/src/libgcrypt/cipher/cipher-poly1305.c

Source (jump to first uncovered line)
/* cipher-poly1305.c  -  Poly1305 based AEAD cipher mode, RFC-8439
 * Copyright (C) 2014 Jussi Kivilinna <jussi.kivilinna@iki.fi>
 *
 * This file is part of Libgcrypt.
 *
 * Libgcrypt is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Lesser General Public License as
 * published by the Free Software Foundation; either version 2.1 of
 * the License, or (at your option) any later version.
 *
 * Libgcrypt is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public
 * License along with this program; if not, see <http://www.gnu.org/licenses/>.
 */

#include <config.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#include "g10lib.h"
#include "cipher.h"
#include "bufhelp.h"
#include "./cipher-internal.h"
#include "./poly1305-internal.h"


static inline int
poly1305_bytecounter_add (u32 ctr[2], size_t add)
{
  int overflow = 0;

  if (sizeof(add) > sizeof(u32))
    {
      u32 high_add = ((add >> 31) >> 1) & 0xffffffff;
      ctr[1] += high_add;
      if (ctr[1] < high_add)
        overflow = 1;
    }

  ctr[0] += add;
  if (ctr[0] >= add)
    return overflow;

  ctr[1] += 1;
  return (ctr[1] < 1) || overflow;
}


static void
poly1305_fill_bytecounts (gcry_cipher_hd_t c)
{
  u32 lenbuf[4];

  lenbuf[0] = le_bswap32(c->u_mode.poly1305.aadcount[0]);
  lenbuf[1] = le_bswap32(c->u_mode.poly1305.aadcount[1]);
  lenbuf[2] = le_bswap32(c->u_mode.poly1305.datacount[0]);
  lenbuf[3] = le_bswap32(c->u_mode.poly1305.datacount[1]);
  _gcry_poly1305_update (&c->u_mode.poly1305.ctx, (byte*)lenbuf,
       sizeof(lenbuf));

  wipememory(lenbuf, sizeof(lenbuf));
}


static void
poly1305_do_padding (gcry_cipher_hd_t c, u32 ctr[2])
{
  static const byte zero_padding_buf[15] = {};
  u32 padding_count;

  /* Padding to 16 byte boundary. */
  if (ctr[0] % 16 > 0)
    {
      padding_count = 16 - ctr[0] % 16;

      _gcry_poly1305_update (&c->u_mode.poly1305.ctx, zero_padding_buf,
           padding_count);
    }
}


static void
poly1305_aad_finish (gcry_cipher_hd_t c)
{
  /* After AAD, feed padding bytes so we get 16 byte alignment. */
  poly1305_do_padding (c, c->u_mode.poly1305.aadcount);

  /* Start of encryption marks end of AAD stream. */
  c->u_mode.poly1305.aad_finalized = 1;

  c->u_mode.poly1305.datacount[0] = 0;
  c->u_mode.poly1305.datacount[1] = 0;
}


static gcry_err_code_t
poly1305_set_zeroiv (gcry_cipher_hd_t c)
{
  byte zero[8] = { 0, };

  return _gcry_cipher_poly1305_setiv (c, zero, sizeof(zero));
}


gcry_err_code_t
_gcry_cipher_poly1305_authenticate (gcry_cipher_hd_t c,
            const byte * aadbuf, size_t aadbuflen)
{
  if (c->u_mode.poly1305.bytecount_over_limits)
    return GPG_ERR_INV_LENGTH;
  if (c->u_mode.poly1305.aad_finalized)
    return GPG_ERR_INV_STATE;
  if (c->marks.tag)
    return GPG_ERR_INV_STATE;

  if (!c->marks.iv)
    poly1305_set_zeroiv(c);

  if (poly1305_bytecounter_add(c->u_mode.poly1305.aadcount, aadbuflen))
    {
      c->u_mode.poly1305.bytecount_over_limits = 1;
      return GPG_ERR_INV_LENGTH;
    }

