Bug in poly1305-donna-16.h #2
Comments
dchest
added a commit
to dchest/tweetnacl-js
that referenced
this issue
Mar 28, 2016
There is a bug in fast version, which was ported from 16-bit Poly1305-donna, where the bug comes from: floodyberry/poly1305-donna#2 Until we figure out the source of bug, return nacl-fast version to match the original nacl version.
|
Test that fails is: /* generates a final value of (2^130 - 2) == 3 */
static const unsigned char wrap_key[32] = {
0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
};
static const unsigned char wrap_msg[16] = {
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,
0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff
};
static const unsigned char wrap_mac[16] = {
0x03,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
}; |
|
Sorry about not updating for so long! This should be fixed now. The issue was not properly detecting if st->h was >= 2^130 - 5, coupled with believing my own README and defining POLY1305_16BITS instead of POLY1305_16BIT and not catching the failure. The chance of the bug affecting anything in the real world is essentially zero luckily, but it's good to have it fixed. |
|
Thanks a lot! |
|
Thank you! I just compiled and ran it under with GCC 4.7.3 and MS VC 6 and got I will add a comment to the stackoverflow question. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The code in poly1305-donna-16.h failed to pass the selftest and most of the test vectors from
http://tools.ietf.org/html/rfc7539. See my post and the answer at http://stackoverflow.com/questions/31806863/verification-of-poly1305-donna-16-h-code.
The text was updated successfully, but these errors were encountered: