Skip to content
GitLab
Projects
Groups
Snippets
Help
Loading...
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
N
nettle
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Labels
Merge Requests
5
Merge Requests
5
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Commits
Open sidebar
Nettle
nettle
Commits
563df21b
Commit
563df21b
authored
Jan 20, 2014
by
Niels Möller
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'poly1305' into 'master'.
parents
4c4f6647
5d6be1bc
Changes
12
Hide whitespace changes
Inline
Side-by-side
Showing
12 changed files
with
793 additions
and
2 deletions
+793
-2
ChangeLog
ChangeLog
+129
-0
Makefile.in
Makefile.in
+2
-1
asm.m4
asm.m4
+10
-0
configure.ac
configure.ac
+1
-1
examples/nettle-benchmark.c
examples/nettle-benchmark.c
+21
-0
poly1305-aes.c
poly1305-aes.c
+78
-0
poly1305-internal.c
poly1305-internal.c
+170
-0
poly1305.h
poly1305.h
+120
-0
testsuite/.test-rules.make
testsuite/.test-rules.make
+3
-0
testsuite/Makefile.in
testsuite/Makefile.in
+1
-0
testsuite/poly1305-test.c
testsuite/poly1305-test.c
+86
-0
x86_64/poly1305-internal.asm
x86_64/poly1305-internal.asm
+172
-0
No files found.
ChangeLog
View file @
563df21b
2014-01-20 Niels Möller <nisse@lysator.liu.se>
Merged poly1305-changes (starting at 2013-11-08).
* x86_64/poly1305-internal.asm: Update to new interface.
poly1305_digest much simplified.
* poly1305.h (struct poly1305_ctx): Moved block and index
fields...
(struct poly1305_aes_ctx): ... to here.
* asm.m4: Delete also from the assembly definition of struct
poly1305_ctx.
* poly1305-internal.c (poly1305_digest): Don't do final padding
here, leave that to caller. Add digest to the provided nonce s,
and deleted length and dst arguments. Also reset h0-h4 to zero
when done.
(_poly1305_block): Renamed, from...
(poly1305_block): ...old name.
* poly1305-aes.c (poly1305_aes_update): New function.
(poly1305_aes_digest): Update for poly1305_digest changes, do
final padding here.
* poly1305.c (poly1305_update): Deleted file and function. Moved
to poly1305-aes.c.
* Makefile.in (nettle_SOURCES): Deleted poly1305.c.
2014-01-17 Niels Möller <nisse@lysator.liu.se>
* poly1305-internal.c (poly1305_block): Additional argument with
the high bit.
(poly1305_block_internal): Deleted function, code moved into the
poly1305_block.
(poly1305_digest): Simplified padding code, call poly1305_block
with high bit 0.
* poly1305.h (poly1305_block): Update prototype.
* poly1305.c (poly1305_update): Call poly1305_block with high bit 1.
* x86_64/poly1305-internal.asm (poly1305_block): Handle new
argument.
* poly1305.h (struct poly1305_ctx): Moved nonce field from here...
(struct poly1305_aes_ctx): ... to here.
* poly1305-aes.c (poly1305_aes_set_nonce, poly1305_aes_digest):
Updated for above.
* poly1305.c (poly1305_set_nonce): Deleted function.
* asm.m4: Delete nonce also from the assembly definition of struct
poly1305_ctx.
2014-01-16 Niels Möller <nisse@lysator.liu.se>
* poly1305-aes.c: Include poly1305.c. Rewrite functions without
using the POLY1305_* macros.
* Makefile.in (HEADERS): Deleted poly1305-aes.h.
* poly1305.h (POLY1305_CTX, POLY1305_SET_KEY, POLY1305_SET_NONCE)
(POLY1305_DIGEST): Deleted macros. Only implemented variant is
poly1305-aes.
(POLY1305_DIGEST_SIZE, POLY1305_BLOCK_SIZE, POLY1305_KEY_SIZE):
New constants.