  _gcry_poly1305_update (&c->u_mode.poly1305.ctx, aadbuf, aadbuflen);

  return 0;
}


gcry_err_code_t
_gcry_cipher_poly1305_encrypt (gcry_cipher_hd_t c,
             byte *outbuf, size_t outbuflen,
             const byte *inbuf, size_t inbuflen)
{
  gcry_err_code_t err;

  if (outbuflen < inbuflen)
    return GPG_ERR_BUFFER_TOO_SHORT;
  if (c->marks.tag)
    return GPG_ERR_INV_STATE;
  if (c->u_mode.poly1305.bytecount_over_limits)
    return GPG_ERR_INV_LENGTH;

  if (!c->marks.iv)
    {
      err = poly1305_set_zeroiv(c);
      if (err)
        return err;
    }

  if (!c->u_mode.poly1305.aad_finalized)
    poly1305_aad_finish(c);

  if (poly1305_bytecounter_add(c->u_mode.poly1305.datacount, inbuflen))
    {
      c->u_mode.poly1305.bytecount_over_limits = 1;
      return GPG_ERR_INV_LENGTH;
    }

#ifdef USE_CHACHA20
  if (LIKELY(inbuflen > 0) && LIKELY(c->spec->algo == GCRY_CIPHER_CHACHA20))
    {
      return _gcry_chacha20_poly1305_encrypt (c, outbuf, inbuf, inbuflen);
    }
#endif

  while (inbuflen)
    {
      size_t currlen = inbuflen;

      /* Since checksumming is done after encryption, process input in 24KiB
       * chunks to keep data loaded in L1 cache for checksumming.  However
       * only do splitting if input is large enough so that last chunks does
       * not end up being short. */
      if (currlen > 32 * 1024)
  currlen = 24 * 1024;

      c->spec->stencrypt(&c->context.c, outbuf, (byte*)inbuf, currlen);

      _gcry_poly1305_update (&c->u_mode.poly1305.ctx, outbuf, currlen);

      outbuf += currlen;
      inbuf += currlen;
      outbuflen -= currlen;
      inbuflen -= currlen;
    }

  return 0;
}


gcry_err_code_t
_gcry_cipher_poly1305_decrypt (gcry_cipher_hd_t c,
             byte *outbuf, size_t outbuflen,
             const byte *inbuf, size_t inbuflen)
{
  gcry_err_code_t err;

  if (outbuflen < inbuflen)
    return GPG_ERR_BUFFER_TOO_SHORT;
  if (c->marks.tag)
    return GPG_ERR_INV_STATE;
  if (c->u_mode.poly1305.bytecount_over_limits)
    return GPG_ERR_INV_LENGTH;

  if (!c->marks.iv)
    {
      err = poly1305_set_zeroiv(c);
      if (err)
        return err;
    }

  if (!c->u_mode.poly1305.aad_finalized)
    poly1305_aad_finish(c);

  if (poly1305_bytecounter_add(c->u_mode.poly1305.datacount, inbuflen))
    {
      c->u_mode.poly1305.bytecount_over_limits = 1;
      return GPG_ERR_INV_LENGTH;
    }

#ifdef USE_CHACHA20
  if (LIKELY(inbuflen > 0) && LIKELY(c->spec->algo == GCRY_CIPHER_CHACHA20))
    {
      return _gcry_chacha20_poly1305_decrypt (c, outbuf, inbuf, inbuflen);
    }
#endif

  while (inbuflen)
    {
      size_t currlen = inbuflen;

      /* Since checksumming is done before decryption, process input in 24KiB
       * chunks to keep data loaded in L1 cache for decryption.  However only
       * do splitting if input is large enough so that last chunks does not
       * end up being short. */
      if (currlen > 32 * 1024)
  currlen = 24 * 1024;

