Merge branch 'master' of https://github.com/jedisct1/libsodium
* 'master' of https://github.com/jedisct1/libsodium: Indent xchacha20poly1305: optimize and be compatible with ietf chacha20poly1305 (#461)
This commit is contained in:
commit
4e8832ed57
@ -5,9 +5,8 @@
|
||||
#include <string.h>
|
||||
|
||||
#include "crypto_aead_xchacha20poly1305.h"
|
||||
#include "crypto_onetimeauth_poly1305.h"
|
||||
#include "crypto_stream_xchacha20.h"
|
||||
#include "crypto_verify_16.h"
|
||||
#include "crypto_aead_chacha20poly1305.h"
|
||||
#include "crypto_core_hchacha20.h"
|
||||
#include "utils.h"
|
||||
|
||||
#include "private/common.h"
|
||||
@ -24,32 +23,16 @@ crypto_aead_xchacha20poly1305_encrypt_detached(unsigned char *c,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
{
|
||||
crypto_onetimeauth_poly1305_state state;
|
||||
unsigned char block0[64U];
|
||||
unsigned char slen[8U];
|
||||
unsigned char k2[crypto_core_hchacha20_OUTPUTBYTES];
|
||||
int ret;
|
||||
|
||||
(void) nsec;
|
||||
crypto_stream_xchacha20(block0, sizeof block0, npub, k);
|
||||
crypto_onetimeauth_poly1305_init(&state, block0);
|
||||
sodium_memzero(block0, sizeof block0);
|
||||
crypto_core_hchacha20(k2, npub, k, NULL);
|
||||
ret = crypto_aead_chacha20poly1305_encrypt_detached
|
||||
(c, mac, maclen_p, m, mlen, ad, adlen, nsec,
|
||||
npub + crypto_core_hchacha20_INPUTBYTES, k2);
|
||||
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
|
||||
|
||||
crypto_onetimeauth_poly1305_update(&state, ad, adlen);
|
||||
STORE64_LE(slen, (uint64_t) adlen);
|
||||
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
|
||||
|
||||
crypto_stream_xchacha20_xor_ic(c, m, mlen, npub, 1U, k);
|
||||
|
||||
crypto_onetimeauth_poly1305_update(&state, c, mlen);
|
||||
STORE64_LE(slen, (uint64_t) mlen);
|
||||
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
|
||||
|
||||
crypto_onetimeauth_poly1305_final(&state, mac);
|
||||
sodium_memzero(&state, sizeof state);
|
||||
|
||||
if (maclen_p != NULL) {
|
||||
*maclen_p = crypto_aead_xchacha20poly1305_ABYTES;
|
||||
}
|
||||
return 0;
|
||||
return ret;
|
||||
}
|
||||
|
||||
int
|
||||
@ -94,43 +77,17 @@ crypto_aead_xchacha20poly1305_decrypt_detached(unsigned char *m,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
{
|
||||
crypto_onetimeauth_poly1305_state state;
|
||||
unsigned char block0[64U];
|
||||
unsigned char slen[8U];
|
||||
unsigned char computed_mac[crypto_aead_xchacha20poly1305_ABYTES];
|
||||
unsigned long long mlen;
|
||||
unsigned char k2[crypto_core_hchacha20_OUTPUTBYTES];
|
||||
int ret;
|
||||
|
||||
(void) nsec;
|
||||
crypto_stream_xchacha20(block0, sizeof block0, npub, k);
|
||||
crypto_onetimeauth_poly1305_init(&state, block0);
|
||||
sodium_memzero(block0, sizeof block0);
|
||||
crypto_core_hchacha20(k2, npub, k, NULL);
|
||||
ret = crypto_aead_chacha20poly1305_decrypt_detached
|
||||
(m, nsec, c, clen, mac, ad, adlen,
|
||||
npub + crypto_core_hchacha20_INPUTBYTES, k2);
|
||||
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
|
||||
|
||||
crypto_onetimeauth_poly1305_update(&state, ad, adlen);
|
||||
STORE64_LE(slen, (uint64_t) adlen);
|
||||
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
|
||||
|
||||
mlen = clen;
|
||||
crypto_onetimeauth_poly1305_update(&state, c, mlen);
|
||||
STORE64_LE(slen, (uint64_t) mlen);
|
||||
crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
|
||||
|
||||
crypto_onetimeauth_poly1305_final(&state, computed_mac);
|
||||
sodium_memzero(&state, sizeof state);
|
||||
|
||||
(void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
|
||||
ret = crypto_verify_16(computed_mac, mac);
|
||||
sodium_memzero(computed_mac, sizeof computed_mac);
|
||||
if (m == NULL) {
|
||||
return ret;
|
||||
}
|
||||
if (ret != 0) {