(POLY1305_AES_KEY_SIZE, POLY1305_AES_DIGEST_SIZE): Moved here,
from poly1305-aes.h.
(struct poly1305_aes_ctx): Likewise.
(poly1305_aes_set_key, poly1305_aes_set_nonce)
(poly1305_aes_update, poly1305_aes_digest): Likewise.
* poly1305-aes.h: Deleted file, declarations moved to poly1305.h.
Update all users.
* poly1305-internal.c (s2, s3, s4): Fixed macros.
* poly1305-aes.h (struct poly1305_aes_ctx): Replace struct aes_ctx
by struct aes128_ctx.
* poly1305-aes.c (poly1305_aes_set_key, poly1305_aes_digest):
Update to use aes128_* functions.
* poly1305.h (POLY1305_SET_KEY): Drop key size argument when
calling set_key.
2013-12-19 Niels Möller <nisse@lysator.liu.se>
* poly1305-aes.h (poly1305_aes_update): Define as an alias for
poly1305_update, using preprocessor and a type cast.
* poly1305-aes.c (poly1305_aes_update): Deleted function.
* poly1305.h (poly1305_update): Declare.
(_POLY1305_BLOCK, POLY1305_UPDATE): Deleted macros.
* poly1305.c (poly1305_update): New function.
2013-11-21 Niels Möller <nisse@lysator.liu.se>
* x86_64/poly1305-internal.asm: New file. Almost a factor of two
speedup.
* configure.ac (asm_replace_list): Added poly1305-internal.asm.
* asm.m4: Define struct ffsets for 64-bit poly1305_ctx.
* poly1305.h (POLY1305_DIGEST): Pass the encrypted nonce as an
additional argument to poly1305_digest.
(struct poly1305_ctx): Introduce unions, to support either 26-bit
or 64-bit implementation.
* poly1305-internal.c (poly1305_digest): Added s argument.
* poly1305.c (poly1305_set_s): Deleted function.
2013-11-12 Niels Möller <nisse@lysator.liu.se>
* poly1305-internal.c: New file, for poly1305 functions depending
on the internal mod (2^130 - 5) representation.
(poly1305_block_internal): New helper function.
(poly1305_block, poly1305_digest): Use it.
2013-11-08 Nikos Mavrogiannopoulos <nmav@gnutls.org>
* poly1305.h: New file.
* poly1305.c: New file.
* poly1305-aes.h: New file.
* poly1305-aes.c: New file.
* Makefile.in (nettle_SOURCES): Added poly1305-aes.c and poly1305.c.
(HEADERS): Added poly1305-aes.h and poly1305.h.
* testsuite/poly1305-test.c: New file.
* testsuite/Makefile.in (TS_NETTLE_SOURCES): Added poly1305-test.c.
* examples/nettle-benchmark.c (time_poly1305_aes): New function.
(main): Benchmark poly1305.
2014-01-20 Niels Möller <nisse@lysator.liu.se>
* Makefile.in (nettle_SOURCES): Added salsa20-set-nonce.c,
...
...
Makefile.in
View file @
563df21b
...
...
@@ -105,6 +105,7 @@ nettle_SOURCES = aes-decrypt-internal.c aes-decrypt.c \
serpent-set-key.c serpent-encrypt.c serpent-decrypt.c
\
serpent-meta.c
\
twofish.c twofish-meta.c
\
poly1305-aes.c poly1305-internal.c
\
umac-nh.c umac-nh-n.c umac-l2.c umac-l3.c
\
umac-poly64.c umac-poly128.c umac-set-key.c
\
umac32.c umac64.c umac96.c umac128.c
\
...
...
@@ -164,7 +165,7 @@ HEADERS = aes.h arcfour.h arctwo.h asn1.h bignum.h blowfish.h \
pgp.h pkcs1.h realloc.h ripemd160.h rsa.h rsa-compat.h
\
salsa20.h sexp.h
\
serpent.h sha.h sha1.h sha2.h sha3.h twofish.h
\
umac.h yarrow.h
umac.h yarrow.h
poly1305.h
INSTALL_HEADERS
=
$(HEADERS)
nettle-stdint.h
...
