From: Guus Sliepen Date: Tue, 31 Aug 2021 14:27:47 +0000 (+0200) Subject: Move poly1305_get_tag() into poly1305.c, hide poly1305_init(). X-Git-Url: https://git.tinc-vpn.org/git/browse?a=commitdiff_plain;h=refs%2Fheads%2Ffeature%2Falt-ciphersuite;p=tinc Move poly1305_get_tag() into poly1305.c, hide poly1305_init(). The crypto library on Windows exposes a symbol named poly1305_init(), which clashes with ours. We can avoid this by moving poly1305_get_tag() to poly1305.[ch], where it belongs better, and this allows us to make all the lower-level Poly1305 functions static. Also remove the support for associated data while we are at it, since we are never using it. --- diff --git a/src/chacha-poly1305/chacha.h b/src/chacha-poly1305/chacha.h index a137ab6b..d4784f49 100644 --- a/src/chacha-poly1305/chacha.h +++ b/src/chacha-poly1305/chacha.h @@ -31,4 +31,3 @@ void chacha_encrypt_bytes(struct chacha_ctx *x, const unsigned char *m, unsigned char *c, uint32_t bytes); #endif /* CHACHA_H */ - diff --git a/src/chacha-poly1305/chachapoly.c b/src/chacha-poly1305/chachapoly.c index 9a6620ce..68f04edd 100644 --- a/src/chacha-poly1305/chachapoly.c +++ b/src/chacha-poly1305/chachapoly.c @@ -53,52 +53,6 @@ static int memcmp_eq(const void *av, const void *bv, int n) { return res; } -/** - * Poly1305 tag generation. This concatenates a string according to the rules - * outlined in RFC 7539 and calculates the tag. - * - * \param poly_key 32 byte secret one-time key for poly1305 - * \param ad associated data - * \param ad_len associated data length in bytes - * \param ct ciphertext - * \param ct_len ciphertext length in bytes - * \param tag pointer to 16 bytes for tag storage - */ -static void poly1305_get_tag(unsigned char *poly_key, const void *ad, - int ad_len, const void *ct, int ct_len, unsigned char *tag) { - struct poly1305_context poly; - unsigned left_over; - uint64_t len; - unsigned char pad[16]; - - poly1305_init(&poly, poly_key); - memset(&pad, 0, sizeof(pad)); - - /* associated data and padding */ - poly1305_update(&poly, ad, ad_len); - left_over = ad_len % 16; - - if(left_over) { - poly1305_update(&poly, pad, 16 - left_over); - } - - /* payload and padding */ - poly1305_update(&poly, ct, ct_len); - left_over = ct_len % 16; - - if(left_over) { - poly1305_update(&poly, pad, 16 - left_over); - } - - /* lengths */ - len = ad_len; - poly1305_update(&poly, (unsigned char *)&len, 8); - len = ct_len; - poly1305_update(&poly, (unsigned char *)&len, 8); - - poly1305_finish(&poly, tag); -} - int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len) { assert(key_len == 128 || key_len == 256); @@ -108,7 +62,7 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len) { } int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce, - const void *ad, int ad_len, void *input, int input_len, + void *input, int input_len, void *output, void *tag, int tag_len, int encrypt) { unsigned char poly_key[CHACHA_BLOCKLEN]; unsigned char calc_tag[POLY1305_TAGLEN]; @@ -121,7 +75,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce, /* check tag if decrypting */ if(encrypt == 0 && tag_len) { - poly1305_get_tag(poly_key, ad, ad_len, input, input_len, calc_tag); + poly1305_get_tag(poly_key, input, input_len, calc_tag); if(memcmp_eq(calc_tag, tag, tag_len) != 0) { return CHACHAPOLY_INVALID_MAC; @@ -135,7 +89,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce, /* add tag if encrypting */ if(encrypt && tag_len) { - poly1305_get_tag(poly_key, ad, ad_len, output, input_len, calc_tag); + poly1305_get_tag(poly_key, output, input_len, calc_tag); memcpy(tag, calc_tag, tag_len); } @@ -143,7 +97,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce, } int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce, - const void *ad, int ad_len, void *input, int input_len, + void *input, int input_len, void *output, void *tag, int tag_len, int encrypt) { unsigned char keystream[CHACHA_BLOCKLEN]; unsigned char calc_tag[POLY1305_TAGLEN]; @@ -159,7 +113,7 @@ int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce, /* check tag if decrypting */ if(encrypt == 0 && tag_len) { - poly1305_get_tag(keystream, ad, ad_len, input, input_len, calc_tag); + poly1305_get_tag(keystream, input, input_len, calc_tag); if(memcmp_eq(calc_tag, tag, tag_len) != 0) { return CHACHAPOLY_INVALID_MAC; @@ -174,7 +128,7 @@ int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce, /* add tag if encrypting */ if(encrypt && tag_len) { - poly1305_get_tag(keystream, ad, ad_len, output, input_len, calc_tag); + poly1305_get_tag(keystream, output, input_len, calc_tag); memcpy(tag, calc_tag, tag_len); } diff --git a/src/chacha-poly1305/chachapoly.h b/src/chacha-poly1305/chachapoly.h index ffc9576d..5d01f525 100644 --- a/src/chacha-poly1305/chachapoly.h +++ b/src/chacha-poly1305/chachapoly.h @@ -52,8 +52,6 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len); * * \param ctx context data * \param nonce nonce (12 bytes) - * \param ad associated data - * \param ad_len associated data length in bytes * \param input plaintext/ciphertext input * \param input_len input length in