1 /** 2 * \file poly1305.h 3 * 4 * \brief This file contains Poly1305 definitions and functions. 5 * 6 * Poly1305 is a one-time message authenticator that can be used to 7 * authenticate messages. Poly1305-AES was created by Daniel 8 * Bernstein https://cr.yp.to/mac/poly1305-20050329.pdf The generic 9 * Poly1305 algorithm (not tied to AES) was also standardized in RFC 10 * 7539. 11 * 12 * \author Daniel King <damaki.gh@gmail.com> 13 */ 14 15 /* 16 * Copyright The Mbed TLS Contributors 17 * SPDX-License-Identifier: Apache-2.0 18 * 19 * Licensed under the Apache License, Version 2.0 (the "License"); you may 20 * not use this file except in compliance with the License. 21 * You may obtain a copy of the License at 22 * 23 * http://www.apache.org/licenses/LICENSE-2.0 24 * 25 * Unless required by applicable law or agreed to in writing, software 26 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 27 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 28 * See the License for the specific language governing permissions and 29 * limitations under the License. 30 */ 31 32 #ifndef MBEDTLS_POLY1305_H 33 #define MBEDTLS_POLY1305_H 34 #include "mbedtls/private_access.h" 35 36 #include "mbedtls/build_info.h" 37 38 #include <stdint.h> 39 #include <stddef.h> 40 41 /** Invalid input parameter(s). */ 42 #define MBEDTLS_ERR_POLY1305_BAD_INPUT_DATA -0x0057 43 44 #ifdef __cplusplus 45 extern "C" { 46 #endif 47 48 #if !defined(MBEDTLS_POLY1305_ALT) 49 50 typedef struct mbedtls_poly1305_context { 51 uint32_t MBEDTLS_PRIVATE(r)[4]; /** The value for 'r' (low 128 bits of the key). */ 52 uint32_t MBEDTLS_PRIVATE(s)[4]; /** The value for 's' (high 128 bits of the key). */ 53 uint32_t MBEDTLS_PRIVATE(acc)[5]; /** The accumulator number. */ 54 uint8_t MBEDTLS_PRIVATE(queue)[16]; /** The current partial block of data. */ 55 size_t MBEDTLS_PRIVATE(queue_len); /** The number of bytes stored in 'queue'. */ 56 } 57 mbedtls_poly1305_context; 58 59 #else /* MBEDTLS_POLY1305_ALT */ 60 #include "poly1305_alt.h" 61 #endif /* MBEDTLS_POLY1305_ALT */ 62 63 /** 64 * \brief This function initializes the specified Poly1305 context. 65 * 66 * It must be the first API called before using 67 * the context. 68 * 69 * It is usually followed by a call to 70 * \c mbedtls_poly1305_starts(), then one or more calls to 71 * \c mbedtls_poly1305_update(), then one call to 72 * \c mbedtls_poly1305_finish(), then finally 73 * \c mbedtls_poly1305_free(). 74 * 75 * \param ctx The Poly1305 context to initialize. This must 76 * not be \c NULL. 77 */ 78 void mbedtls_poly1305_init(mbedtls_poly1305_context *ctx); 79 80 /** 81 * \brief This function releases and clears the specified 82 * Poly1305 context. 83 * 84 * \param ctx The Poly1305 context to clear. This may be \c NULL, in which 85 * case this function is a no-op. If it is not \c NULL, it must 86 * point to an initialized Poly1305 context. 87 */ 88 void mbedtls_poly1305_free(mbedtls_poly1305_context *ctx); 89 90 /** 91 * \brief This function sets the one-time authentication key. 92 * 93 * \warning The key must be unique and unpredictable for each 94 * invocation of Poly1305. 95 * 96 * \param ctx The Poly1305 context to which the key should be bound. 97 * This must be initialized. 98 * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key. 99 * 100 * \return \c 0 on success. 101 * \return A negative error code on failure. 102 */ 103 int mbedtls_poly1305_starts(mbedtls_poly1305_context *ctx, 104 const unsigned char key[32]); 105 106 /** 107 * \brief This functions feeds an input buffer into an ongoing 108 * Poly1305 computation. 109 * 110 * It is called between \c mbedtls_cipher_poly1305_starts() and 111 * \c mbedtls_cipher_poly1305_finish(). 112 * It can be called repeatedly to process a stream of data. 113 * 114 * \param ctx The Poly1305 context to use for the Poly1305 operation. 115 * This must be initialized and bound to a key. 116 * \param ilen The length of the input data in Bytes. 117 * Any value is accepted. 118 * \param input The buffer holding the input data. 119 * This pointer can be \c NULL if `ilen == 0`. 120 * 121 * \return \c 0 on success. 122 * \return A negative error code on failure. 123 */ 124 int mbedtls_poly1305_update(mbedtls_poly1305_context *ctx, 125 const unsigned char *input, 126 size_t ilen); 127 128 /** 129 * \brief This function generates the Poly1305 Message 130 * Authentication Code (MAC). 131 * 132 * \param ctx The Poly1305 context to use for the Poly1305 operation. 133 * This must be initialized and bound to a key. 134 * \param mac The buffer to where the MAC is written. This must 135 * be a writable buffer of length \c 16 Bytes. 136 * 137 * \return \c 0 on success. 138 * \return A negative error code on failure. 139 */ 140 int mbedtls_poly1305_finish(mbedtls_poly1305_context *ctx, 141 unsigned char mac[16]); 142 143 /** 144 * \brief This function calculates the Poly1305 MAC of the input 145 * buffer with the provided key. 146 * 147 * \warning The key must be unique and unpredictable for each 148 * invocation of Poly1305. 149 * 150 * \param key The buffer containing the \c 32 Byte (\c 256 Bit) key. 151 * \param ilen The length of the input data in Bytes. 152 * Any value is accepted. 153 * \param input The buffer holding the input data. 154 * This pointer can be \c NULL if `ilen == 0`. 155 * \param mac The buffer to where the MAC is written. This must be 156 * a writable buffer of length \c 16 Bytes. 157 * 158 * \return \c 0 on success. 159 * \return A negative error code on failure. 160 */ 161 int mbedtls_poly1305_mac(const unsigned char key[32], 162 const unsigned char *input, 163 size_t ilen, 164 unsigned char mac[16]); 165 166 #if defined(MBEDTLS_SELF_TEST) 167 /** 168 * \brief The Poly1305 checkup routine. 169 * 170 * \return \c 0 on success. 171 * \return \c 1 on failure. 172 */ 173 int mbedtls_poly1305_self_test(int verbose); 174 #endif /* MBEDTLS_SELF_TEST */ 175 176 #ifdef __cplusplus 177 } 178 #endif 179 180 #endif /* MBEDTLS_POLY1305_H */ 181