...
asm.m4
View file @
563df21b
...
...
@@ -76,4 +76,14 @@ STRUCTURE(AES)
STRUCT(TABLE2, AES_TABLE_SIZE)
STRUCT(TABLE3, AES_TABLE_SIZE)
C For 64-bit implementation
STRUCTURE(P1305)
STRUCT(R0, 8)
STRUCT(R1, 8)
STRUCT(S1, 8)
STRUCT(PAD, 12)
STRUCT(H2, 4)
STRUCT(H0, 8)
STRUCT(H1, 8)
divert
configure.ac
View file @
563df21b
...
...
@@ -262,7 +262,7 @@ fi
# to a new object file).
asm_replace_list="aes-encrypt-internal.asm aes-decrypt-internal.asm \
arcfour-crypt.asm camellia-crypt-internal.asm \
md5-compress.asm memxor.asm \
md5-compress.asm memxor.asm
poly1305-internal.asm
\
salsa20-crypt.asm salsa20-core-internal.asm \
serpent-encrypt.asm serpent-decrypt.asm \
sha1-compress.asm sha256-compress.asm sha512-compress.asm \
...
...
examples/nettle-benchmark.c
View file @
563df21b
...
...
@@ -56,6 +56,7 @@
#include "sha3.h"
#include "twofish.h"
#include "umac.h"
#include "poly1305.h"
#include "nettle-meta.h"
#include "nettle-internal.h"
...
...
@@ -398,6 +399,23 @@ time_umac(void)
time_function
(
bench_hash
,
&
info
));
}
static
void
time_poly1305_aes
(
void
)
{
static
uint8_t
data
[
BENCH_BLOCK
];
struct
bench_hash_info
info
;
struct
poly1305_aes_ctx
ctx
;
uint8_t
key
[
32
];
poly1305_aes_set_key
(
&
ctx
,
key
);
info
.
ctx
=
&
ctx
;
info
.
update
=
(
nettle_hash_update_func
*
)
poly1305_aes_update
;
info
.
data
=
data
;
display
(
"poly1305-aes"
,
"update"
,
1024
,
time_function
(
bench_hash
,
&
info
));
}
static
void
time_gcm
(
void
)
{
...
...
@@ -718,6 +736,9 @@ main(int argc, char **argv)
if
(
!
alg
||
strstr
(
"umac"
,
alg
))
time_umac
();
if
(
!
alg
||
strstr
(
"poly1305-aes"
,
alg
))
time_poly1305_aes
();
for
(
i
=
0
;
ciphers
[
i
];
i
++
)
if
(
!
alg
||
strstr
(
ciphers
[
i
]
->
name
,
alg
))
time_cipher
(
ciphers
[
i
]);
...
...
poly1305-aes.c
0 → 100644
View file @
563df21b
/* nettle, low-level cryptographics library
*
* Copyright (C) 2013 Nikos Mavrogiannopoulos
* Copyright (C) 2014 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02111-1301, USA.