bytes; * \param output plaintext/ciphertext output @@ -65,7 +63,7 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len); * failed when decrypting */ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce, - const void *ad, int ad_len, void *input, int input_len, + void *input, int input_len, void *output, void *tag, int tag_len, int encrypt); /** @@ -76,7 +74,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce, * chachapoly_crypt. */ int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce, - const void *ad, int ad_len, void *input, int input_len, + void *input, int input_len, void *output, void *tag, int tag_len, int encrypt); #endif diff --git a/src/chacha-poly1305/poly1305.c b/src/chacha-poly1305/poly1305.c index 0c90564c..b25435a7 100644 --- a/src/chacha-poly1305/poly1305.c +++ b/src/chacha-poly1305/poly1305.c @@ -5,6 +5,20 @@ public domain #include "poly1305.h" +/* use memcpy() to copy blocks of memory (typically faster) */ +#define USE_MEMCPY 1 +/* use unaligned little-endian load/store (can be faster) */ +#define USE_UNALIGNED 0 + +struct poly1305_context { + uint32_t r[5]; + uint32_t h[5]; + uint32_t pad[4]; + size_t leftover; + unsigned char buffer[POLY1305_BLOCK_SIZE]; + unsigned char final; +}; + #if (USE_UNALIGNED == 1) #define U8TO32(p) \ (*((uint32_t *)(p))) @@ -33,7 +47,7 @@ U32TO8(unsigned char *p, uint32_t v) { } #endif -void +static void poly1305_init(struct poly1305_context *st, const unsigned char key[32]) { /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ st->r[0] = (U8TO32(&key[ 0])) & 0x3ffffff; @@ -131,7 +145,7 @@ poly1305_blocks(struct poly1305_context *st, const unsigned char *m, size_t byte st->h[4] = h4; } -void +static void poly1305_finish(struct poly1305_context *st, unsigned char mac[16]) { uint32_t h0, h1, h2, h3, h4, c; uint32_t g0, g1, g2, g3, g4; @@ -241,8 +255,7 @@ poly1305_finish(struct poly1305_context *st, unsigned char mac[16]) { st->pad[3] = 0; } - -void +static void poly1305_update(struct poly1305_context *st, const unsigned char *m, size_t bytes) { size_t i; @@ -293,10 +306,37 @@ poly1305_update(struct poly1305_context *st, const unsigned char *m, size_t byte } } +/** + * Poly1305 tag generation. This concatenates a string according to the rules + * outlined in RFC 7539 and calculates the tag. + * + * \param key 32 byte secret one-time key for poly1305 + * \param ct ciphertext + * \param ct_len ciphertext length in bytes + * \param tag pointer to 16 bytes for tag storage + */ void -poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) { +poly1305_get_tag(const unsigned char key[32], const void *ct, int ct_len, unsigned char tag[16]) { struct poly1305_context ctx; + unsigned left_over; + uint64_t len; + unsigned char pad[16]; + poly1305_init(&ctx, key); - poly1305_update(&ctx, m, bytes); - poly1305_finish(&ctx, mac); + memset(&pad, 0, sizeof(pad)); + + /* payload and padding */ + poly1305_update(&ctx, ct, ct_len); + left_over = ct_len % 16; + + if(left_over) { + poly1305_update(&ctx, pad, 16 - left_over); + } + + /* lengths */ + len = 0; + poly1305_update(&ctx, (unsigned char *)&len, 8); + len = ct_len; + poly1305_update(&ctx, (unsigned char *)&len, 8); + poly1305_finish(&ctx, tag); } diff --git a/src/chacha-poly1305/poly1305.h b/src/chacha-poly1305/poly1305.h index 624a19a9..5fc3b903 100644 --- a/src/chacha-poly1305/poly1305.h +++ b/src/chacha-poly1305/poly1305.h @@ -9,24 +9,6 @@ #define POLY1305_TAGLEN 16 #define POLY1305_BLOCK_SIZE 16 -/* use memcpy() to copy blocks of memory (typically faster) */ -#define USE_MEMCPY 1 -/* use unaligned little-endian load/store (can be faster) */ -#define USE_UNALIGNED 0 - -struct poly1305_context { - uint32_t r[5]; - uint32_t h[5]; - uint32_t pad[4]; - size_t leftover; - unsigned char buffer[POLY1305_BLOCK_SIZE]; - unsigned char final; -}; - -void poly1305_init(struct poly1305_context *ctx, const unsigned char key[32]); -void poly1305_update(struct poly1305_context *ctx, const unsigned char *m, size_t bytes); -void poly1305_finish(struct poly1305_context *ctx, unsigned char mac[16]); -void poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]); +void poly1305_get_tag(const unsigned char key[32], const void *ct, int ct_len, unsigned char tag[16]); #endif /* POLY1305_H */ - diff --git a/src/sptps.c b/src/sptps.c index 9e637bef..b36079d3 100644 --- a/src/sptps.c +++ b/src/sptps.c @@ -186,7 +186,7 @@ static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8 #ifndef HAVE_OPENSSL case SPTPS_CHACHA_POLY1305: { - if(chachapoly_crypt(ctx, nonce, NULL, 0, (void *)in, inlen, out, out + inlen, 16, 1) != CHACHAPOLY_OK) { + if(chachapoly_crypt(ctx, nonce, (void *)in, inlen, out, out + inlen, 16, 1) != CHACHAPOLY_OK) { return false; } @@ -267,7 +267,7 @@ static bool cipher_decrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8 #ifndef HAVE_OPENSSL case SPTPS_CHACHA_POLY1305: - if(chachapoly_crypt(ctx, nonce, NULL, 0, (void *)in, inlen, out, (void *)(in + inlen), 16, 0) != CHACHAPOLY_OK) { + if(chachapoly_crypt(ctx, nonce, (void *)in, inlen, out, (void *)(in + inlen), 16, 0) != CHACHAPOLY_OK) { return false; }