[openssl-dev] [openssl.org #4483] Wrong results with Poly1305 functions

Hanno Boeck via RT rt at openssl.org
Fri Mar 25 12:10:32 UTC 2016

Attached is sample code that will test various inputs for the
Poly1305 functions of openssl.

These produce wrong results. The first example does so only on 32 bit,
the other three also on 64 bit.

David Benjamin has already reported incorrect results for Poly1305 in
bug #4439; these are separate issues. I have tested this against latest
git + the patch Andy Polyakov provided in that thread (+ the typo fix
David Benjamin mentioned).
I have checked the results against two reference implementations
(donna-poly1305 and the gmpxx example code from DJB), so I'm reasonably
confident the bug is in openssl and not in the reference code.

This needs to be compiled inside a compiled openssl tree (see comment).

The simplest example triggering a wrong result is a key completely
consisting of bytes with value 0c and an input of 02:fc.

This was found with the help of american fuzzy lop.

Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4483
Please log in as guest with password guest if prompted

-------------- next part --------------
A non-text attachment was scrubbed...
Name: polytest.c
Type: text/x-c++src
Size: 7590 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-dev/attachments/20160325/725c21e8/attachment.c>
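
An independent check for the input named in the report (key of 32 bytes 0x0c, message 02:fc), as an added example that is neither the scrubbed polytest.c attachment nor OpenSSL code: a big-integer Poly1305 in Python following RFC 7539, in the same spirit as comparing against a reference implementation. All function and constant names here are hypothetical.

```python
import hmac

P = (1 << 130) - 5                            # Poly1305 prime 2^130 - 5
R_CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff  # clamp mask from RFC 7539
MASK128 = (1 << 128) - 1

# The input named in the report: key of 32 bytes 0x0c, message 02:fc.
REPORT_KEY = bytes([0x0c]) * 32
REPORT_MSG = bytes.fromhex("02fc")


def poly1305_state(key: bytes, msg: bytes) -> tuple:
    """Return (h, s): the fully reduced accumulator and the pad."""
    if len(key) != 32:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & R_CLAMP
    s = int.from_bytes(key[16:], "little")
    h = 0
    for off in range(0, len(msg), 16):
        # Each block (the last may be short) gets a 0x01 byte appended.
        n = int.from_bytes(msg[off:off + 16] + b"\x01", "little")
        # Python integers are unbounded, so there is no limb or carry handling.
        h = (h + n) * r % P
    return h, s


def poly1305_ref(key: bytes, msg: bytes) -> bytes:
    """16-byte tag: (h + s) mod 2^128, little-endian."""
    h, s = poly1305_state(key, msg)
    return ((h + s) & MASK128).to_bytes(16, "little")


def cross_check(candidate_tag: bytes, key: bytes, msg: bytes) -> bool:
    """True if a tag from the implementation under test matches the reference."""
    return hmac.compare_digest(candidate_tag, poly1305_ref(key, msg))


if __name__ == "__main__":
    h, _ = poly1305_state(REPORT_KEY, REPORT_MSG)
    print("accumulator h:", hex(h))
    print("reference tag:", poly1305_ref(REPORT_KEY, REPORT_MSG).hex())
```

Pass the tag computed by the build under test to `cross_check`; the exposed accumulator `h` lets a limb-based implementation's state after final reduction be compared as well.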