*/
#if HAVE_CONFIG_H
#include "config.h"
#endif
#include <assert.h>
#include <string.h>
#include "poly1305.h"
#include "macros.h"
void
poly1305_aes_set_key
(
struct
poly1305_aes_ctx
*
ctx
,
const
uint8_t
*
key
)
{
aes128_set_encrypt_key
(
&
ctx
->
aes
,
(
key
));
poly1305_set_key
(
&
ctx
->
pctx
,
(
key
+
16
));
ctx
->
index
=
0
;
}
void
poly1305_aes_set_nonce
(
struct
poly1305_aes_ctx
*
ctx
,
const
uint8_t
*
nonce
)
{
memcpy
(
ctx
->
nonce
,
nonce
,
POLY1305_AES_NONCE_SIZE
);
}
#define COMPRESS(ctx, data) _poly1305_block(&(ctx)->pctx, (data), 1)
void
poly1305_aes_update
(
struct
poly1305_aes_ctx
*
ctx
,
size_t
length
,
const
uint8_t
*
data
)
{
MD_UPDATE
(
ctx
,
length
,
data
,
COMPRESS
,
(
void
)
0
);
}
void
poly1305_aes_digest
(
struct
poly1305_aes_ctx
*
ctx
,
size_t
length
,
uint8_t
*
digest
)
{
uint8_t
s
[
POLY1305_BLOCK_SIZE
];
/* final bytes */
if
(
ctx
->
index
>
0
)
{
assert
(
ctx
->
index
<
POLY1305_BLOCK_SIZE
);
ctx
->
block
[
ctx
->
index
]
=
1
;
memset
(
ctx
->
block
+
ctx
->
index
+
1
,
0
,
POLY1305_BLOCK_SIZE
-
1
-
ctx
->
index
);
_poly1305_block
(
&
ctx
->
pctx
,
ctx
->
block
,
0
);
}
aes128_encrypt
(
&
ctx
->
aes
,
POLY1305_BLOCK_SIZE
,
s
,
ctx
->
nonce
);
poly1305_digest
(
&
ctx
->
pctx
,
s
);
memcpy
(
digest
,
s
,
length
);
INCREMENT
(
16
,
ctx
->
nonce
);
ctx
->
index
=
0
;
}
poly1305-internal.c
0 → 100644
View file @
563df21b
/* nettle, low-level cryptographics library
*
* Placed by the author under public domain or the MIT license.
* (see https://github.com/floodyberry/poly1305-donna )
* Modified for nettle by Nikos Mavrogiannopoulos and Niels Möller.
*
* Copyright: 2012-2013 Andrew M. (floodyberry)
* Copyright: 2013 Nikos Mavrogiannopoulos
* Copyright: 2013 Niels Möller
*
* Permission is hereby granted, free of charge, to any person obtaining a
* copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be included
* in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.
* IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY
* CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
* TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#if HAVE_CONFIG_H
#include "config.h"
#endif
#include <assert.h>
#include <string.h>
#include "poly1305.h"
#include "macros.h"
#define mul32x32_64(a,b) ((uint64_t)(a) * (b))
#define r0 r.r32[0]
#define r1 r.r32[1]
#define r2 r.r32[2]
#define r3 r.r32[3]
#define r4 r.r32[4]
#define s1 r.r32[5]
