disabled */ int poly1305_file(const char *fname, const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen) { #ifdef LTC_NO_FILE LTC_UNUSED_PARAM(fname); LTC_UNUSED_PARAM(key); LTC_UNUSED_PARAM(keylen); LTC_UNUSED_PARAM(mac); LTC_UNUSED_PARAM(maclen); return CRYPT_NOP; #else poly1305_state st; FILE *in; unsigned char *buf; size_t x; int err; LTC_ARGCHK(fname != NULL); LTC_ARGCHK(key != NULL); LTC_ARGCHK(mac != NULL); LTC_ARGCHK(maclen != NULL); if ((buf = XMALLOC(LTC_FILE_READ_BUFSIZE)) == NULL) { return CRYPT_MEM; } if ((err = poly1305_init(&st, key, keylen)) != CRYPT_OK) { goto LBL_ERR; } in = fopen(fname, "rb"); if (in == NULL) { err = CRYPT_FILE_NOTFOUND; goto LBL_ERR; } do { x = fread(buf, 1, LTC_FILE_READ_BUFSIZE, in); if ((err = poly1305_process(&st, buf, (unsigned long)x)) != CRYPT_OK) { fclose(in); goto LBL_CLEANBUF; } } while (x == LTC_FILE_READ_BUFSIZE); if (fclose(in) != 0) { err = CRYPT_ERROR; goto LBL_CLEANBUF; } err = poly1305_done(&st, mac, maclen); LBL_CLEANBUF: zeromem(buf, LTC_FILE_READ_BUFSIZE); LBL_ERR: #ifdef LTC_CLEAN_STACK zeromem(&st, sizeof(poly1305_state)); #endif XFREE(buf); return err; #endif }
void poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) { poly1305_context ctx; poly1305_init(&ctx, key); poly1305_update(&ctx, m, bytes); poly1305_finish(&ctx, mac); }
/** POLY1305 multiple blocks of memory to produce the authentication tag @param key The secret key @param keylen The length of the secret key (octets) @param mac [out] Destination of the authentication tag @param maclen [in/out] Max size and resulting size of authentication tag @param in The data to POLY1305 @param inlen The length of the data to POLY1305 (octets) @param ... tuples of (data,len) pairs to POLY1305, terminated with a (NULL,x) (x=don't care) @return CRYPT_OK if successful */ int poly1305_memory_multi(const unsigned char *key, unsigned long keylen, unsigned char *mac, unsigned long *maclen, const unsigned char *in, unsigned long inlen, ...) { poly1305_state st; int err; va_list args; const unsigned char *curptr; unsigned long curlen; LTC_ARGCHK(key != NULL); LTC_ARGCHK(in != NULL); LTC_ARGCHK(mac != NULL); LTC_ARGCHK(maclen != NULL); va_start(args, inlen); curptr = in; curlen = inlen; if ((err = poly1305_init(&st, key, keylen)) != CRYPT_OK) { goto LBL_ERR; } for (;;) { if ((err = poly1305_process(&st, curptr, curlen)) != CRYPT_OK) { goto LBL_ERR; } curptr = va_arg(args, const unsigned char*); if (curptr == NULL) break; curlen = va_arg(args, unsigned long); } err = poly1305_done(&st, mac, maclen); LBL_ERR: #ifdef LTC_CLEAN_STACK zeromem(&st, sizeof(poly1305_state)); #endif va_end(args); return err; }
int crypto_onetimeauth_poly1305_donna_init(crypto_onetimeauth_poly1305_state *state, const unsigned char *key) { poly1305_init((poly1305_context *) state, key); return 0; }
void Poly1305::key_schedule(const byte key[], size_t) { m_buf_pos = 0; m_buf.resize(16); m_poly.resize(8); poly1305_init(m_poly, key); }
int crypto_onetimeauth_poly1305_donna(unsigned char *out, const unsigned char *m, unsigned long long inlen, const unsigned char *key) { poly1305_context ctx; poly1305_init(&ctx, key); poly1305_update(&ctx, m, inlen); poly1305_finish(&ctx, out); return 0; }
static inline void poly1305aes_authenticate(uint8_t out[16], const uint8_t kr[32], const uint8_t nonce[16], const uint8_t *msg, size_t len) { struct poly1305 ctx; uint8_t encno[16]; poly1305_setkey(&ctx, kr+16); aes(encno, kr, nonce); poly1305_init(&ctx, encno); poly1305_update(&ctx, msg, len); poly1305_mac(&ctx, out); }
/** Set IV + counter data to the ChaCha20Poly1305 state and reset the context @param st The ChaCha20Poly1305 state @param iv The IV data to add @param ivlen The length of the IV (must be 12 or 8) @return CRYPT_OK on success */ int chacha20poly1305_setiv(chacha20poly1305_state *st, const unsigned char *iv, unsigned long ivlen) { chacha_state tmp_st; int i, err; unsigned char polykey[32]; LTC_ARGCHK(st != NULL); LTC_ARGCHK(iv != NULL); LTC_ARGCHK(ivlen == 12 || ivlen == 8); /* set IV for chacha20 */ if (ivlen == 12) { /* IV 96bit */ if ((err = chacha_ivctr32(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err; } else { /* IV 64bit */ if ((err = chacha_ivctr64(&st->chacha, iv, ivlen, 