author | Peter Dettman <peter.dettman@bouncycastle.org> | 2017-03-22 19:55:25 +1030 |
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2017-03-22 19:55:25 +1030 |
commit | e779238a8773133f88d6a4c3e554b39849e9f0c4 (patch) | |
tree | 0d48cca3cea961a50eeb6c981f44f507f88913ff /crypto/src | |
parent | update (diff) | |
download | BouncyCastle.NET-ed25519-e779238a8773133f88d6a4c3e554b39849e9f0c4.tar.xz |
BJA-620 followup for Poly1305
- bug not present in C#, but a test case is included
- conservatively added an extra step in carry propagation
Diffstat (limited to 'crypto/src')
-rw-r--r-- | crypto/src/crypto/macs/Poly1305.cs | 32 |
1 files changed, 15 insertions, 17 deletions
diff --git a/crypto/src/crypto/macs/Poly1305.cs b/crypto/src/crypto/macs/Poly1305.cs
index 0f66ccccc..c0a660fac 100644
--- a/crypto/src/crypto/macs/Poly1305.cs
+++ b/crypto/src/crypto/macs/Poly1305.cs
@@ -219,13 +219,13 @@ namespace Org.BouncyCastle.Crypto.Macs
 ulong tp3 = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4);
 ulong tp4 = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0);
- ulong b;
- h0 = (uint)tp0 & 0x3ffffff; b = (tp0 >> 26);
- tp1 += b; h1 = (uint)tp1 & 0x3ffffff; b = (tp1 >> 26);
- tp2 += b; h2 = (uint)tp2 & 0x3ffffff; b = (tp2 >> 26);
- tp3 += b; h3 = (uint)tp3 & 0x3ffffff; b = (tp3 >> 26);
- tp4 += b; h4 = (uint)tp4 & 0x3ffffff; b = (tp4 >> 26);
- h0 += (uint)(b * 5);
+ h0 = (uint)tp0 & 0x3ffffff; tp1 += (tp0 >> 26);
+ h1 = (uint)tp1 & 0x3ffffff; tp2 += (tp1 >> 26);
+ h2 = (uint)tp2 & 0x3ffffff; tp3 += (tp2 >> 26);
+ h3 = (uint)tp3 & 0x3ffffff; tp4 += (tp3 >> 26);
+ h4 = (uint)tp4 & 0x3ffffff;
+ h0 += (uint)(tp4 >> 26) * 5;
+ h1 += (h0 >> 26); h0 &= 0x3ffffff;
 }
 public int DoFinal(byte[] output, int outOff)
@@ -238,17 +238,14 @@ namespace Org.BouncyCastle.Crypto.Macs
 ProcessBlock();
 }
- ulong f0, f1, f2, f3;
-
- uint b = h0 >> 26;
- h0 = h0 & 0x3ffffff;
- h1 += b; b = h1 >> 26; h1 = h1 & 0x3ffffff;
- h2 += b; b = h2 >> 26; h2 = h2 & 0x3ffffff;
- h3 += b; b = h3 >> 26; h3 = h3 & 0x3ffffff;
- h4 += b; b = h4 >> 26; h4 = h4 & 0x3ffffff;
- h0 += b * 5;
+ h1 += (h0 >> 26); h0 &= 0x3ffffff;
+ h2 += (h1 >> 26); h1 &= 0x3ffffff;
+ h3 += (h2 >> 26); h2 &= 0x3ffffff;
+ h4 += (h3 >> 26); h3 &= 0x3ffffff;
+ h0 += (h4 >> 26) * 5; h4 &= 0x3ffffff;
+ h1 += (h0 >> 26); h0 &= 0x3ffffff;
- uint g0, g1, g2, g3, g4;
+ uint g0, g1, g2, g3, g4, b;
 g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
 g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
 g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
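Review bot: The new fold-back line `h0 += (uint)(tp4 >> 26) * 5;` now performs the ×5 in 32-bit unchecked arithmetic, whereas the removed `h0 += (uint)(b * 5);` multiplied in 64 bits and truncated afterwards; both are correct only because the carry out of tp4 is small enough that five times it cannot wrap a uint, and nothing in the hunk states that bound. tp4 is a sum of five mul32x32_64 products plus the carry from tp3, so with the limbs held to the 26-bit radix the masks imply the carry is presumably far below 2^31 — but a wrap here in unchecked C# would silently produce a wrong tag rather than an exception, so the invariant belongs next to the line. I would add above it `// carry out of tp4 is small (26-bit limbs, clamped r), so the *5 cannot wrap a uint -- TODO confirm bound` and, on the added `h1 += (h0 >> 26); h0 &= 0x3ffffff;`, `// extra normalisation (BJA-620): h0 leaves ProcessBlock below 2^26`. ProcessBlock's signature and the tp0..tp2 computations lie above this hunk.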
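Review bot: The finalisation chain in DoFinal now ends with `h1 += (h0 >> 26); h0 &= 0x3ffffff;`, leaving h1 unmasked after the fold, and nothing explains why that is safe for the packing that follows (f0 takes `h1 << 26`, f1 takes `h1 >> 6` ORed with `h2 << 20`), where a limb reaching 2^26 would land a bit on top of its neighbour. The chain mirrors the poly1305-donna finalisation and is sound provided the accumulator entering DoFinal is below 2^130 plus a small excess: then the only non-zero carry out of h4 is the one that subtracts p, which leaves a residue too small for h0 to carry into a full h1. That argument lives nowhere near the code; I would add above the chain `// full carry: h < 2^130 + small on entry (ProcessBlock leaves each limb near 26 bits), so after the h4->h0 fold every limb is < 2^26 and the pack into f0..f3 below is exact`. The test mentioned in the commit message is outside this diffstat (limited to crypto/src), so it is worth confirming that it exercises an input where the h4 carry is non-zero.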
@@ -263,6 +260,7 @@ namespace Org.BouncyCastle.Crypto.Macs
 h3 = (h3 & nb) | (g3 & b);
 h4 = (h4 & nb) | (g4 & b);
+ ulong f0, f1, f2, f3;
 f0 = ((h0 ) | (h1 << 26)) + (ulong)k0;
 f1 = ((h1 >> 6 ) | (h2 << 20)) + (ulong)k1;
 f2 = ((h2 >> 12) | (h3 << 14)) + (ulong)k2;