From 2542367c2db367283af164aa10f4d4f80e7e386d Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 1 Oct 2017 10:08:04 +0200
Subject: [PATCH] secretstream: set the initial counter to 1

Avoids using the first block for two different purposes, and will be more consistent with the AES-based version. This breaks backwards compatibility, but better do it now that most distro are still shipping < 1.0.14, that no applications seem to be already using that new API, and that there will be an update to the library major due to the aes128ctr removal.
---
 .../secretstream_xchacha20poly1305.c | 16 ++++++++++++----
 test/default/secretstream.c | 3 ++-
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
index 2d0c9ff9..ef000d16 100644
--- a/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
+++ b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
@@ -23,6 +23,15 @@ static const unsigned char _pad0[16] = { 0 };
+static inline void
+_crypto_secretstream_xchacha20poly1305_counter_reset
+ (crypto_secretstream_xchacha20poly1305_state *state)
+{
+ memset(STATE_COUNTER(state), 0,
+ crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+ STATE_COUNTER(state)[0] = 1;
+}
+
 void crypto_secretstream_xchacha20poly1305_keygen (unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
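Review bot: The new `_crypto_secretstream_xchacha20poly1305_counter_reset` helper stores the magic value with `STATE_COUNTER(state)[0] = 1;` and nothing in the hunk says why the counter starts at 1 rather than 0, or that byte 0 is meant as the least-significant byte of the 4-byte counter; whoever maintains the increment and wrap check in push/pull (outside this hunk) has to rediscover that the two must agree. Suggest a comment above the helper: `/* Counter starts at 1, never 0, so the first block is not used for two different purposes (and matches the AES-based variant); byte 0 is the low byte, keep in sync with the counter increment in push/pull. */` — the byte order part assumes the increment is little-endian, which the byte-0 store suggests but the hunk does not show, so confirm against the increment site. As a style nit, a file-scope identifier beginning with an underscore is in the namespace C11 §7.1.3 reserves for the implementation; `static` already keeps the symbol private, so the leading underscore buys nothing (libsodium uses the prefix elsewhere, so this is consistency rather than a defect).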
@@ -47,7 +56,7 @@ crypto_secretstream_xchacha20poly1305_init_push
 randombytes_buf(out, crypto_secretstream_xchacha20poly1305_HEADERBYTES);
 crypto_core_hchacha20(state->k, out, k, NULL);
- memset(STATE_COUNTER(state), 0, crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+ _crypto_secretstream_xchacha20poly1305_counter_reset(state);
 memcpy(STATE_INONCE(state), out + crypto_core_hchacha20_INPUTBYTES, crypto_secretstream_xchacha20poly1305_INONCEBYTES);
 memset(state->_pad, 0, sizeof state->_pad);
@@ -62,7 +71,7 @@ crypto_secretstream_xchacha20poly1305_init_pull
 const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
 {
 crypto_core_hchacha20(state->k, in, k, NULL);
- memset(STATE_COUNTER(state), 0, crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+ _crypto_secretstream_xchacha20poly1305_counter_reset(state);
 memcpy(STATE_INONCE(state), in + crypto_core_hchacha20_INPUTBYTES, crypto_secretstream_xchacha20poly1305_INONCEBYTES);
 memset(state->_pad, 0, sizeof state->_pad);
@@ -95,8 +104,7 @@ crypto_secretstream_xchacha20poly1305_rekey
 STATE_INONCE(state)[i] = new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + i];
 }
- memset(STATE_COUNTER(state), 0,
- crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+ _crypto_secretstream_xchacha20poly1305_counter_reset(state);
 }
 int
diff --git a/test/default/secretstream.c b/test/default/secretstream.c
index b3cefc97..6e842e98 100644
--- a/test/default/secretstream.c
+++ b/test/default/secretstream.c
@@ -219,7 +219,8 @@ main(void)
 assert(memcmp(state_copy.k, state->k, sizeof state->k) != 0);
 assert(memcmp(state_copy.nonce, state->nonce, sizeof state->nonce) != 0);
- assert(sodium_is_zero(state->nonce, 4U));
+ assert(state->nonce[0] == 1U);
+ assert(sodium_is_zero(state->nonce + 1, 3U));
 ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k);
 assert(ret == 0);
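Review bot: After this hunk and the matching replacements in init_pull (@@ -62) and rekey (@@ -95), a counter value of 0 is never produced by any reset, but none of the three call sites says so, and the wrap-to-zero handling that presumably sits in the push/pull paths (outside these hunks) now silently depends on that invariant; the enclosing init_push body begins and ends outside the hunk. Suggest a one-line comment at this first call rather than at all three: `/* counter starts at 1 (see counter_reset); 0 is only reachable by wrap-around */`. Since the header layout is unchanged, a stream written by a build that started the counter at 0 will now fail authentication on the first pull instead of being rejected by any explicit version check; that is the safe failure mode, but as the commit message already calls this a compatibility break it is worth stating in the public header or changelog so the auth failure is not mistaken for corruption.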
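Review bot: The two new assertions pin the counter only for the state compared against state_copy, which from the preceding memcmp checks appears to be the post-rekey state; the init_pull call two lines below (and the init_push earlier in main, outside the hunk) is not checked for the same initial value, so a regression in either init_* caller of counter_reset would still pass. Suggest after `assert(ret == 0);` adding `assert(state->nonce[0] == 1U); assert(sodium_is_zero(state->nonce + 1, 3U));`. The literals `1` and `3U` (and the removed `4U`) encode the 4-byte counter layout that the library keeps private; a test-local named constant for the counter size would make the intent readable. Because this commit deliberately changes the wire format, a fixed-key, fixed-header known-answer check on the first ciphertext would catch any future change to the initial counter that these byte-level assertions on the state would not.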