void
chacha_poly1305_digest (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *digest)
{
uint8_t buf[8];
if (!ctx->data_size)
{
LE_WRITE_UINT64 (buf, ctx->auth_size);
poly1305_update (ctx, sizeof(buf), buf);
}
LE_WRITE_UINT64 (buf, ctx->data_size);
poly1305_update (ctx, sizeof(buf), buf);
/* Final bytes. FIXME: Duplicated in poly1305_aes128.c */
if (ctx->index > 0)
{
assert (ctx->index < POLY1305_BLOCK_SIZE);
ctx->block[ctx->index] = 1;
memset (ctx->block + ctx->index + 1,
0, POLY1305_BLOCK_SIZE - 1 - ctx->index);
_poly1305_block (&ctx->poly1305, ctx->block, 0);
}
poly1305_digest (&ctx->poly1305, &ctx->s);
memcpy (digest, &ctx->s.b, length);
}
void
poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) {
poly1305_context ctx;
poly1305_init(&ctx, key);
poly1305_update(&ctx, m, bytes);
poly1305_finish(&ctx, mac);
}
void
chacha_poly1305_update (struct chacha_poly1305_ctx *ctx,
size_t length, const uint8_t *data)
{
assert (ctx->data_size == 0);
poly1305_update (ctx, length, data);
ctx->auth_size += length;
}
void
chacha_poly1305_encrypt (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *dst, const uint8_t *src)
{
if (!length)
return;
assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
if (!ctx->data_size)
{
uint8_t buf[8];
LE_WRITE_UINT64 (buf, ctx->auth_size);
poly1305_update (ctx, sizeof(buf), buf);
}
chacha_crypt (&ctx->chacha, length, dst, src);
poly1305_update (ctx, length, dst);
ctx->data_size += length;
}
int
crypto_onetimeauth_poly1305_donna_update(crypto_onetimeauth_poly1305_state *state,
const unsigned char *in,
unsigned long long inlen)
{
poly1305_update((poly1305_context *) state, in, inlen);
return 0;
}
int
crypto_onetimeauth_poly1305_donna(unsigned char *out, const unsigned char *m,
unsigned long long inlen,
const unsigned char *key)
{
poly1305_context ctx;
poly1305_init(&ctx, key);
poly1305_update(&ctx, m, inlen);
poly1305_finish(&ctx, out);
return 0;
}
void
chacha_poly1305_decrypt (struct chacha_poly1305_ctx *ctx,
size_t length, uint8_t *dst, const uint8_t *src)
{
if (!length)
return;
assert (ctx->data_size % CHACHA_POLY1305_BLOCK_SIZE == 0);
poly1305_pad (ctx);
poly1305_update (ctx, length, src);
chacha_crypt (&ctx->chacha, length, dst, src);
ctx->data_size += length;
}
static inline void
poly1305aes_authenticate(uint8_t out[16],
const uint8_t kr[32],
const uint8_t nonce[16],
const uint8_t *msg,
size_t len)
{
struct poly1305 ctx;
uint8_t encno[16];
poly1305_setkey(&ctx, kr+16);
aes(encno, kr, nonce);
poly1305_init(&ctx, encno);
poly1305_update(&ctx, msg, len);
poly1305_mac(&ctx, out);
}
void
CRYPTO_poly1305_update(poly1305_context *ctx, const unsigned char *in,
size_t len)
{
poly1305_update(ctx, in, len);
}
/* test a few basic operations */
int
poly1305_power_on_self_test(void) {
/* example from nacl */
static const unsigned char nacl_key[32] = {
0xee,0xa6,0xa7,0x25,0x1c,0x1e,0x72,0x91,
0x6d,0x11,0xc2,0xcb,0x21,0x4d,0x3c,0x25,
0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65,
0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80,
};