#define s2 s32[0]
#define s3 s32[1]
#define s4 s32[2]
#define h0 h.h32[0]
#define h1 h.h32[1]
#define h2 h.h32[2]
#define h3 h.h32[3]
#define h4 hh
void
poly1305_set_key
(
struct
poly1305_ctx
*
ctx
,
const
uint8_t
key
[
16
])
{
uint32_t
t0
,
t1
,
t2
,
t3
;
t0
=
LE_READ_UINT32
(
key
);
t1
=
LE_READ_UINT32
(
key
+
4
);
t2
=
LE_READ_UINT32
(
key
+
8
);
t3
=
LE_READ_UINT32
(
key
+
12
);
ctx
->
r0
=
t0
&
0x3ffffff
;
t0
>>=
26
;
t0
|=
t1
<<
6
;
ctx
->
r1
=
t0
&
0x3ffff03
;
t1
>>=
20
;
t1
|=
t2
<<
12
;
ctx
->
r2
=
t1
&
0x3ffc0ff
;
t2
>>=
14
;
t2
|=
t3
<<
18
;
ctx
->
r3
=
t2
&
0x3f03fff
;
t3
>>=
8
;
ctx
->
r4
=
t3
&
0x00fffff
;
ctx
->
s1
=
ctx
->
r1
*
5
;
ctx
->
s2
=
ctx
->
r2
*
5
;
ctx
->
s3
=
ctx
->
r3
*
5
;
ctx
->
s4
=
ctx
->
r4
*
5
;
ctx
->
h0
=
0
;
ctx
->
h1
=
0
;
ctx
->
h2
=
0
;
ctx
->
h3
=
0
;
ctx
->
h4
=
0
;
}
void
_poly1305_block
(
struct
poly1305_ctx
*
ctx
,
const
uint8_t
m
[
16
],
unsigned
t4
)
{
uint32_t
t0
,
t1
,
t2
,
t3
;
uint32_t
b
;
uint64_t
t
[
5
];
uint64_t
c
;
t0
=
LE_READ_UINT32
(
m
);
t1
=
LE_READ_UINT32
(
m
+
4
);
t2
=
LE_READ_UINT32
(
m
+
8
);
t3
=
LE_READ_UINT32
(
m
+
12
);
ctx
->
h0
+=
t0
&
0x3ffffff
;
ctx
->
h1
+=
((((
uint64_t
)
t1
<<
32
)
|
t0
)
>>
26
)
&
0x3ffffff
;
ctx
->
h2
+=
((((
uint64_t
)
t2
<<
32
)
|
t1
)
>>
20
)
&
0x3ffffff
;
ctx
->
h3
+=
((((
uint64_t
)
t3
<<
32
)
|
t2
)
>>
14
)
&
0x3ffffff
;
ctx
->
h4
+=
(
t3
>>
8
)
|
((
uint32_t
)
t4
<<
24
);
/* poly1305_donna_mul: */
t
[
0
]
=
mul32x32_64
(
ctx
->
h0
,
ctx
->
r0
)
+
mul32x32_64
(
ctx
->
h1
,
ctx
->
s4
)
+
mul32x32_64
(
ctx
->
h2
,
ctx
->
s3
)
+
mul32x32_64
(
ctx
->
h3
,
ctx
->
s2
)
+
mul32x32_64
(
ctx
->
h4
,
ctx
->
s1
);
t
[
1
]
=
mul32x32_64
(
ctx
->
h0
,
ctx
->
r1
)
+
mul32x32_64
(
ctx
->
h1
,
ctx
->
r0
)
+
mul32x32_64
(
ctx
->
h2
,
ctx
->
s4
)
+
mul32x32_64
(
ctx
->
h3
,
ctx
->
s3
)
+
mul32x32_64
(
ctx
->
h4
,
ctx
->
s2
);
t
[
2
]
=
mul32x32_64
(
ctx
->
h0
,
ctx
->
r2
)
+
mul32x32_64
(
ctx
->
h1
,
ctx
->
r1
)
+
mul32x32_64
(
ctx
->
h2
,
ctx
->
r0
)
+
mul32x32_64
(
ctx
->
h3
,
ctx
->
s4
)
+
mul32x32_64
(
ctx
->
h4
,
ctx
->
s3
);
t
[
3
]
=
mul32x32_64
(
ctx
->
h0
,
ctx
->
r3
)
+
mul32x32_64
(
ctx
->
h1
,
ctx
->
r2
)
+
mul32x32_64
(
ctx
->
h2
,
ctx
->
r1
)
+
mul32x32_64
(
ctx
->
h3
,
ctx
->
r0
)
+
mul32x32_64
(
ctx
->
h4
,
ctx
->
s4
);
t
[
4
]
=
mul32x32_64
(
ctx
->
h0
,
ctx
->
r4
)
+
mul32x32_64
(
ctx
->
h1
,
ctx
->
r3
)
+
mul32x32_64
(
ctx
->
h2
,
ctx
->
r2
)
+
mul32x32_64
(
ctx