      _gcry_poly1305_update (&c->u_mode.poly1305.ctx, inbuf, currlen);

      c->spec->stdecrypt(&c->context.c, outbuf, (byte*)inbuf, currlen);

      outbuf += currlen;
      inbuf += currlen;
      outbuflen -= currlen;
      inbuflen -= currlen;
    }

  return 0;
}


static gcry_err_code_t
_gcry_cipher_poly1305_tag (gcry_cipher_hd_t c,
         byte * outbuf, size_t outbuflen, int check)
{
  gcry_err_code_t err;

  if (outbuflen < POLY1305_TAGLEN)
    return GPG_ERR_BUFFER_TOO_SHORT;
  if (c->u_mode.poly1305.bytecount_over_limits)
    return GPG_ERR_INV_LENGTH;

  if (!c->marks.iv)
    {
      err = poly1305_set_zeroiv(c);
      if (err)
        return err;
    }

  if (!c->u_mode.poly1305.aad_finalized)
    poly1305_aad_finish(c);

  if (!c->marks.tag)
    {
      /* After data, feed padding bytes so we get 16 byte alignment. */
      poly1305_do_padding (c, c->u_mode.poly1305.datacount);

      /* Write byte counts to poly1305. */
      poly1305_fill_bytecounts(c);

      _gcry_poly1305_finish(&c->u_mode.poly1305.ctx, c->u_iv.iv);

      c->marks.tag = 1;
    }

  if (!check)
    {
      memcpy (outbuf, c->u_iv.iv, POLY1305_TAGLEN);
    }
  else
    {
      /* OUTBUFLEN gives the length of the user supplied tag in OUTBUF
       * and thus we need to compare its length first.  */
      if (outbuflen != POLY1305_TAGLEN
          || !buf_eq_const (outbuf, c->u_iv.iv, POLY1305_TAGLEN))
        return GPG_ERR_CHECKSUM;
    }

  return 0;
}


gcry_err_code_t
_gcry_cipher_poly1305_get_tag (gcry_cipher_hd_t c, unsigned char *outtag,
                          size_t taglen)
{
  return _gcry_cipher_poly1305_tag (c, outtag, taglen, 0);
}

gcry_err_code_t
_gcry_cipher_poly1305_check_tag (gcry_cipher_hd_t c, const unsigned char *intag,
                            size_t taglen)
{
  return _gcry_cipher_poly1305_tag (c, (unsigned char *) intag, taglen, 1);
}


void
_gcry_cipher_poly1305_setkey (gcry_cipher_hd_t c)
{
  c->u_mode.poly1305.aadcount[0] = 0;
  c->u_mode.poly1305.aadcount[1] = 0;

  c->u_mode.poly1305.datacount[0] = 0;
  c->u_mode.poly1305.datacount[1] = 0;

  c->u_mode.poly1305.bytecount_over_limits = 0;
  c->u_mode.poly1305.aad_finalized = 0;
  c->marks.tag = 0;
  c->marks.iv = 0;
}


gcry_err_code_t
_gcry_cipher_poly1305_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
{
  byte tmpbuf[64]; /* size of ChaCha20 block */
  gcry_err_code_t err;

  /* IV must be 96-bits */
  if (!iv && ivlen != (96 / 8))
    return GPG_ERR_INV_ARG;

  memset(&c->u_mode.poly1305.ctx, 0, sizeof(c->u_mode.poly1305.ctx));

  c->u_mode.poly1305.aadcount[0] = 0;
  c->u_mode.poly1305.aadcount[1] = 0;

  c->u_mode.poly1305.datacount[0] = 0;
  c->u_mode.poly1305.datacount[1] = 0;

  c->u_mode.poly1305.bytecount_over_limits = 0;
  c->u_mode.poly1305.aad_finalized = 0;
  c->marks.tag = 0;
  c->marks.iv = 0;

  /* Set up IV for stream cipher. */
  c->spec->setiv (&c->context.c, iv, ivlen);