|
||||
memset(m, 0, mlen);
|
||||
return -1;
|
||||
}
|
||||
crypto_stream_xchacha20_xor_ic(m, c, mlen, npub, 1U, k);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int
|
||||
@ -163,6 +120,115 @@ crypto_aead_xchacha20poly1305_decrypt(unsigned char *m,
|
||||
return ret;
|
||||
}
|
||||
|
||||
int
|
||||
crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
|
||||
unsigned char *mac,
|
||||
unsigned long long *maclen_p,
|
||||
const unsigned char *m,
|
||||
unsigned long long mlen,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *nsec,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
{
|
||||
unsigned char k2[crypto_core_hchacha20_OUTPUTBYTES];
|
||||
unsigned char npub2[crypto_aead_chacha20poly1305_ietf_NPUBBYTES] = { 0 };
|
||||
int ret;
|
||||
|
||||
crypto_core_hchacha20(k2, npub, k, NULL);
|
||||
memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES, crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4);
|
||||
ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached
|
||||
(c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub2, k2);
|
||||
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
|
||||
|
||||
return ret;
|
||||
}
|
||||
|
||||
int
|
||||
crypto_aead_xchacha20poly1305_ietf_encrypt(unsigned char *c,
|
||||
unsigned long long *clen_p,
|
||||
const unsigned char *m,
|
||||
unsigned long long mlen,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *nsec,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
{
|
||||
unsigned long long clen = 0ULL;
|
||||
int ret;
|
||||
|
||||
if (mlen > UINT64_MAX - crypto_aead_xchacha20poly1305_ietf_ABYTES) {
|
||||
abort(); /* LCOV_EXCL_LINE */
|
||||
}
|
||||
ret = crypto_aead_xchacha20poly1305_ietf_encrypt_detached
|
||||
(c, c + mlen, NULL, m, mlen, ad, adlen, nsec, npub, k);
|
||||
if (clen_p != NULL) {
|
||||
if (ret == 0) {
|
||||
clen = mlen + crypto_aead_xchacha20poly1305_ietf_ABYTES;
|
||||
}
|
||||
*clen_p = clen;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
int
|
||||
crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m,
|
||||
unsigned char *nsec,
|
||||
const unsigned char *c,
|
||||
unsigned long long clen,
|
||||
const unsigned char *mac,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
{
|
||||
unsigned char k2[crypto_core_hchacha20_OUTPUTBYTES];
|
||||
unsigned char npub2[crypto_aead_chacha20poly1305_ietf_NPUBBYTES] = { 0 };
|
||||
int ret;
|
||||
|
||||
crypto_core_hchacha20(k2, npub, k, NULL);
|
||||
memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES,
|
||||
crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4);
|
||||
ret = crypto_aead_chacha20poly1305_ietf_decrypt_detached
|
||||
(m, nsec, c, clen, mac, ad, adlen, npub2, k2);
|
||||
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
|
||||
|
||||
return ret;
|
||||
|
||||
}
|
||||
|
||||
int
|
||||
crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m,
|
||||
unsigned long long *mlen_p,
|
||||
unsigned char *nsec,
|
||||
const unsigned char *c,
|
||||
unsigned long long clen,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
{
|
||||
unsigned long long mlen = 0ULL;
|
||||
int ret = -1;
|
||||
|
||||
if (clen >= crypto_aead_xchacha20poly1305_ietf_ABYTES) {
|
||||
ret = crypto_aead_xchacha20poly1305_ietf_decrypt_detached
|
||||
(m, nsec,
|
||||
c, clen - crypto_aead_xchacha20poly1305_ietf_ABYTES,
|
||||
c + clen - crypto_aead_xchacha20poly1305_ietf_ABYTES,
|
||||
ad, adlen, npub, k);
|
||||
}
|
||||
if (mlen_p != NULL) {
|
||||
if (ret == 0) {
|
||||
mlen = clen - crypto_aead_xchacha20poly1305_ietf_ABYTES;
|
||||
}
|
||||
*mlen_p = mlen;
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
|
||||
size_t
|
||||
crypto_aead_xchacha20poly1305_keybytes(void) {
|
||||
return crypto_aead_xchacha20poly1305_KEYBYTES;