->
h3
,
ctx
->
r1
)
+
mul32x32_64
(
ctx
->
h4
,
ctx
->
r0
);
ctx
->
h0
=
(
uint32_t
)
t
[
0
]
&
0x3ffffff
;
c
=
(
t
[
0
]
>>
26
);
t
[
1
]
+=
c
;
ctx
->
h1
=
(
uint32_t
)
t
[
1
]
&
0x3ffffff
;
b
=
(
uint32_t
)(
t
[
1
]
>>
26
);
t
[
2
]
+=
b
;
ctx
->
h2
=
(
uint32_t
)
t
[
2
]
&
0x3ffffff
;
b
=
(
uint32_t
)(
t
[
2
]
>>
26
);
t
[
3
]
+=
b
;
ctx
->
h3
=
(
uint32_t
)
t
[
3
]
&
0x3ffffff
;
b
=
(
uint32_t
)(
t
[
3
]
>>
26
);
t
[
4
]
+=
b
;
ctx
->
h4
=
(
uint32_t
)
t
[
4
]
&
0x3ffffff
;
b
=
(
uint32_t
)(
t
[
4
]
>>
26
);
ctx
->
h0
+=
b
*
5
;
}
/* Adds digest to the nonce */
void
poly1305_digest
(
struct
poly1305_ctx
*
ctx
,
uint8_t
*
s
)
{
uint32_t
b
,
nb
;
uint64_t
f0
,
f1
,
f2
,
f3
;
uint32_t
g0
,
g1
,
g2
,
g3
,
g4
;
b
=
ctx
->
h0
>>
26
;
ctx
->
h0
=
ctx
->
h0
&
0x3ffffff
;
ctx
->
h1
+=
b
;
b
=
ctx
->
h1
>>
26
;
ctx
->
h1
=
ctx
->
h1
&
0x3ffffff
;
ctx
->
h2
+=
b
;
b
=
ctx
->
h2
>>
26
;
ctx
->
h2
=
ctx
->
h2
&
0x3ffffff
;
ctx
->
h3
+=
b
;
b
=
ctx
->
h3
>>
26
;
ctx
->
h3
=
ctx
->
h3
&
0x3ffffff
;
ctx
->
h4
+=
b
;
b
=
ctx
->
h4
>>
26
;
ctx
->
h4
=
ctx
->
h4
&
0x3ffffff
;
ctx
->
h0
+=
b
*
5
;
b
=
ctx
->
h0
>>
26
;
ctx
->
h0
=
ctx
->
h0
&
0x3ffffff
;
ctx
->
h1
+=
b
;
g0
=
ctx
->
h0
+
5
;
b
=
g0
>>
26
;
g0
&=
0x3ffffff
;
g1
=
ctx
->
h1
+
b
;
b
=
g1
>>
26
;
g1
&=
0x3ffffff
;
g2
=
ctx
->
h2
+
b
;
b
=
g2
>>
26
;
g2
&=
0x3ffffff
;
g3
=
ctx
->
h3
+
b
;
b
=
g3
>>
26
;
g3
&=
0x3ffffff
;
g4
=
ctx
->
h4
+
b
-
(
1
<<
26
);
b
=
(
g4
>>
31
)
-
1
;
nb
=
~
b
;
ctx
->
h0
=
(
ctx
->
h0
&
nb
)
|
(
g0
&
b
);
ctx
->
h1
=
(
ctx
->
h1
&
nb
)
|
(
g1
&
b
);
ctx
->
h2
=
(
ctx
->
h2
&
nb
)
|
(
g2
&
b
);
ctx
->
h3
=
(
ctx
->
h3
&
nb
)
|
(
g3
&
b
);
ctx
->
h4
=
(
ctx
->
h4
&
nb
)
|
(
g4
&
b
);
f0
=
((
ctx
->
h0
)
|
(
ctx
->
h1
<<
26
))
+
(
uint64_t
)
LE_READ_UINT32
(
s
);
f1
=
((
ctx
->
h1
>>
6
)
|
(
ctx
->
h2
<<
20
))
+
(
uint64_t
)
LE_READ_UINT32
(
s
+
4
);
f2
=
((
ctx
->
h2
>>
12
)
|
(
ctx
->
h3
<<
14
))
+
(
uint64_t
)
LE_READ_UINT32
(
s
+
8
);
f3
=
((
ctx
->
h3
>>
18
)
|
(
ctx
->
h4
<<
8
))
+
(
uint64_t
)
LE_READ_UINT32
(
s
+
12
);
LE_WRITE_UINT32
(
s
,
f0
);
f1
+=
(
f0
>>
32
);
LE_WRITE_UINT32
(
s
+
4
,
f1
);
f2
+=
(
f1
>>
32
);
LE_WRITE_UINT32
(
s
+
8
,
f2
);
f3
+=
(
f2
>>
32
);
LE_WRITE_UINT32
(
s
+
12
,
f3
);
ctx
->
h0
=
0
;
ctx
->
h1
=
0
;
ctx
->
h2
=
0
;
ctx
->
h3
=
0
;
ctx
->
h4
=
0
;
}
poly1305.h
0 → 100644
View file @
563df21b
/* poly1305.h
*
* Poly1305 message authentication code.