static const unsigned char nacl_msg[131] = {
0x8e,0x99,0x3b,0x9f,0x48,0x68,0x12,0x73,
0xc2,0x96,0x50,0xba,0x32,0xfc,0x76,0xce,
0x48,0x33,0x2e,0xa7,0x16,0x4d,0x96,0xa4,
0x47,0x6f,0xb8,0xc5,0x31,0xa1,0x18,0x6a,
0xc0,0xdf,0xc1,0x7c,0x98,0xdc,0xe8,0x7b,
0x4d,0xa7,0xf0,0x11,0xec,0x48,0xc9,0x72,
0x71,0xd2,0xc2,0x0f,0x9b,0x92,0x8f,0xe2,
0x27,0x0d,0x6f,0xb8,0x63,0xd5,0x17,0x38,
0xb4,0x8e,0xee,0xe3,0x14,0xa7,0xcc,0x8a,
0xb9,0x32,0x16,0x45,0x48,0xe5,0x26,0xae,
0x90,0x22,0x43,0x68,0x51,0x7a,0xcf,0xea,
0xbd,0x6b,0xb3,0x73,0x2b,0xc0,0xe9,0xda,
0x99,0x83,0x2b,0x61,0xca,0x01,0xb6,0xde,
0x56,0x24,0x4a,0x9e,0x88,0xd5,0xf9,0xb3,
0x79,0x73,0xf6,0x22,0xa4,0x3d,0x14,0xa6,
0x59,0x9b,0x1f,0x65,0x4c,0xb4,0x5a,0x74,
0xe3,0x55,0xa5
};
static const unsigned char nacl_mac[16] = {
0xf3,0xff,0xc7,0x70,0x3f,0x94,0x00,0xe5,
0x2a,0x7d,0xfb,0x4b,0x3d,0x33,0x05,0xd9
};
/* generates a final value of (2^130 - 2) == 3 */
static const unsigned char wrap_key[32] = {
0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
static const unsigned char wrap_msg[16] = {
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
};
static const unsigned char wrap_mac[16] = {
0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
/*
mac of the macs of messages of length 0 to 256, where the key and messages
have all their values set to the length
*/
static const unsigned char total_key[32] = {
0x01,0x02,0x03,0x04,0x05,0x06,0x07,
0xff,0xfe,0xfd,0xfc,0xfb,0xfa,0xf9,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff
};
static const unsigned char total_mac[16] = {
0x64,0xaf,0xe2,0xe8,0xd6,0xad,0x7b,0xbd,
0xd2,0x87,0xf9,0x7c,0x44,0x62,0x3d,0x39
};
poly1305_context ctx;
poly1305_context total_ctx;
unsigned char all_key[32];
unsigned char all_msg[256];
unsigned char mac[16];
size_t i, j;
int result = 1;
for (i = 0; i < sizeof(mac); i++)
mac[i] = 0;
poly1305_auth(mac, nacl_msg, sizeof(nacl_msg), nacl_key);
result &= poly1305_verify(nacl_mac, mac);
for (i = 0; i < sizeof(mac); i++)
mac[i] = 0;
poly1305_init(&ctx, nacl_key);
poly1305_update(&ctx, nacl_msg + 0, 32);
poly1305_update(&ctx, nacl_msg + 32, 64);
poly1305_update(&ctx, nacl_msg + 96, 16);
poly1305_update(&ctx, nacl_msg + 112, 8);
poly1305_update(&ctx, nacl_msg + 120, 4);
poly1305_update(&ctx, nacl_msg + 124, 2);
poly1305_update(&ctx, nacl_msg + 126, 1);
poly1305_update(&ctx, nacl_msg + 127, 1);
poly1305_update(&ctx, nacl_msg + 128, 1);
poly1305_update(&ctx, nacl_msg + 129, 1);
poly1305_update(&ctx, nacl_msg + 130, 1);
poly1305_finish(&ctx, mac);
result &= poly1305_verify(nacl_mac, mac);
for (i = 0; i < sizeof(mac); i++)
mac[i] = 0;
poly1305_auth(mac, wrap_msg, sizeof(wrap_msg), wrap_key);
result &= poly1305_verify(wrap_mac, mac);
poly1305_init(&total_ctx, total_key);
for (i = 0; i < 256; i++) {
/* set key and message to 'i,i,i..' */
for (j = 0; j < sizeof(all_key); j++)
all_key[j] = i;
for (j = 0; j < i; j++)
all_msg[j] = i;
poly1305_auth(mac, all_msg, i, all_key);
poly1305_update(&total_ctx, mac, 16);
}
poly1305_finish(&total_ctx, mac);
result &= poly1305_verify(total_mac, mac);
return result;
}
