X-Git-Url: http://git.meshlink.io/?a=blobdiff_plain;f=src%2Fchacha-poly1305%2Fchacha-poly1305.c;h=3b89b749e923e9c8fa5a1319ef48085c1d0f8a45;hb=eaea9a2ea3c80478a6aa4e502afaed5b5b6bbfde;hp=2711abb29eb04455ac38a77f0c9a14b3cb66b5a7;hpb=fa05f996c5500c056a36c1d43e33a407f876643c;p=meshlink

diff --git a/src/chacha-poly1305/chacha-poly1305.c b/src/chacha-poly1305/chacha-poly1305.c
index 2711abb2..3b89b749 100644
--- a/src/chacha-poly1305/chacha-poly1305.c
+++ b/src/chacha-poly1305/chacha-poly1305.c
@@ -68,6 +68,30 @@ bool chacha_poly1305_encrypt(chacha_poly1305_ctx_t *ctx, uint64_t seqnr, const v
 	return true;
 }
 
+bool chacha_poly1305_verify(chacha_poly1305_ctx_t *ctx, uint64_t seqnr, const void *indata, size_t inlen) {
+	uint8_t seqbuf[8];
+	uint8_t expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
+
+	/*
+	 * Run ChaCha20 once to generate the Poly1305 key. The IV is the
+	 * packet sequence number.
+	 */
+	memset(poly_key, 0, sizeof(poly_key));
+	put_u64(seqbuf, seqnr);
+	chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
+	chacha_encrypt_bytes(&ctx->main_ctx, poly_key, poly_key, sizeof(poly_key));
+
+	/* Check tag before anything else */
+	inlen -= POLY1305_TAGLEN;
+	const uint8_t *tag = (const uint8_t *)indata + inlen;
+
+	poly1305_auth(expected_tag, indata, inlen, poly_key);
+	if (memcmp(expected_tag, tag, POLY1305_TAGLEN))
+		return false;
+
+	return true;
+}
+
 bool chacha_poly1305_decrypt(chacha_poly1305_ctx_t *ctx, uint64_t seqnr, const void *indata, size_t inlen, void *outdata, size_t *outlen) {
 	uint8_t seqbuf[8];
 	const uint8_t one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 };	/* NB little-endian */