
secretbox_open: no need to encrypt the first block twice

Frank Denis 2020-10-29 18:29:21 +01:00
parent 1801900486
commit 31436eb1df


@ -51,9 +51,7 @@ crypto_secretbox_detached(unsigned char *c, unsigned char *mac,
for (i = 0U; i < mlen0; i++) {
block0[i + crypto_secretbox_ZEROBYTES] = m[i];
}
crypto_stream_salsa20_xor(block0, block0,
mlen0 + crypto_secretbox_ZEROBYTES,
n + 16, subkey);
crypto_stream_salsa20_xor(block0, block0, 64U, n + 16, subkey);
COMPILER_ASSERT(crypto_secretbox_ZEROBYTES >=
crypto_onetimeauth_poly1305_KEYBYTES);
crypto_onetimeauth_poly1305_init(&state, block0);
@ -100,8 +98,16 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c,
unsigned long long mlen0;
crypto_core_hsalsa20(subkey, n, k, NULL);
crypto_stream_salsa20(block0, crypto_stream_salsa20_KEYBYTES,
n + 16, subkey);
memset(block0, 0U, crypto_secretbox_ZEROBYTES);
mlen0 = clen;
if (mlen0 > 64U - crypto_secretbox_ZEROBYTES) {
mlen0 = 64U - crypto_secretbox_ZEROBYTES;
}
for (i = 0U; i < mlen0; i++) {
block0[crypto_secretbox_ZEROBYTES + i] = c[i];
}
crypto_stream_salsa20_xor(block0, block0, 64, n + 16, subkey);
if (crypto_onetimeauth_poly1305_verify(mac, c, clen, block0) != 0) {
sodium_memzero(subkey, sizeof subkey);
return -1;
@ -109,6 +115,7 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c,
if (m == NULL) {
return 0;
}
/*
* Allow the m and and c buffer to partially overlap, by calling
* memmove() if necessary.
@ -124,18 +131,8 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c,
memmove(m, c, clen);
c = m;
}
mlen0 = clen;
if (mlen0 > 64U - crypto_secretbox_ZEROBYTES) {
mlen0 = 64U - crypto_secretbox_ZEROBYTES;
}
for (i = 0U; i < mlen0; i++) {
block0[crypto_secretbox_ZEROBYTES + i] = c[i];
}
crypto_stream_salsa20_xor(block0, block0,
crypto_secretbox_ZEROBYTES + mlen0,
n + 16, subkey);
for (i = 0U; i < mlen0; i++) {
m[i] = block0[i + crypto_secretbox_ZEROBYTES];
m[i] = block0[crypto_secretbox_ZEROBYTES + i];
}
if (clen > mlen0) {
crypto_stream_salsa20_xor_ic(m + mlen0, c + mlen0, clen - mlen0,