poly1305/poly1305_compat.go - crypto - Git at Google

 // Copyright 2012 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.

 // Package poly1305 implements Poly1305 one-time message authentication code as
 // specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
 //
 // Poly1305 is a fast, one-time authentication function. It is infeasible for an
 // attacker to generate an authenticator for a message without the key. However, a
 // key must only be used for a single message. Authenticating two different
 // messages with the same key allows an attacker to forge authenticators for other
 // messages with the same key.
 //
 // Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES was
 // used with a fixed key in order to generate one-time keys from an nonce.
 // However, in this package AES isn't used and the one-time key is specified
 // directly.
 //
 // Deprecated: Poly1305 as implemented by this package is a cryptographic
 // building block that is not safe for general purpose use.
 // For encryption, use the full ChaCha20-Poly1305 construction implemented by
 // golang.org/x/crypto/chacha20poly1305. For authentication, use a general
 // purpose MAC such as HMAC implemented by crypto/hmac.
 package poly1305

 import "golang.org/x/crypto/internal/poly1305"

 // TagSize is the size, in bytes, of a poly1305 authenticator.
 //
 // For use with golang.org/x/crypto/chacha20poly1305, chacha20poly1305.Overhead
 // can be used instead.
 const TagSize = 16

 // Sum generates an authenticator for msg using a one-time key and puts the
 // 16-byte result into out. Authenticating two different messages with the same
 // key allows an attacker to forge messages at will.
 func Sum(out *[16]byte, m []byte, key *[32]byte) {
 	poly1305.Sum(out, m, key)
 }

 // Verify returns true if mac is a valid authenticator for m with the given key.
 func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
 	return poly1305.Verify(mac, m, key)
 }

 // New returns a new MAC computing an authentication
 // tag of all data written to it with the given key.
 // This allows writing the message progressively instead
 // of passing it as a single slice. Common users should use
 // the Sum function instead.
 //
 // The key must be unique for each message, as authenticating
 // two different messages with the same key allows an attacker
 // to forge messages at will.
 func New(key *[32]byte) *MAC {
 	return &MAC{mac: poly1305.New(key)}
 }

 // MAC is an io.Writer computing an authentication tag
 // of the data written to it.
 //
 // MAC cannot be used like common hash.Hash implementations,
 // because using a poly1305 key twice breaks its security.
 // Therefore writing data to a running MAC after calling
 // Sum or Verify causes it to panic.
 type MAC struct {
 	mac *poly1305.MAC
 }

 // Size returns the number of bytes Sum will return.
 func (h *MAC) Size() int { return TagSize }

 // Write adds more data to the running message authentication code.
 // It never returns an error.
 //
 // It must not be called after the first call of Sum or Verify.
 func (h *MAC) Write(p []byte) (n int, err error) {
 	return h.mac.Write(p)
 }

 // Sum computes the authenticator of all data written to the
 // message authentication code.
 func (h *MAC) Sum(b []byte) []byte {
 	return h.mac.Sum(b)
 }

 // Verify returns whether the authenticator of all data written to
 // the message authentication code matches the expected value.
 func (h *MAC) Verify(expected []byte) bool {
 	return h.mac.Verify(expected)
 }
	// Copyright 2012 The Go Authors. All rights reserved.
	// Use of this source code is governed by a BSD-style
	// license that can be found in the LICENSE file.

	// Package poly1305 implements Poly1305 one-time message authentication code as
	// specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
	//
	// Poly1305 is a fast, one-time authentication function. It is infeasible for an
	// attacker to generate an authenticator for a message without the key. However, a
	// key must only be used for a single message. Authenticating two different
	// messages with the same key allows an attacker to forge authenticators for other
	// messages with the same key.
	//
	// Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES was
	// used with a fixed key in order to generate one-time keys from an nonce.
	// However, in this package AES isn't used and the one-time key is specified
	// directly.
	//
	// Deprecated: Poly1305 as implemented by this package is a cryptographic
	// building block that is not safe for general purpose use.
	// For encryption, use the full ChaCha20-Poly1305 construction implemented by
	// golang.org/x/crypto/chacha20poly1305. For authentication, use a general
	// purpose MAC such as HMAC implemented by crypto/hmac.
	package poly1305

	import "golang.org/x/crypto/internal/poly1305"

	// TagSize is the size, in bytes, of a poly1305 authenticator.
	//
	// For use with golang.org/x/crypto/chacha20poly1305, chacha20poly1305.Overhead
	// can be used instead.
	const TagSize = 16

	// Sum generates an authenticator for msg using a one-time key and puts the
	// 16-byte result into out. Authenticating two different messages with the same
	// key allows an attacker to forge messages at will.
	func Sum(out [16]byte, m []byte, key [32]byte) {
	poly1305.Sum(out, m, key)
	}

	// Verify returns true if mac is a valid authenticator for m with the given key.
	func Verify(mac [16]byte, m []byte, key [32]byte) bool {
	return poly1305.Verify(mac, m, key)
	}

	// New returns a new MAC computing an authentication
	// tag of all data written to it with the given key.
	// This allows writing the message progressively instead
	// of passing it as a single slice. Common users should use
	// the Sum function instead.
	//
	// The key must be unique for each message, as authenticating
	// two different messages with the same key allows an attacker
	// to forge messages at will.
	func New(key [32]byte) MAC {
	return &MAC{mac: poly1305.New(key)}
	}

	// MAC is an io.Writer computing an authentication tag
	// of the data written to it.
	//
	// MAC cannot be used like common hash.Hash implementations,
	// because using a poly1305 key twice breaks its security.
	// Therefore writing data to a running MAC after calling
	// Sum or Verify causes it to panic.
	type MAC struct {
	mac *poly1305.MAC
	}

	// Size returns the number of bytes Sum will return.
	func (h *MAC) Size() int { return TagSize }

	// Write adds more data to the running message authentication code.
	// It never returns an error.
	//
	// It must not be called after the first call of Sum or Verify.
	func (h *MAC) Write(p []byte) (n int, err error) {
	return h.mac.Write(p)
	}

	// Sum computes the authenticator of all data written to the
	// message authentication code.
	func (h *MAC) Sum(b []byte) []byte {
	return h.mac.Sum(b)
	}

	// Verify returns whether the authenticator of all data written to
	// the message authentication code matches the expected value.
	func (h *MAC) Verify(expected []byte) bool {
	return h.mac.Verify(expected)
	}