From 7079277fb0aa5db9c7cbbdec9117b8239aeccff7 Mon Sep 17 00:00:00 2001
From: Andrew Kozlik <42678794+andrewkozlik@users.noreply.github.com>
Date: Fri, 30 Nov 2018 15:17:52 +0100
Subject: [PATCH] Fix counter initialization bug in rfc7539_init(). Fix const correctness in rfc7539.h and chacha20poly1305.h. (#188)
---
 chacha20poly1305/chacha20poly1305.c | 8 ++++----
 chacha20poly1305/chacha20poly1305.h | 8 ++++----
 chacha20poly1305/rfc7539.c | 5 +++--
 chacha20poly1305/rfc7539.h | 4 ++--
 4 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/chacha20poly1305/chacha20poly1305.c b/chacha20poly1305/chacha20poly1305.c
index d75ddd162b..e585f09514 100644
--- a/chacha20poly1305/chacha20poly1305.c
+++ b/chacha20poly1305/chacha20poly1305.c
@@ -10,7 +10,7 @@ void hchacha20(ECRYPT_ctx *x,u8 *c);
 // Initialize the XChaCha20 + Poly1305 context for encryption or decryption
 // using a 32 byte key and 24 byte nonce. The key and the first 16 bytes of
 // the nonce are used as input to HChaCha20 to derive the Chacha20 key.
-void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[24]) {
+void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[24]) {
 unsigned char subkey[32] = {0};
 unsigned char block0[64] = {0};
 ECRYPT_ctx tmp;
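Review bot: `subkey` and `tmp` in xchacha20poly1305_init() are stack locals that, going by the comment above the function, end up holding the HChaCha20-derived key and a keyed ChaCha20 state, and nothing visible in this hunk clears them. The body continues past the hunk, so this may already be handled. If it is not, wipe them before returning with a call the compiler cannot elide, e.g. `explicit_bzero(subkey, sizeof subkey);` and `explicit_bzero(&tmp, sizeof tmp);`, or the project's own wipe helper. The same question applies to `block0` here and in rfc7539_init() in rfc7539.c, which presumably receives the Poly1305 one-time key.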
@@ -37,20 +37,20 @@ void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t
 // Encrypt n bytes of plaintext where n must be evenly divisible by the
 // Chacha20 blocksize of 64, except for the final n bytes of plaintext.
-void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n) {
+void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n) {
 ECRYPT_encrypt_bytes(&ctx->chacha20, in, out, n);
 poly1305_update(&ctx->poly1305, out, n);
 }
 // Decrypt n bytes of ciphertext where n must be evenly divisible by the
 // Chacha20 blocksize of 64, except for the final n bytes of ciphertext.
-void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n) {
+void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n) {
 poly1305_update(&ctx->poly1305, in, n);
 ECRYPT_encrypt_bytes(&ctx->chacha20, in, out, n);
 }
 // Include authenticated data in the Poly1305 MAC.
-void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n) {
+void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n) {
 poly1305_update(&ctx->poly1305, in, n);
 }
diff --git a/chacha20poly1305/chacha20poly1305.h b/chacha20poly1305/chacha20poly1305.h
index d02ea0c609..1f501f12ee 100644
--- a/chacha20poly1305/chacha20poly1305.h
+++ b/chacha20poly1305/chacha20poly1305.h
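Review bot: chacha20poly1305_decrypt() in chacha20poly1305.c writes plaintext to `out` before any tag has been checked, and the comment above it does not say so. Judging by the prototype of chacha20poly1305_finish(), which only hands back a MAC, verification is left to the caller. I would add to the decrypt comment something like `// The output is unauthenticated until the caller has compared the MAC from chacha20poly1305_finish() in constant time; discard it on mismatch.` Separately, the "n must be evenly divisible by 64" precondition on encrypt and decrypt is documented but not checked in either function.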
@@ -10,10 +10,10 @@ typedef struct {
 poly1305_context poly1305;
 } chacha20poly1305_ctx;
-void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[24]);
-void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n);
-void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n);
-void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n);
+void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[24]);
+void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n);
+void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n);
+void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n);
 void chacha20poly1305_finish(chacha20poly1305_ctx *ctx, uint8_t mac[16]);
 #endif // CHACHA20POLY1305_H
diff --git a/chacha20poly1305/rfc7539.c b/chacha20poly1305/rfc7539.c
index 7958e64376..94e5f0b233 100644
--- a/chacha20poly1305/rfc7539.c
+++ b/chacha20poly1305/rfc7539.c
@@ -7,10 +7,11 @@
 // Initialize the ChaCha20 + Poly1305 context for encryption or decryption
 // using a 32 byte key and 12 byte nonce as in the RFC 7539 style.
-void rfc7539_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[12]) {
+void rfc7539_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[12]) {
 unsigned char block0[64] = {0};
 ECRYPT_keysetup(&ctx->chacha20, key, 256, 16);
+ ctx->chacha20.input[12] = 0;
 ctx->chacha20.input[13] = U8TO32_LITTLE(nonce + 0);
 ctx->chacha20.input[14] = U8TO32_LITTLE(nonce + 4);
 ctx->chacha20.input[15] = U8TO32_LITTLE(nonce + 8);
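Review bot: The added `ctx->chacha20.input[12] = 0;` in rfc7539_init() carries no comment, and per the diffstat no test file is touched, so the bug it fixes could return unnoticed. A line such as `// Block counter: ECRYPT_keysetup() does not set input[12], so start it at 0 explicitly.` would record why the store is needed; that claim about ECRYPT_keysetup() is inferred from the fix and should be confirmed. A regression test that fills the context with non-zero bytes before calling rfc7539_init() and then checks an RFC 7539 test vector would pin the behaviour. The function body continues outside the hunk.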
@@ -24,7 +25,7 @@ void rfc7539_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[12])
 // Include authenticated data in the Poly1305 MAC using the RFC 7539
 // style with 16 byte padding. This must only be called once and prior
 // to encryption or decryption.
-void rfc7539_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n) {
+void rfc7539_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n) {
 uint8_t padding[16] = {0};
 poly1305_update(&ctx->poly1305, in, n);
 if (n % 16 != 0)
diff --git a/chacha20poly1305/rfc7539.h b/chacha20poly1305/rfc7539.h
index 2bd4990b6c..75e3d1d7ee 100644
--- a/chacha20poly1305/rfc7539.h
+++ b/chacha20poly1305/rfc7539.h
@@ -3,8 +3,8 @@
 #include "chacha20poly1305.h"
-void rfc7539_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[12]);
-void rfc7539_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n);
+void rfc7539_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[12]);
+void rfc7539_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n);
 void rfc7539_finish(chacha20poly1305_ctx *ctx, int64_t alen, int64_t plen, uint8_t mac[16]);
 #endif // RFC7539_H
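Review bot: rfc7539_auth() in rfc7539.c depends on being called exactly once and before any encrypt or decrypt call, but that rule is stated only in the comment above the definition and nothing visible in the hunk checks it. A caller reading rfc7539.h sees a bare prototype, and a misordered or repeated call would presumably produce a tag that no longer matches RFC 7539 without any error being reported. I would repeat the contract at the prototype, e.g. `// Call once, before any encrypt/decrypt call; the data is zero-padded to a 16-byte boundary.` The function body continues outside the hunk.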