  /* Get the first block from ChaCha20. */
  memset(tmpbuf, 0, sizeof(tmpbuf));
  c->spec->stencrypt(&c->context.c, tmpbuf, tmpbuf, sizeof(tmpbuf));

  /* Use the first 32-bytes as Poly1305 key. */
  err = _gcry_poly1305_init (&c->u_mode.poly1305.ctx, tmpbuf, POLY1305_KEYLEN);

  wipememory(tmpbuf, sizeof(tmpbuf));

  if (err)
    return err;

  c->marks.iv = 1;
  return 0;
}

Coverage Report

Created: 2024-11-21 07:03

Line	Count	Source (jump to first uncovered line)
1		/* cipher-poly1305.c - Poly1305 based AEAD cipher mode, RFC-8439
2		* Copyright (C) 2014 Jussi Kivilinna <jussi.kivilinna@iki.fi>
3		*
4		* This file is part of Libgcrypt.
5		*
6		* Libgcrypt is free software; you can redistribute it and/or modify
7		* it under the terms of the GNU Lesser General Public License as
8		* published by the Free Software Foundation; either version 2.1 of
9		* the License, or (at your option) any later version.
10		*
11		* Libgcrypt is distributed in the hope that it will be useful,
12		* but WITHOUT ANY WARRANTY; without even the implied warranty of
13		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14		* GNU Lesser General Public License for more details.
15		*
16		* You should have received a copy of the GNU Lesser General Public
17		* License along with this program; if not, see <http://www.gnu.org/licenses/>.
18		*/
19
20		#include <config.h>
21		#include <stdio.h>
22		#include <stdlib.h>
23		#include <string.h>
24		#include <errno.h>
25
26		#include "g10lib.h"
27		#include "cipher.h"
28		#include "bufhelp.h"
29		#include "./cipher-internal.h"
30		#include "./poly1305-internal.h"
31
32
33		static inline int
34		poly1305_bytecounter_add (u32 ctr[2], size_t add)
35	0	{
36	0	int overflow = 0;
37
38	0	if (sizeof(add) > sizeof(u32))
39	0	{
40	0	u32 high_add = ((add >> 31) >> 1) & 0xffffffff;
41	0	ctr[1] += high_add;
42	0	if (ctr[1] < high_add)
43	0	overflow = 1;
44	0	}
45
46	0	ctr[0] += add;
47	0	if (ctr[0] >= add)
48	0	return overflow;
49
50	0	ctr[1] += 1;
51	0	return (ctr[1] < 1) \|\| overflow;
52	0	}
53
54
55		static void
56		poly1305_fill_bytecounts (gcry_cipher_hd_t c)
57	0	{
58	0	u32 lenbuf[4];
59
60	0	lenbuf[0] = le_bswap32(c->u_mode.poly1305.aadcount[0]);
61	0	lenbuf[1] = le_bswap32(c->u_mode.poly1305.aadcount[1]);
62	0	lenbuf[2] = le_bswap32(c->u_mode.poly1305.datacount[0]);
63	0	lenbuf[3] = le_bswap32(c->u_mode.poly1305.datacount[1]);
64	0	_gcry_poly1305_update (&c->u_mode.poly1305.ctx, (byte*)lenbuf,
65	0	sizeof(lenbuf));
66
67	0	wipememory(lenbuf, sizeof(lenbuf));
68	0	}
69
70
71		static void
72		poly1305_do_padding (gcry_cipher_hd_t c, u32 ctr[2])
73	0	{
74	0	static const byte zero_padding_buf[15] = {};
75	0	u32 padding_count;
76
77		/* Padding to 16 byte boundary. */
