* far is a whole number of blocks. Flushing is performed
* automatically by @poly1305_done@, but it may be necessary to
* force it by hand when using @poly1305_concat@.
+ * (Alternatively, you might use @poly1305_flushzero@ instead.)
*
* Flushing a partial block has an observable effect on the
* computation: the resulting state is (with high probability)
#endif
mul_r(ctx, ctx->u.P.h, t);
- ctx->count++;
+ ctx->nbuf = 0; ctx->count++;
+}
+
+/* --- @poly1305_flushzero@ --- *
+ *
+ * Arguments: @poly1305_ctx *ctx@ = MAC context to flush
+ *
+ * Returns: ---
+ *
+ * Use: Forces any buffered message data in the context to be
+ * processed, by hashing between zero and fifteen additional
+ * zero bytes. Like @poly1305_flush@, this has no effect if the
+ * the message processed so far is a whole number of blocks.
+ * Unlike @poly1305_flush@, the behaviour if the message is not
+ * a whole number of blocks is equivalent to actually hashing
+ * some extra data.
+ */
+
+void poly1305_flushzero(poly1305_ctx *ctx)
+{
+ if (!ctx->nbuf) return;
+ memset(ctx->buf + ctx->nbuf, 0, 16 - ctx->nbuf);
+ update_full(ctx, ctx->buf);
ctx->nbuf = 0;
}
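Review bot: The header comment for `poly1305_flushzero` should state that the zero padding is ambiguous: since the function zero-fills the rest of `ctx->buf` and passes it to `update_full`, a buffered tail and the same tail followed by explicit zero bytes up to the block boundary leave the context in the same state. A caller that uses this to delimit fields therefore has to authenticate the field lengths separately; I would add a line such as `* Note that the padding is not injective: encode lengths separately if the boundary matters.` to the "Use:" paragraph. The same paragraph has a doubled word ("if the the message"). The body also assumes `ctx->nbuf` is below 16, an invariant maintained outside this hunk.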
#include <mLib/testrig.h>
+#include "rijndael-ecb.h"
+
static int vrf_hash(dstr v[])
{
poly1305_key k;
return (ok);
}
+#define MSZMAX 1000
+
+static int vrf_mct(dstr v[])
+{
+ unsigned j, msz;
+ unsigned long i, niter;
+ rijndael_ecbctx rij;
+ poly1305_key key;
+ poly1305_ctx mac;
+ dstr d = DSTR_INIT;
+ octet k[16], r[16], n[16], s[16], *t, m[MSZMAX] = { 0 };
+ int ok = 1;
+
+ if (v[0].len != sizeof(k)) { fprintf(stderr, "AES key len\n"); exit(2); }
+ if (v[1].len != sizeof(r)) { fprintf(stderr, "poly key len\n"); exit(2); }
+ if (v[2].len != sizeof(n)) { fprintf(stderr, "nonce len\n"); exit(2); }
+ if (v[4].len != sizeof(n)) { fprintf(stderr, "result len\n"); exit(2); }
+ memcpy(k, v[0].buf, sizeof(k));
+ memcpy(r, v[1].buf, sizeof(k));
+ memcpy(n, v[2].buf, sizeof(k));
+ niter = *(unsigned long *)v[3].buf;
+ dstr_ensure(&d, 16); d.len = 16; t = (octet *)d.buf;
+
+ rijndael_ecbinit(&rij, k, sizeof(k), 0);
+ poly1305_keyinit(&key, r, sizeof(r));
+ for (i = 0; i < niter; i++) {
+ msz = 0;
+ for (;;) {
+ rijndael_ecbencrypt(&rij, n, s, 16);
+ poly1305_macinit(&mac, &key, s);
+ poly1305_hash(&mac, m, msz);
+ poly1305_done(&mac, t);
+ if (msz >= MSZMAX) break;
+ n[0] ^= i&0xff;
+ for (j = 0; j < 16; j++) n[j] ^= t[j];
+ if (msz%2) {
+ for (j = 0; j < 16; j++) k[j] ^= t[j];
+ rijndael_ecbinit(&rij, k, sizeof(k), 0);
+ }
+ if (msz%3) {
+ for (j = 0; j < 16; j++) r[j] ^= t[j];
+ poly1305_keyinit(&key, r, sizeof(r));
+ }
+ m[msz++] ^= t[0];
+ }
+ }
+
+ if (memcmp(t, v[4].buf, 16) != 0) {
+ ok = 0;
+ fprintf(stderr, "failed...");
+ fprintf(stderr, "\n\tinitial k = "); type_hex.dump(&v[0], stderr);
+ fprintf(stderr, "\n\tinitial r = "); type_hex.dump(&v[1], stderr);
+ fprintf(stderr, "\n\tinitial n = "); type_hex.dump(&v[2], stderr);
+ fprintf(stderr, "\n\titerations = %lu", niter);
+ fprintf(stderr, "\n\texpected = "); type_hex.dump(&v[4], stderr);
+ fprintf(stderr, "\n\tcalculated = "); type_hex.dump(&d, stderr);
+ fputc('\n', stderr);
+ }
+
+ dstr_destroy(&d);
+ return (ok);
+}
+
static const struct test_chunk tests[] = {
{ "poly1305-hash", vrf_hash,
{ &type_hex, &type_hex, &type_hex, &type_hex } },
{ "poly1305-cat", vrf_cat,
{ &type_hex, &type_hex, &type_hex, &type_hex, &type_hex, &type_hex } },
+ { "poly1305-mct", vrf_mct,
+ { &type_hex, &type_hex, &type_hex, &type_ulong, &type_hex } },
{ 0, 0, { 0 } }
};
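Review bot: In `vrf_mct` the copies into `r` and `n` are sized by `sizeof(k)`, and the result-length check compares `v[4].len` with `sizeof(n)` rather than with the 16-byte tag size used by the final `memcmp`. All of these arrays are 16 bytes today, so nothing overflows, but the length guards above only protect the copies while the sizes happen to agree. I would write `memcpy(r, v[1].buf, sizeof(r));` and `memcpy(n, v[2].buf, sizeof(n));`. Separately, `niter = *(unsigned long *)v[3].buf;` reads through a cast of a byte buffer whose length is not checked here (presumably the test rig's `type_ulong` guarantees it); `memcpy(&niter, v[3].buf, sizeof(niter));` would not depend on the buffer's alignment.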