*/
/* nettle, low-level cryptographics library
*
* Copyright (C) 2013 Nikos Mavrogiannopoulos
* Copyright (C) 2013, 2014 Niels Möller
*
* The nettle library is free software; you can redistribute it and/or modify
* it under the terms of the GNU Lesser General Public License as published by
* the Free Software Foundation; either version 2.1 of the License, or (at your
* option) any later version.
*
* The nettle library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public
* License for more details.
*
* You should have received a copy of the GNU Lesser General Public License
* along with the nettle library; see the file COPYING.LIB. If not, write to
* the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,
* MA 02111-1301, USA.
*/
#ifndef NETTLE_POLY1305_H_INCLUDED
#define NETTLE_POLY1305_H_INCLUDED
#include "aes.h"
#ifdef __cplusplus
extern
"C"
{
#endif
/* Name mangling */
#define poly1305_set_key nettle_poly1305_set_key
#define poly1305_digest nettle_poly1305_digest
#define _poly1305_block _nettle_poly1305_block
#define poly1305_aes_set_key nettle_poly1305_aes_set_key
#define poly1305_aes_set_nonce nettle_poly1305_aes_set_nonce
#define poly1305_aes_update nettle_poly1305_aes_update
#define poly1305_aes_digest nettle_poly1305_aes_digest
/* Low level functions/macros for the poly1305 construction. */
#define POLY1305_DIGEST_SIZE 16
#define POLY1305_BLOCK_SIZE 16
#define POLY1305_KEY_SIZE 16
struct
poly1305_ctx
{
/* Key, 128-bit value and some cached multiples. */
union
{
uint32_t
r32
[
6
];
uint64_t
r64
[
3
];
}
r
;
uint32_t
s32
[
3
];
/* State, represented as words of 26, 32 or 64 bits, depending on
implementation. */
/* High bits first, to maintain alignment. */
uint32_t
hh
;
union
{
uint32_t
h32
[
4
];
uint64_t
h64
[
2
];
}
h
;
};
/* Low-level internal interface. */
void
poly1305_set_key
(
struct
poly1305_ctx
*
ctx
,
const
uint8_t
key
[
POLY1305_KEY_SIZE
]);
/* Extracts digest, and adds it to s, the encrypted nonce. */
void
poly1305_digest
(
struct
poly1305_ctx
*
ctx
,
uint8_t
*
s
);
/* Internal function. Process one block. */
void
_poly1305_block
(
struct
poly1305_ctx
*
ctx
,
const
uint8_t
m
[
POLY1305_BLOCK_SIZE
],
unsigned
high
);
/* poly1305-aes */
#define POLY1305_AES_KEY_SIZE 32
#define POLY1305_AES_DIGEST_SIZE 16
#define POLY1305_AES_NONCE_SIZE 16
struct
poly1305_aes_ctx
{
/* Keep aes context last, to make it possible to use a general
poly1305_update if other variants are added. */
struct
poly1305_ctx
pctx
;
uint8_t
block
[
POLY1305_BLOCK_SIZE
];
unsigned
index
;
uint8_t
nonce
[
POLY1305_BLOCK_SIZE
];
struct
aes128_ctx
aes
;
};
/* Also initialize the nonce to zero. */
void
poly1305_aes_set_key
(
struct
poly1305_aes_ctx
*
ctx
,
const
uint8_t
*
key
);
/* Optional, if not used, messages get incrementing nonces starting
from zero. */
void
poly1305_aes_set_nonce
(
struct
poly1305_aes_ctx
*
ctx
,
const
uint8_t
*
nonce
);
/* Update is not aes-specific, but since this is the only implemented
variant, we need no more general poly1305_update. */
void
poly1305_aes_update
(
struct
poly1305_aes_ctx
*
ctx
,
size_t
length
,
const
uint8_t
*
data
);
/* Also increments the nonce */
void
poly1305_aes_digest
(
struct
poly1305_aes_ctx
*
ctx
,
size_t
length
,
uint8_t
*
digest
);
#ifdef __cplusplus
}
#endif
#endif
/* NETTLE_POLY1305_H_INCLUDED */
testsuite/.test-rules.make
View file @
563df21b
...
