authorJussi Kivilinna <jussi.kivilinna@iki.fi>2014-05-11 12:00:19 +0300
committerJussi Kivilinna <jussi.kivilinna@iki.fi>2014-05-12 20:32:43 +0300
commitb8794fed68ebe7567f4617141f0996ad290d9120 (patch)
tree2fd76ce72117946cbf5991d28c3c10152c62c2e5 /cipher/poly1305-internal.h
parentc20daeeb05329bfc6cc2c562cbd4b965291fe0e1 (diff)
Add Poly1305 MAC
* cipher/Makefile.am: Add 'mac-poly1305.c', 'poly1305.c' and 'poly1305-internal.h'. * cipher/mac-internal.h (poly1305mac_context_s): New. (gcry_mac_handle): Add 'u.poly1305mac'. (_gcry_mac_type_spec_poly1305mac): New. * cipher/mac-poly1305.c: New. * cipher/mac.c (mac_list): Add Poly1305. * cipher/poly1305-internal.h: New. * cipher/poly1305.c: New. * src/gcrypt.h.in: Add 'GCRY_MAC_POLY1305'. * tests/basic.c (check_mac): Add Poly1305 test vectors; Allow overriding lengths of data and key buffers. * tests/bench-slope.c (mac_bench): Increase max algo number from 500 to 600. * tests/benchmark.c (mac_bench): Ditto. -- Patch adds Bernstein's Poly1305 message authentication code to libgcrypt. Implementation is based on Andrew Moon's public domain implementation from: https://github.com/floodyberry/poly1305-opt The algorithm added by this patch is the plain Poly1305 without AES and takes 32-bit key that must not be reused. Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Diffstat (limited to 'cipher/poly1305-internal.h')
-rw-r--r--cipher/poly1305-internal.h93
1 files changed, 93 insertions, 0 deletions
diff --git a/cipher/poly1305-internal.h b/cipher/poly1305-internal.h
new file mode 100644
index 00000000..d2c6b5cd
--- /dev/null
+++ b/cipher/poly1305-internal.h
@@ -0,0 +1,93 @@
+/* poly1305-internal.h - Poly1305 internals
+ * Copyright (C) 2014 Jussi Kivilinna <jussi.kivilinna@iki.fi>
+ *
+ * This file is part of Libgcrypt.
+ *
+ * Libgcrypt is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser general Public License as
+ * published by the Free Software Foundation; either version 2.1 of
+ * the License, or (at your option) any later version.
+ *
+ * Libgcrypt is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Lesser General Public License for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public
+ * License along with this program; if not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef G10_POLY1305_INTERNAL_H
+#define G10_POLY1305_INTERNAL_H
+
+#include <config.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "types.h"
+#include "g10lib.h"
+#include "cipher.h"
+#include "bufhelp.h"
+
+
+#define POLY1305_TAGLEN 16
+#define POLY1305_KEYLEN 32
+
+
+/* Block-size used in default implementation. */
+#define POLY1305_REF_BLOCKSIZE 16
+
+/* State size of default implementation. */
+#define POLY1305_REF_STATESIZE 64
+
+/* State alignment for default implementation. */
+#define POLY1305_REF_ALIGNMENT sizeof(void *)
+
+
+/* Largest block-size used in any implementation (optimized implementations
+ * might use block-size multiple of 16). */
+#define POLY1305_LARGEST_BLOCKSIZE POLY1305_REF_BLOCKSIZE
+
+/* Largest state-size used in any implementation. */
+#define POLY1305_LARGEST_STATESIZE POLY1305_REF_STATESIZE
+
+/* Minimum alignment for state pointer passed to implementations. */
+#define POLY1305_STATE_ALIGNMENT POLY1305_REF_ALIGNMENT
+
+
+typedef struct poly1305_key_s
+{
+ byte b[POLY1305_KEYLEN];
+} poly1305_key_t;
+
+
+typedef struct poly1305_ops_s
+{
+ size_t block_size;
+ void (*init_ext) (void *ctx, const poly1305_key_t * key);
+ unsigned int (*blocks) (void *ctx, const byte * m, size_t bytes);
+ unsigned int (*finish_ext) (void *ctx, const byte * m, size_t remaining,
+ byte mac[POLY1305_TAGLEN]);
+} poly1305_ops_t;
+
+
+typedef struct poly1305_context_s
+{
+ byte state[POLY1305_LARGEST_STATESIZE + POLY1305_STATE_ALIGNMENT];
+ byte buffer[POLY1305_LARGEST_BLOCKSIZE];
+ const poly1305_ops_t *ops;
+ unsigned int leftover;
+} poly1305_context_t;
+
+
+gcry_err_code_t _gcry_poly1305_init (poly1305_context_t * ctx, const byte * key,
+ size_t keylen);
+
+void _gcry_poly1305_finish (poly1305_context_t * ctx,
+ byte mac[POLY1305_TAGLEN]);
+
+void _gcry_poly1305_update (poly1305_context_t * ctx, const byte * buf,
+ size_t buflen);
+
+
+#endif /* G10_POLY1305_INTERNAL_H */
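Review bot: `POLY1305_KEYLEN` and `POLY1305_TAGLEN` have no comment giving their unit or the key's usage rule, and the commit message says "32-bit key" while `byte b[POLY1305_KEYLEN]` makes it 32 bytes. I would add `/* Length in bytes of the one-time key; a key must never authenticate more than one message. */` above `POLY1305_KEYLEN`, because other cipher code will read this header rather than the commit message. The `unsigned int` results of `blocks` and `finish_ext` in `poly1305_ops_t` are also undocumented; presumably they are a stack depth to burn, which should be stated next to the members. `poly1305_context_t.state` presumably holds key-derived material, so a comment saying who wipes the context after `_gcry_poly1305_finish` would help; whether poly1305.c already does this is not visible in this file.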