78	0	if (ctr[0] % 16 > 0)
79	0	{
80	0	padding_count = 16 - ctr[0] % 16;
81
82	0	_gcry_poly1305_update (&c->u_mode.poly1305.ctx, zero_padding_buf,
83	0	padding_count);
84	0	}
85	0	}
86
87
88		static void
89		poly1305_aad_finish (gcry_cipher_hd_t c)
90	0	{
91		/* After AAD, feed padding bytes so we get 16 byte alignment. */
92	0	poly1305_do_padding (c, c->u_mode.poly1305.aadcount);
93
94		/* Start of encryption marks end of AAD stream. */
95	0	c->u_mode.poly1305.aad_finalized = 1;
96
97	0	c->u_mode.poly1305.datacount[0] = 0;
98	0	c->u_mode.poly1305.datacount[1] = 0;
99	0	}
100
101
102		static gcry_err_code_t
103		poly1305_set_zeroiv (gcry_cipher_hd_t c)
104	0	{
105	0	byte zero[8] = { 0, };
106
107	0	return _gcry_cipher_poly1305_setiv (c, zero, sizeof(zero));
108	0	}
109
110
111		gcry_err_code_t
112		_gcry_cipher_poly1305_authenticate (gcry_cipher_hd_t c,
113		const byte * aadbuf, size_t aadbuflen)
114	0	{
115	0	if (c->u_mode.poly1305.bytecount_over_limits)
116	0	return GPG_ERR_INV_LENGTH;
117	0	if (c->u_mode.poly1305.aad_finalized)
118	0	return GPG_ERR_INV_STATE;
119	0	if (c->marks.tag)
120	0	return GPG_ERR_INV_STATE;
121
122	0	if (!c->marks.iv)
123	0	poly1305_set_zeroiv(c);
124
125	0	if (poly1305_bytecounter_add(c->u_mode.poly1305.aadcount, aadbuflen))
126	0	{
127	0	c->u_mode.poly1305.bytecount_over_limits = 1;
128	0	return GPG_ERR_INV_LENGTH;
129	0	}
130
131	0	_gcry_poly1305_update (&c->u_mode.poly1305.ctx, aadbuf, aadbuflen);
132
133	0	return 0;
134	0	}
135
136
137		gcry_err_code_t
138		_gcry_cipher_poly1305_encrypt (gcry_cipher_hd_t c,
139		byte *outbuf, size_t outbuflen,
140		const byte *inbuf, size_t inbuflen)
141	0	{
142	0	gcry_err_code_t err;
143
144	0	if (outbuflen < inbuflen)
145	0	return GPG_ERR_BUFFER_TOO_SHORT;
146	0	if (c->marks.tag)
147	0	return GPG_ERR_INV_STATE;
148	0	if (c->u_mode.poly1305.bytecount_over_limits)
149	0	return GPG_ERR_INV_LENGTH;
150
151	0	if (!c->marks.iv)
152	0	{
153	0	err = poly1305_set_zeroiv(c);
154	0	if (err)
155	0	return err;
156	0	}
157
158	0	if (!c->u_mode.poly1305.aad_finalized)
159	0	poly1305_aad_finish(c);
160
161	0	if (poly1305_bytecounter_add(c->u_mode.poly1305.datacount, inbuflen))
162	0	{
163	0	c->u_mode.poly1305.bytecount_over_limits = 1;
164	0	return GPG_ERR_INV_LENGTH;
165	0	}
166
167	0	#ifdef USE_CHACHA20
168	0	if (LIKELY(inbuflen > 0) && LIKELY(c->spec->algo == GCRY_CIPHER_CHACHA20))
169	0	{
170	0	return _gcry_chacha20_poly1305_encrypt (c, outbuf, inbuf, inbuflen);
171	0	}
172	0	#endif
173
174	0	while (inbuflen)
175	0	{
176	0	size_t currlen = inbuflen;
177
178		/* Since checksumming is done after encryption, process input in 24KiB
179		* chunks to keep data loaded in L1 cache for checksumming. However
180		* only do splitting if input is large enough so that last chunks does
