From 20400191b65175cbb516bf93b2da1650b3f74b0d Mon Sep 17 00:00:00 2001
Message-Id: <20400191b65175cbb516bf93b2da1650b3f74b0d.1716707249.git.mdw@distorted.org.uk>
From: Mark Wooding <mdw@chiark.greenend.org.uk>
Date: Thu, 26 May 2016 09:26:09 +0100
Subject: [PATCH] symm/poly1305.c: Implement `flushzero' to zero-pad to a block
 boundary.
Organization: Straylight/Edgeware

From: Mark Wooding <mdw@distorted.org.uk>

I prefer plain `flush', but not all implementations expose it.  The
`flushzero' operation is the one wanted by RFC7539 AEAD.
---
 symm/poly1305.c | 25 ++++++++++++++++++++++++-
 symm/poly1305.h | 17 +++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/symm/poly1305.c b/symm/poly1305.c
index 27889574..3a838a83 100644
--- a/symm/poly1305.c
+++ b/symm/poly1305.c
@@ -571,6 +571,7 @@ void poly1305_hash(poly1305_ctx *ctx, const void *p, size_t sz)
  *		far is a whole number of blocks.  Flushing is performed
  *		automatically by @poly1305_done@, but it may be necessary to
  *		force it by hand when using @poly1305_concat@.
+ *		(Alternatively, you might use @poly1305_flushzero@ instead.)
  *
  *		Flushing a partial block has an observable effect on the
  *		computation: the resulting state is (with high probability)
@@ -604,7 +605,29 @@ void poly1305_flush(poly1305_ctx *ctx)
 #endif
 
   mul_r(ctx, ctx->u.P.h, t);
-  ctx->count++;
+  ctx->nbuf = 0; ctx->count++;
+}
+
+/* --- @poly1305_flushzero@ --- *
+ *
+ * Arguments:	@poly1305_ctx *ctx@ = MAC context to flush
+ *
+ * Returns:	---
+ *
+ * Use:		Forces any buffered message data in the context to be
+ *		processed, by hashing between zero and fifteen additional
+ *		zero bytes.  Like @poly1305_flush@, this has no effect if the
+ *		the message processed so far is a whole number of blocks.
+ *		Unlike @poly1305_flush@, the behaviour if the message is not
+ *		a whole number of blocks is equivalent to actually hashing
+ *		some extra data.
+ */
+
+void poly1305_flushzero(poly1305_ctx *ctx)
+{
+  if (!ctx->nbuf) return;
+  memset(ctx->buf + ctx->nbuf, 0, 16 - ctx->nbuf);
+  update_full(ctx, ctx->buf);
   ctx->nbuf = 0;
 }
 
diff --git a/symm/poly1305.h b/symm/poly1305.h
index 14424283..2441ad05 100644
--- a/symm/poly1305.h
+++ b/symm/poly1305.h
@@ -179,6 +179,23 @@ extern void poly1305_hash(poly1305_ctx */*ctx*/,
 
 extern void poly1305_flush(poly1305_ctx */*ctx*/);
 
+/* --- @poly1305_flushzero@ --- *
+ *
+ * Arguments:	@poly1305_ctx *ctx@ = MAC context to flush
+ *
+ * Returns:	---
+ *
+ * Use:		Forces any buffered message data in the context to be
+ *		processed, by hashing between zero and fifteen additional
+ *		zero bytes.  Like @poly1305_flush@, this has no effect if the
+ *		the message processed so far is a whole number of blocks.
+ *		Unlike @poly1305_flush@, the behaviour if the message is not
+ *		a whole number of blocks is equivalent to actually hashing
+ *		some extra data.
+ */
+
+extern void poly1305_flushzero(poly1305_ctx */*ctx*/);
+
 /* --- @poly1305_concat@ --- *
  *
  * Arguments:	@poly1305_ctx *ctx@ = destination context
-- 
[mdw]