|
||||
@ -182,3 +248,23 @@ size_t
|
||||
crypto_aead_xchacha20poly1305_abytes(void) {
|
||||
return crypto_aead_xchacha20poly1305_ABYTES;
|
||||
}
|
||||
|
||||
size_t
|
||||
crypto_aead_xchacha20poly1305_ietf_keybytes(void) {
|
||||
return crypto_aead_xchacha20poly1305_ietf_KEYBYTES;
|
||||
}
|
||||
|
||||
size_t
|
||||
crypto_aead_xchacha20poly1305_ietf_npubbytes(void) {
|
||||
return crypto_aead_xchacha20poly1305_ietf_NPUBBYTES;
|
||||
}
|
||||
|
||||
size_t
|
||||
crypto_aead_xchacha20poly1305_ietf_nsecbytes(void) {
|
||||
return crypto_aead_xchacha20poly1305_ietf_NSECBYTES;
|
||||
}
|
||||
|
||||
size_t
|
||||
crypto_aead_xchacha20poly1305_ietf_abytes(void) {
|
||||
return crypto_aead_xchacha20poly1305_ietf_ABYTES;
|
||||
}
|
||||
|
@ -27,6 +27,22 @@ size_t crypto_aead_xchacha20poly1305_npubbytes(void);
|
||||
SODIUM_EXPORT
|
||||
size_t crypto_aead_xchacha20poly1305_abytes(void);
|
||||
|
||||
#define crypto_aead_xchacha20poly1305_ietf_KEYBYTES 32U
|
||||
SODIUM_EXPORT
|
||||
size_t crypto_aead_xchacha20poly1305_ietf_keybytes(void);
|
||||
|
||||
#define crypto_aead_xchacha20poly1305_ietf_NSECBYTES 0U
|
||||
SODIUM_EXPORT
|
||||
size_t crypto_aead_xchacha20poly1305_ietf_nsecbytes(void);
|
||||
|
||||
#define crypto_aead_xchacha20poly1305_ietf_NPUBBYTES 24U
|
||||
SODIUM_EXPORT
|
||||
size_t crypto_aead_xchacha20poly1305_ietf_npubbytes(void);
|
||||
|
||||
#define crypto_aead_xchacha20poly1305_ietf_ABYTES 16U
|
||||
SODIUM_EXPORT
|
||||
size_t crypto_aead_xchacha20poly1305_ietf_abytes(void);
|
||||
|
||||
SODIUM_EXPORT
|
||||
int crypto_aead_xchacha20poly1305_encrypt(unsigned char *c,
|
||||
unsigned long long *clen_p,
|
||||
@ -74,6 +90,60 @@ int crypto_aead_xchacha20poly1305_decrypt_detached(unsigned char *m,
|
||||
const unsigned char *k)
|
||||
__attribute__ ((warn_unused_result));
|
||||
|
||||
SODIUM_EXPORT
|
||||
int crypto_aead_xchacha20poly1305_ietf_encrypt(unsigned char *c,
|
||||
unsigned long long *clen_p,
|
||||
const unsigned char *m,
|
||||
unsigned long long mlen,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *nsec,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k);
|
||||
|
||||
SODIUM_EXPORT
|
||||
int crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m,
|
||||
unsigned long long *mlen_p,
|
||||
unsigned char *nsec,
|
||||
const unsigned char *c,
|
||||
unsigned long long clen,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
__attribute__ ((warn_unused_result));
|
||||
|
||||
SODIUM_EXPORT
|
||||
int crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
|
||||
unsigned char *mac,
|
||||
unsigned long long *maclen_p,
|
||||
const unsigned char *m,
|
||||
unsigned long long mlen,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *nsec,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k);
|
||||
|
||||
SODIUM_EXPORT
|
||||
int crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m,
|
||||
unsigned char *nsec,
|
||||
const unsigned char *c,
|
||||
unsigned long long clen,
|
||||
const unsigned char *mac,
|
||||
const unsigned char *ad,
|
||||
unsigned long long adlen,
|
||||
const unsigned char *npub,
|
||||
const unsigned char *k)
|
||||
__attribute__ ((warn_unused_result));
|
||||
|
||||
/* Aliases */
|
||||
|
||||
#define crypto_aead_xchacha20poly1305_IETF_KEYBYTES crypto_aead_xchacha20poly1305_ietf_KEYBYTES
|
||||
#define crypto_aead_xchacha20poly1305_IETF_NSECBYTES crypto_aead_xchacha20poly1305_ietf_NSECBYTES
|
||||
#define crypto_aead_xchacha20poly1305_IETF_NPUBBYTES crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
|
||||
#define crypto_aead_xchacha20poly1305_IETF_ABYTES crypto_aead_xchacha20poly1305_ietf_ABYTES
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
Loading…
Reference in New Issue
Block a user