mirror of
https://github.com/trezor/trezor-firmware.git
synced 2025-01-10 23:40:58 +00:00
Fix counter initialization bug in rfc7539_init(). Fix const correctness in rfc7539.h and chacha20poly1305.h. (#188)
parent
2bbbc3e155
commit
7079277fb0
@ -10,7 +10,7 @@ void hchacha20(ECRYPT_ctx *x,u8 *c);
|
|||||||
// Initialize the XChaCha20 + Poly1305 context for encryption or decryption
|
// Initialize the XChaCha20 + Poly1305 context for encryption or decryption
|
||||||
// using a 32 byte key and 24 byte nonce. The key and the first 16 bytes of
|
// using a 32 byte key and 24 byte nonce. The key and the first 16 bytes of
|
||||||
// the nonce are used as input to HChaCha20 to derive the Chacha20 key.
|
// the nonce are used as input to HChaCha20 to derive the Chacha20 key.
|
||||||
void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[24]) {
|
void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[24]) {
|
||||||
unsigned char subkey[32] = {0};
|
unsigned char subkey[32] = {0};
|
||||||
unsigned char block0[64] = {0};
|
unsigned char block0[64] = {0};
|
||||||
ECRYPT_ctx tmp;
|
ECRYPT_ctx tmp;
|
||||||
@ -37,20 +37,20 @@ void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t
|
|||||||
|
|
||||||
// Encrypt n bytes of plaintext where n must be evenly divisible by the
|
// Encrypt n bytes of plaintext where n must be evenly divisible by the
|
||||||
// Chacha20 blocksize of 64, except for the final n bytes of plaintext.
|
// Chacha20 blocksize of 64, except for the final n bytes of plaintext.
|
||||||
void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n) {
|
void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n) {
|
||||||
ECRYPT_encrypt_bytes(&ctx->chacha20, in, out, n);
|
ECRYPT_encrypt_bytes(&ctx->chacha20, in, out, n);
|
||||||
poly1305_update(&ctx->poly1305, out, n);
|
poly1305_update(&ctx->poly1305, out, n);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Decrypt n bytes of ciphertext where n must be evenly divisible by the
|
// Decrypt n bytes of ciphertext where n must be evenly divisible by the
|
||||||
// Chacha20 blocksize of 64, except for the final n bytes of ciphertext.
|
// Chacha20 blocksize of 64, except for the final n bytes of ciphertext.
|
||||||
void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n) {
|
void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n) {
|
||||||
poly1305_update(&ctx->poly1305, in, n);
|
poly1305_update(&ctx->poly1305, in, n);
|
||||||
ECRYPT_encrypt_bytes(&ctx->chacha20, in, out, n);
|
ECRYPT_encrypt_bytes(&ctx->chacha20, in, out, n);
|
||||||
}
|
}
|
||||||
|
|
||||||
// Include authenticated data in the Poly1305 MAC.
|
// Include authenticated data in the Poly1305 MAC.
|
||||||
void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n) {
|
void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n) {
|
||||||
poly1305_update(&ctx->poly1305, in, n);
|
poly1305_update(&ctx->poly1305, in, n);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
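Review bot: chacha20poly1305_decrypt writes plaintext to `out` right after absorbing the ciphertext into the MAC, and nothing in this file section verifies a tag, so its header comment should say the output is unauthenticated until the caller has checked the MAC. I would add `// The plaintext in out must not be used until the MAC from chacha20poly1305_finish() has been compared, in constant time, with the received tag.` above the function. The same comment could also state that the 64-byte-multiple requirement on n is not enforced here. A non-final call with another length presumably desynchronises the keystream, though ECRYPT_encrypt_bytes is not shown on this page.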
@ -10,10 +10,10 @@ typedef struct {
|
|||||||
poly1305_context poly1305;
|
poly1305_context poly1305;
|
||||||
} chacha20poly1305_ctx;
|
} chacha20poly1305_ctx;
|
||||||
|
|
||||||
void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[24]);
|
void xchacha20poly1305_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[24]);
|
||||||
void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n);
|
void chacha20poly1305_encrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n);
|
||||||
void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, uint8_t *in, uint8_t *out, size_t n);
|
void chacha20poly1305_decrypt(chacha20poly1305_ctx *ctx, const uint8_t *in, uint8_t *out, size_t n);
|
||||||
void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n);
|
void chacha20poly1305_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n);
|
||||||
void chacha20poly1305_finish(chacha20poly1305_ctx *ctx, uint8_t mac[16]);
|
void chacha20poly1305_finish(chacha20poly1305_ctx *ctx, uint8_t mac[16]);
|
||||||
|
|
||||||
#endif // CHACHA20POLY1305_H
|
#endif // CHACHA20POLY1305_H
|
||||||
|
@ -7,10 +7,11 @@
|
|||||||
|
|
||||||
// Initialize the ChaCha20 + Poly1305 context for encryption or decryption
|
// Initialize the ChaCha20 + Poly1305 context for encryption or decryption
|
||||||
// using a 32 byte key and 12 byte nonce as in the RFC 7539 style.
|
// using a 32 byte key and 12 byte nonce as in the RFC 7539 style.
|
||||||
void rfc7539_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[12]) {
|
void rfc7539_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[12]) {
|
||||||
unsigned char block0[64] = {0};
|
unsigned char block0[64] = {0};
|
||||||
|
|
||||||
ECRYPT_keysetup(&ctx->chacha20, key, 256, 16);
|
ECRYPT_keysetup(&ctx->chacha20, key, 256, 16);
|
||||||
|
ctx->chacha20.input[12] = 0;
|
||||||
ctx->chacha20.input[13] = U8TO32_LITTLE(nonce + 0);
|
ctx->chacha20.input[13] = U8TO32_LITTLE(nonce + 0);
|
||||||
ctx->chacha20.input[14] = U8TO32_LITTLE(nonce + 4);
|
ctx->chacha20.input[14] = U8TO32_LITTLE(nonce + 4);
|
||||||
ctx->chacha20.input[15] = U8TO32_LITTLE(nonce + 8);
|
ctx->chacha20.input[15] = U8TO32_LITTLE(nonce + 8);
|
||||||
@ -24,7 +25,7 @@ void rfc7539_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[12])
|
|||||||
// Include authenticated data in the Poly1305 MAC using the RFC 7539
|
// Include authenticated data in the Poly1305 MAC using the RFC 7539
|
||||||
// style with 16 byte padding. This must only be called once and prior
|
// style with 16 byte padding. This must only be called once and prior
|
||||||
// to encryption or decryption.
|
// to encryption or decryption.
|
||||||
void rfc7539_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n) {
|
void rfc7539_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n) {
|
||||||
uint8_t padding[16] = {0};
|
uint8_t padding[16] = {0};
|
||||||
poly1305_update(&ctx->poly1305, in, n);
|
poly1305_update(&ctx->poly1305, in, n);
|
||||||
if (n % 16 != 0)
|
if (n % 16 != 0)
|
||||||
|
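Review bot: The added `ctx->chacha20.input[12] = 0;` in rfc7539_init has no comment, and the reason it is needed is easy to lose. The function fills the nonce words by hand, and ECRYPT_keysetup() evidently does not set input[12], so without this line the block counter keeps whatever the caller's context held before. I would put `// Block counter must start at 0: keysetup does not touch input[12], so a reused or uninitialized ctx would otherwise begin at an arbitrary block.` above the new line. A regression test that fills the context with 0xFF bytes before calling rfc7539_init and then checks an RFC 7539 test vector would pin the fix. The function body continues outside the hunk.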
@ -3,8 +3,8 @@
|
|||||||
|
|
||||||
#include "chacha20poly1305.h"
|
#include "chacha20poly1305.h"
|
||||||
|
|
||||||
void rfc7539_init(chacha20poly1305_ctx *ctx, uint8_t key[32], uint8_t nonce[12]);
|
void rfc7539_init(chacha20poly1305_ctx *ctx, const uint8_t key[32], const uint8_t nonce[12]);
|
||||||
void rfc7539_auth(chacha20poly1305_ctx *ctx, uint8_t *in, size_t n);
|
void rfc7539_auth(chacha20poly1305_ctx *ctx, const uint8_t *in, size_t n);
|
||||||
void rfc7539_finish(chacha20poly1305_ctx *ctx, int64_t alen, int64_t plen, uint8_t mac[16]);
|
void rfc7539_finish(chacha20poly1305_ctx *ctx, int64_t alen, int64_t plen, uint8_t mac[16]);
|
||||||
|
|
||||||
#endif // RFC7539_H
|
#endif // RFC7539_H
|
||||||
|
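Review bot: rfc7539_finish still takes `int64_t alen, int64_t plen` while every other length on this page is `size_t`, so a negative value is representable in arguments that presumably feed the length block of the MAC. Since these prototypes are being touched for const correctness anyway, `uint64_t alen, uint64_t plen` would make the type match the quantity. Whether the implementation rejects negative values is not visible here.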