diff --git a/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c b/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c
index e0aa0930..213de5af 100644
--- a/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c
+++ b/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c
@@ -51,9 +51,7 @@ crypto_secretbox_detached(unsigned char *c, unsigned char *mac,
 for (i = 0U; i < mlen0; i++) {
 block0[i + crypto_secretbox_ZEROBYTES] = m[i];
 }
- crypto_stream_salsa20_xor(block0, block0,
- mlen0 + crypto_secretbox_ZEROBYTES,
- n + 16, subkey);
+ crypto_stream_salsa20_xor(block0, block0, 64U, n + 16, subkey);
 COMPILER_ASSERT(crypto_secretbox_ZEROBYTES >=
 crypto_onetimeauth_poly1305_KEYBYTES);
 crypto_onetimeauth_poly1305_init(&state, block0);
@@ -100,8 +98,16 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c,
 unsigned long long mlen0;
 
 crypto_core_hsalsa20(subkey, n, k, NULL);
- crypto_stream_salsa20(block0, crypto_stream_salsa20_KEYBYTES,
- n + 16, subkey);
+
+ memset(block0, 0U, crypto_secretbox_ZEROBYTES);
+ mlen0 = clen;
+ if (mlen0 > 64U - crypto_secretbox_ZEROBYTES) {
+ mlen0 = 64U - crypto_secretbox_ZEROBYTES;
+ }
+ for (i = 0U; i < mlen0; i++) {
+ block0[crypto_secretbox_ZEROBYTES + i] = c[i];
+ }
+ crypto_stream_salsa20_xor(block0, block0, 64, n + 16, subkey);
 if (crypto_onetimeauth_poly1305_verify(mac, c, clen, block0) != 0) {
 sodium_memzero(subkey, sizeof subkey);
 return -1;
@@ -109,6 +115,7 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c,
 if (m == NULL) {
 return 0;
 }
+
 /*
 * Allow the m and and c buffer to partially overlap, by calling
 * memmove() if necessary.
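Review bot: Widening the xor length to `64U` on the added line in crypto_secretbox_detached makes the call read block0 from crypto_secretbox_ZEROBYTES + mlen0 up to 64 whenever the message is shorter than the space left in the block, and the visible copy loop writes only mlen0 bytes into that region; unless a statement earlier in the function (its beginning is outside this hunk) zeroes all of block0 rather than only its first crypto_secretbox_ZEROBYTES bytes, those bytes are indeterminate when the keystream is xored into them. Nothing observable leaves the buffer, since only mlen0 bytes are copied out afterwards, but MemorySanitizer and Valgrind will report the read, and the same pattern appears in the second hunk of crypto_secretbox_open_detached, whose new `memset(block0, 0U, crypto_secretbox_ZEROBYTES)` also covers only the prefix. Zeroing the whole buffer before the copy loop, `memset(block0, 0U, sizeof block0);`, in both functions removes the indeterminate read at negligible cost. Assuming block0 is declared with 64 bytes, as the `64U - crypto_secretbox_ZEROBYTES` bound in the second hunk implies, passing `sizeof block0` as the xor length would also tie the call to the declaration and remove the `64U` / `64` inconsistency between the two new calls.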
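Review bot: After the new `crypto_stream_salsa20_xor(block0, block0, 64, n + 16, subkey)` in crypto_secretbox_open_detached, block0 holds both the Poly1305 one-time key and up to `64U - crypto_secretbox_ZEROBYTES` bytes of ciphertext decrypted before the tag has been checked, yet the `return -1` branch under crypto_onetimeauth_poly1305_verify still wipes only subkey. Decrypting into the stack buffer first is fine in itself, because those bytes reach m only after the tag verifies, but the failure path now leaves keystream-derived material from unauthenticated input on the stack where it previously left only the one-time key, which reads as an oversight rather than a choice. Adding `sodium_memzero(block0, sizeof block0);` beside the existing `sodium_memzero(subkey, sizeof subkey);` makes the failure path as clean as the end of the function presumably is (that end is outside these hunks). The pre-existing `if (m == NULL) { return 0; }` exit shown in the third hunk appears to return without wiping either buffer as well, so the same line would be worth adding there.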
@@ -124,18 +131,8 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c,
 memmove(m, c, clen);
 c = m;
 }
- mlen0 = clen;
- if (mlen0 > 64U - crypto_secretbox_ZEROBYTES) {
- mlen0 = 64U - crypto_secretbox_ZEROBYTES;
- }
 for (i = 0U; i < mlen0; i++) {
- block0[crypto_secretbox_ZEROBYTES + i] = c[i];
- }
- crypto_stream_salsa20_xor(block0, block0,
- crypto_secretbox_ZEROBYTES + mlen0,
- n + 16, subkey);
- for (i = 0U; i < mlen0; i++) {
- m[i] = block0[i + crypto_secretbox_ZEROBYTES];
+ m[i] = block0[crypto_secretbox_ZEROBYTES + i];
 }
 if (clen > mlen0) {
 crypto_stream_salsa20_xor_ic(m + mlen0, c + mlen0, clen - mlen0,
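Review bot: The surviving `for` loop now copies bytes out of block0 that were decrypted well before it, ahead of crypto_onetimeauth_poly1305_verify, and nothing near the loop says so; a reader of this stretch sees mlen0 and block0 used with their definitions removed from view. A one-line comment above the loop, `/* block0 already holds the first mlen0 decrypted bytes, computed before the tag check */`, would record the dependency on the earlier hunk. The memmove overlap handling just above stays correct because block0 is a separate buffer, so only the documentation is missing; the function continues past the end of this hunk.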