projects / BoarSSL / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Initial commit.
[BoarSSL] / Tests / Poly1305Ref.cs
1 /*
2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3 *
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
11 *
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
14 *
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22 * SOFTWARE.
23 */
24
25 using System;
26
27 using Crypto;
28
29 /*
30 * This is a "reference" implementation of Poly1305 that uses the
31 * generic ZInt code for computations. It is not constant-time, and
32 * it is very slow; it is meant to test other implementations.
33 *
34 * API is identical to the Poly1305 class.
35 */
36
37 public class Poly1305Ref {
38
39 public ChaCha20 ChaCha {
40 get; set;
41 }
42
43 public Poly1305Ref()
44 {
45 }
46
47 static ZInt p = ((ZInt)1 << 130) - (ZInt)5;
48 static ZInt rmask = ((ZInt)1 << 124) - (ZInt)1
49 - ((ZInt)15 << 28) - ((ZInt)15 << 60) - ((ZInt)15 << 92)
50 - ((ZInt)3 << 32) - ((ZInt)3 << 64) - ((ZInt)3 << 96);
51
52 public void Run(byte[] iv,
53 byte[] data, int off, int len,
54 byte[] aad, int offAAD, int lenAAD,
55 byte[] tag, bool encrypt)
56 {
57 byte[] pkey = new byte[32];
58 ChaCha.Run(iv, 0, pkey);
59 if (encrypt) {
60 ChaCha.Run(iv, 1, data, off, len);
61 }
62
63 ByteSwap(pkey, 0, 16);
64 ZInt r = ZInt.DecodeUnsignedBE(pkey, 0, 16);
65 r &= rmask;
66 ZInt a = (ZInt)0;
67
68 a = RunInner(a, r, aad, offAAD, lenAAD);
69 a = RunInner(a, r, data, off, len);
70 byte[] foot = new byte[16];
71 foot[ 0] = (byte)lenAAD;
72 foot[ 1] = (byte)(lenAAD >> 8);
73 foot[ 2] = (byte)(lenAAD >> 16);
74 foot[ 3] = (byte)(lenAAD >> 24);
75 foot[ 8] = (byte)len;
76 foot[ 9] = (byte)(len >> 8);
77 foot[10] = (byte)(len >> 16);
78 foot[11] = (byte)(len >> 24);
79 a = RunInner(a, r, foot, 0, 16);
80
81 ByteSwap(pkey, 16, 16);
82 ZInt s = ZInt.DecodeUnsignedBE(pkey, 16, 16);
83 a += s;
84 a.ToBytesLE(tag, 0, 16);
85
86 if (!encrypt) {
87 ChaCha.Run(iv, 1, data, off, len);
88 }
89 }
90
91 ZInt RunInner(ZInt a, ZInt r, byte[] data, int off, int len)
92 {
93 byte[] tmp = new byte[16];
94 while (len > 0) {
95 if (len >= 16) {
96 Array.Copy(data, off, tmp, 0, 16);
97 } else {
98 Array.Copy(data, off, tmp, 0, len);
99 for (int i = len; i < 16; i ++) {
100 tmp[i] = 0;
101 }
102 }
103 ByteSwap(tmp, 0, 16);
104 ZInt v = ZInt.DecodeUnsignedBE(tmp) | ((ZInt)1 << 128);
105 a = ((a + v) * r) % p;
106 off += 16;
107 len -= 16;
108 }
109 return a;
110 }
111
112 static void ByteSwap(byte[] buf, int off, int len)
113 {
114 for (int i = 0; (i + i) < len; i ++) {
115 byte t = buf[off + i];
116 buf[off + i] = buf[off + len - 1 - i];
117 buf[off + len - 1 - i] = t;
118 }
119 }
120 }
Unnamed repository; edit this file 'description' to name the repository.