| Adam Langley | 6814ed3 | 2012-09-08 14:24:19 -0400 | [diff] [blame] | 1 | // Copyright 2012 The Go Authors. All rights reserved. |
| 2 | // Use of this source code is governed by a BSD-style |
| 3 | // license that can be found in the LICENSE file. |
| 4 | |
| 5 | /* |
| 6 | Package poly1305 implements Poly1305 one-time message authentication code as specified in http://cr.yp.to/mac/poly1305-20050329.pdf. |
| 7 | |
| 8 | Poly1305 is a fast, one-time authentication function. It is infeasible for an |
| 9 | attacker to generate an authenticator for a message without the key. However, a |
| 10 | key must only be used for a single message. Authenticating two different |
| 11 | messages with the same key allows an attacker to forge authenticators for other |
| 12 | messages with the same key. |
| 13 | |
| 14 | Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES was |
| 15 | used with a fixed key in order to generate one-time keys from an nonce. |
| 16 | However, in this package AES isn't used and the one-time key is specified |
| 17 | directly. |
| 18 | */ |
| David Symonds | 1fbbd62 | 2014-12-09 13:38:15 +1100 | [diff] [blame] | 19 | package poly1305 // import "golang.org/x/crypto/poly1305" |
| Adam Langley | 6814ed3 | 2012-09-08 14:24:19 -0400 | [diff] [blame] | 20 | |
| 21 | import "crypto/subtle" |
| 22 | |
| 23 | // TagSize is the size, in bytes, of a poly1305 authenticator. |
| 24 | const TagSize = 16 |
| 25 | |
| 26 | // Verify returns true if mac is a valid authenticator for m with the given |
| 27 | // key. |
| 28 | func Verify(mac *[16]byte, m []byte, key *[32]byte) bool { |
| 29 | var tmp [16]byte |
| 30 | Sum(&tmp, m, key) |
| 31 | return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1 |
| 32 | } |