181		* not end up being short. */
182	0	if (currlen > 32 * 1024)
183	0	currlen = 24 * 1024;
184
185	0	c->spec->stencrypt(&c->context.c, outbuf, (byte*)inbuf, currlen);
186
187	0	_gcry_poly1305_update (&c->u_mode.poly1305.ctx, outbuf, currlen);
188
189	0	outbuf += currlen;
190	0	inbuf += currlen;
191	0	outbuflen -= currlen;
192	0	inbuflen -= currlen;
193	0	}
194
195	0	return 0;
196	0	}
197
198
199		gcry_err_code_t
200		_gcry_cipher_poly1305_decrypt (gcry_cipher_hd_t c,
201		byte *outbuf, size_t outbuflen,
202		const byte *inbuf, size_t inbuflen)
203	0	{
204	0	gcry_err_code_t err;
205
206	0	if (outbuflen < inbuflen)
207	0	return GPG_ERR_BUFFER_TOO_SHORT;
208	0	if (c->marks.tag)
209	0	return GPG_ERR_INV_STATE;
210	0	if (c->u_mode.poly1305.bytecount_over_limits)
211	0	return GPG_ERR_INV_LENGTH;
212
213	0	if (!c->marks.iv)
214	0	{
215	0	err = poly1305_set_zeroiv(c);
216	0	if (err)
217	0	return err;
218	0	}
219
220	0	if (!c->u_mode.poly1305.aad_finalized)
221	0	poly1305_aad_finish(c);
222
223	0	if (poly1305_bytecounter_add(c->u_mode.poly1305.datacount, inbuflen))
224	0	{
225	0	c->u_mode.poly1305.bytecount_over_limits = 1;
226	0	return GPG_ERR_INV_LENGTH;
227	0	}
228
229	0	#ifdef USE_CHACHA20
230	0	if (LIKELY(inbuflen > 0) && LIKELY(c->spec->algo == GCRY_CIPHER_CHACHA20))
231	0	{
232	0	return _gcry_chacha20_poly1305_decrypt (c, outbuf, inbuf, inbuflen);
233	0	}
234	0	#endif
235
236	0	while (inbuflen)
237	0	{
238	0	size_t currlen = inbuflen;
239
240		/* Since checksumming is done before decryption, process input in 24KiB
241		* chunks to keep data loaded in L1 cache for decryption. However only
242		* do splitting if input is large enough so that last chunks does not
243		* end up being short. */
244	0	if (currlen > 32 * 1024)
245	0	currlen = 24 * 1024;
246
247	0	_gcry_poly1305_update (&c->u_mode.poly1305.ctx, inbuf, currlen);
248
249	0	c->spec->stdecrypt(&c->context.c, outbuf, (byte*)inbuf, currlen);
250
251	0	outbuf += currlen;
252	0	inbuf += currlen;
253	0	outbuflen -= currlen;
254	0	inbuflen -= currlen;
255	0	}
256
257	0	return 0;
258	0	}
259
260
261		static gcry_err_code_t
262		_gcry_cipher_poly1305_tag (gcry_cipher_hd_t c,
263		byte * outbuf, size_t outbuflen, int check)
264	0	{
265	0	gcry_err_code_t err;
266
267	0	if (outbuflen < POLY1305_TAGLEN)
268	0	return GPG_ERR_BUFFER_TOO_SHORT;
269	0	if (c->u_mode.poly1305.bytecount_over_limits)
270	0	return GPG_ERR_INV_LENGTH;
271
272	0	if (!c->marks.iv)
273	0	{
274	0	err = poly1305_set_zeroiv(c);
275	0	if (err)
276	0	return err;
277	0	}
278
279	0	if (!c->u_mode.poly1305.aad_finalized)
280	0	poly1305_aad_finish(c);
281
282	0	if (!c->marks.tag)
283	0	{
284		/* After data, feed padding bytes so we get 16 byte alignment. */
285	0	poly1305_do_padding (c, c->u_mode.poly1305.datacount);
286
287		/* Write byte counts to poly1305. */
288	0	poly1305_fill_bytecounts(c);
289
290	0	_gcry_poly1305_finish(&c->u_mode.poly1305.ctx, c->u_iv.iv);
291
292	0	c->marks.tag = 1;
293	0	}
294
295	0	if (!check)
296	0	{
297	0	memcpy (outbuf, c->u_iv.iv, POLY1305_TAGLEN);
298	0	}
299	0	else
300	0	{
301		/* OUTBUFLEN gives the length of the user supplied tag in OUTBUF
302		* and thus we need to compare its length first. */
303	0	if (outbuflen != POLY1305_TAGLEN
304	0	\|\| !buf_eq_const (outbuf, c->u_iv.iv, POLY1305_TAGLEN))
305	0	return GPG_ERR_CHECKSUM;
306	0	}
307
308	0	return 0;
309	0	}
310
311
312		gcry_err_code_t
313		_gcry_cipher_poly1305_get_tag (gcry_cipher_hd_t c, unsigned char *outtag,
314		size_t taglen)
315	0	{
316	0	return _gcry_cipher_poly1305_tag (c, outtag, taglen, 0);
317	0	}
318
319		gcry_err_code_t
320		_gcry_cipher_poly1305_check_tag (gcry_cipher_hd_t c, const unsigned char *intag,
321		size_t taglen)
322	0	{
323	0	return _gcry_cipher_poly1305_tag (c, (unsigned char *) intag, taglen, 1);
324	0	}
325
326
327		void
328		_gcry_cipher_poly1305_setkey (gcry_cipher_hd_t c)
329	0	{
330	0	c->u_mode.poly1305.aadcount[0] = 0;
331	0	c->u_mode.poly1305.aadcount[1] = 0;
332
333	0	c->u_mode.poly1305.datacount[0] = 0;
334	0	c->u_mode.poly1305.datacount[1] = 0;
335
336	0	c->u_mode.poly1305.bytecount_over_limits = 0;
337	0	c->u_mode.poly1305.aad_finalized = 0;
338	0	c->marks.tag = 0;
339	0	c->marks.iv = 0;
340	0	}
341
342
343		gcry_err_code_t
344		_gcry_cipher_poly1305_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
345	0	{
346	0	byte tmpbuf[64]; /* size of ChaCha20 block */
347	0	gcry_err_code_t err;
348
349		/* IV must be 96-bits */
350	0	if (!iv && ivlen != (96 / 8))
351	0	return GPG_ERR_INV_ARG;
352
353	0	memset(&c->u_mode.poly1305.ctx, 0, sizeof(c->u_mode.poly1305.ctx));
354
355	0	c->u_mode.poly1305.aadcount[0] = 0;
356	0	c->u_mode.poly1305.aadcount[1] = 0;
357
358	0	c->u_mode.poly1305.datacount[0] = 0;
359	0	c->u_mode.poly1305.datacount[1] = 0;
360
361	0	c->u_mode.poly1305.bytecount_over_limits = 0;
362	0	c->u_mode.poly1305.aad_finalized = 0;
363	0	c->marks.tag = 0;
364	0	c->marks.iv = 0;
365
366		/* Set up IV for stream cipher. */
367	0	c->spec->setiv (&c->context.c, iv, ivlen);
368
369		/* Get the first block from ChaCha20. */
370	0	memset(tmpbuf, 0, sizeof(tmpbuf));
371	0	c->spec->stencrypt(&c->context.c, tmpbuf, tmpbuf, sizeof(tmpbuf));
372
373		/* Use the first 32-bytes as Poly1305 key. */
374	0	err = _gcry_poly1305_init (&c->u_mode.poly1305.ctx, tmpbuf, POLY1305_KEYLEN);
375
376	0	wipememory(tmpbuf, sizeof(tmpbuf));
377
378	0	if (err)
379	0	return err;
380
381	0	c->marks.iv = 1;
382	0	return 0;
383	0	}