...
@@ -106,6 +106,9 @@ gcm-test$(EXEEXT): gcm-test.$(OBJEXT)
eax-test$(EXEEXT)
:
eax-test.$(OBJEXT)
$(LINK)
eax-test.
$(OBJEXT)
$(TEST_OBJS)
-o
eax-test
$(EXEEXT)
poly1305-test$(EXEEXT)
:
poly1305-test.$(OBJEXT)
$(LINK)
poly1305-test.
$(OBJEXT)
$(TEST_OBJS)
-o
poly1305-test
$(EXEEXT)
hmac-test$(EXEEXT)
:
hmac-test.$(OBJEXT)
$(LINK)
hmac-test.
$(OBJEXT)
$(TEST_OBJS)
-o
hmac-test
$(EXEEXT)
...
...
testsuite/Makefile.in
View file @
563df21b
...
...
@@ -26,6 +26,7 @@ TS_NETTLE_SOURCES = aes-test.c arcfour-test.c arctwo-test.c \
serpent-test.c twofish-test.c
\
knuth-lfib-test.c
\
cbc-test.c ctr-test.c gcm-test.c eax-test.c
\
poly1305-test.c
\
hmac-test.c umac-test.c
\
meta-hash-test.c meta-cipher-test.c meta-armor-test.c
\
buffer-test.c yarrow-test.c pbkdf2-test.c
...
...
testsuite/poly1305-test.c
0 → 100644
View file @
563df21b
#include "testutils.h"
#include "poly1305.h"
static
void
update
(
void
*
ctx
,
nettle_hash_update_func
*
f
,
const
struct
tstring
*
msg
,
unsigned
length
)
{
for
(;
length
>
msg
->
length
;
length
-=
msg
->
length
)
f
(
ctx
,
msg
->
length
,
msg
->
data
);
f
(
ctx
,
length
,
msg
->
data
);
}
static
void
check_digest
(
const
char
*
name
,
void
*
ctx
,
nettle_hash_digest_func
*
f
,
const
struct
tstring
*
msg
,
unsigned
length
,
unsigned
tag_length
,
const
uint8_t
*
ref
)
{
uint8_t
tag
[
16
];
f
(
ctx
,
tag_length
,
tag
);
if
(
memcmp
(
tag
,
ref
,
tag_length
)
!=
0
)
{
printf
(
"%s failed
\n
"
,
name
);
printf
(
"msg: "
);
print_hex
(
msg
->
length
,
msg
->
data
);
printf
(
"length: %u
\n
"
,
length
);
printf
(
"tag: "
);
print_hex
(
tag_length
,
tag
);
printf
(
"ref: "
);
print_hex
(
tag_length
,
ref
);
abort
();
}
}
static
void
test_poly1305
(
const
struct
tstring
*
key
,
const
struct
tstring
*
nonce
,
const
struct
tstring
*
msg
,
unsigned
length
,
const
struct
tstring
*
ref
)
{
struct
poly1305_aes_ctx
ctx
;
ASSERT
(
key
->
length
==
POLY1305_AES_KEY_SIZE
);
ASSERT
(
ref
->
length
==
POLY1305_AES_DIGEST_SIZE
);
poly1305_aes_set_key
(
&
ctx
,
key
->
data
);
poly1305_aes_set_nonce
(
&
ctx
,
nonce
->
data
);