1)) != CRYPT_OK) return err; } /* copy chacha20 key to temporary state */ for(i = 0; i < 12; i++) tmp_st.input[i] = st->chacha.input[i]; tmp_st.rounds = 20; /* set IV */ if (ivlen == 12) { /* IV 32bit */ if ((err = chacha_ivctr32(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err; } else { /* IV 64bit */ if ((err = chacha_ivctr64(&tmp_st, iv, ivlen, 0)) != CRYPT_OK) return err; } /* (re)generate new poly1305 key */ if ((err = chacha_keystream(&tmp_st, polykey, 32)) != CRYPT_OK) return err; /* (re)initialise poly1305 */ if ((err = poly1305_init(&st->poly, polykey, 32)) != CRYPT_OK) return err; st->ctlen = 0; st->aadlen = 0; st->aadflg = 1; return CRYPT_OK; }
void CRYPTO_poly1305_init(poly1305_context *ctx, const unsigned char key[32]) { poly1305_init(ctx, key); }
/* test a few basic operations */ int poly1305_power_on_self_test(void) { /* example from nacl */ static const unsigned char nacl_key[32] = { 0xee,0xa6,0xa7,0x25,0x1c,0x1e,0x72,0x91, 0x6d,0x11,0xc2,0xcb,0x21,0x4d,0x3c,0x25, 0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65, 0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80, }; static const unsigned char nacl_msg[131] = { 0x8e,0x99,0x3b,0x9f,0x48,0x68,0x12,0x73, 0xc2,0x96,0x50,0xba,0x32,0xfc,0x76,0xce, 0x48,0x33,0x2e,0xa7,0x16,0x4d,0x96,0xa4, 0x47,0x6f,0xb8,0xc5,0x31,0xa1,0x18,0x6a, 0xc0,0xdf,0xc1,0x7c,0x98,0xdc,0xe8,0x7b, 0x4d,0xa7,0xf0,0x11,0xec,0x48,0xc9,0x72, 0x71,0xd2,0xc2,0x0f,0x9b,0x92,0x8f,0xe2, 0x27,0x0d,0x6f,0xb8,0x63,0xd5,0x17,0x38, 0xb4,0x8e,0xee,0xe3,0x14,0xa7,0xcc,0x8a, 0xb9,0x32,0x16,0x45,0x48,0xe5,0x26,0xae, 0x90,0x22,0x43,0x68,0x51,0x7a,0xcf,0xea, 0xbd,0x6b,0xb3,0x73,0x2b,0xc0,0xe9,0xda, 0x99,0x83,0x2b,0x61,0xca,0x01,0xb6,0xde, 0x56,0x24,0x4a,0x9e,0x88,0xd5,0xf9,0xb3, 0x79,0x73,0xf6,0x22,0xa4,0x3d,0x14,0xa6, 0x59,0x9b,0x1f,0x65,0x4c,0xb4,0x5a,0x74, 0xe3,0x55,0xa5 }; static const unsigned char nacl_mac[16] = { 0xf3,0xff,0xc7,0x70,0x3f,0x94,0x00,0xe5, 0x2a,0x7d,0xfb,0x4b,0x3d,0x33,0x05,0xd9 }; /* generates a final value of (2^130 - 2) == 3 */ static const unsigned char wrap_key[32] = { 0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, }; static const unsigned char wrap_msg[16] = { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff }; static const unsigned char wrap_mac[16] = { 0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00, }; /* mac of the macs of messages of length 0 to 256, where the key and messages have all their values set to the length */ static const unsigned char total_key[32] = { 0x01,0x02,0x03,0x04,0x05,0x06,0x07, 0xff,0xfe,0xfd,0xfc,0xfb,0xfa,0xf9, 0xff,0xff,0xff,0xff,0xff,0xff,0xff, 0xff,0xff,0xff,0xff,0xff,0xff,0xff }; static const unsigned char total_mac[16] = { 0x64,0xaf,0xe2,0xe8,0xd6,0xad,0x7b,0xbd, 0xd2,0x87,0xf9,0x7c,0x44,0x62,0x3d,0x39 }; poly1305_context ctx; poly1305_context total_ctx; unsigned char all_key[32]; unsigned char all_msg[256]; unsigned char mac[16]; size_t i, j; int result = 1; for (i = 0; i < sizeof(mac); i++) mac[i] = 0; poly1305_auth(mac, nacl_msg, sizeof(nacl_msg), nacl_key); result &= poly1305_verify(nacl_mac, mac); for (i = 0; i < sizeof(mac); i++) mac[i] = 0; poly1305_init(&ctx, nacl_key); poly1305_update(&ctx, nacl_msg + 0, 32); poly1305_update(&ctx, nacl_msg + 32, 64); poly1305_update(&ctx, nacl_msg + 96, 16); poly1305_update(&ctx, nacl_msg + 112, 8); poly1305_update(&ctx, nacl_msg + 120, 4); poly1305_update(&ctx, nacl_msg + 124, 2); poly1305_update(&ctx, nacl_msg + 126, 1); poly1305_update(&ctx, nacl_msg + 127, 1); poly1305_update(&ctx, nacl_msg + 128, 1); poly1305_update(&ctx, nacl_msg + 129, 1); poly1305_update(&ctx, nacl_msg + 130, 1); poly1305_finish(&ctx, mac); result &= poly1305_verify(nacl_mac, mac); for (i = 0; i < sizeof(mac); i++) mac[i] = 0; poly1305_auth(mac, wrap_msg, sizeof(wrap_msg), wrap_key); result &= poly1305_verify(wrap_mac, mac); poly1305_init(&total_ctx, total_key); for (i = 0; i < 256; i++) { /* set key and message to 'i,i,i..' */ for (j = 0; j < sizeof(all_key); j++) all_key[j] = i; for (j = 0; j < i; j++) all_msg[j] = i; poly1305_auth(mac, all_msg, i, all_key); poly1305_update(&total_ctx, mac, 16); } poly1305_finish(&total_ctx, mac); result &= poly1305_verify(total_mac, mac); return result; }