
secretbox_xchacha: don't do useless rounds for the first block

This commit is contained in:
Frank Denis 2020-10-29 18:34:50 +01:00
parent 31436eb1df
commit b302c8e8e1


@ -107,8 +107,16 @@ crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m,
unsigned long long mlen0;
crypto_core_hchacha20(subkey, n, k, NULL);
crypto_stream_chacha20(block0, crypto_stream_chacha20_KEYBYTES,
n + 16, subkey);
memset(block0, 0, crypto_secretbox_xchacha20poly1305_ZEROBYTES);
mlen0 = clen;
if (mlen0 > 64U - crypto_secretbox_xchacha20poly1305_ZEROBYTES) {
mlen0 = 64U - crypto_secretbox_xchacha20poly1305_ZEROBYTES;
}
for (i = 0U; i < mlen0; i++) {
block0[crypto_secretbox_xchacha20poly1305_ZEROBYTES + i] = c[i];
}
crypto_stream_chacha20_xor(block0, block0, 64, n + 16, subkey);
if (crypto_onetimeauth_poly1305_verify(mac, c, clen, block0) != 0) {
sodium_memzero(subkey, sizeof subkey);
return -1;
@ -116,6 +124,7 @@ crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m,
if (m == NULL) {
return 0;
}
/*
* Allow the m and and c buffer to partially overlap, by calling
* memmove() if necessary.
@ -131,18 +140,8 @@ crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m,
memmove(m, c, clen);
c = m;
}
mlen0 = clen;
if (mlen0 > 64U - crypto_secretbox_xchacha20poly1305_ZEROBYTES) {
mlen0 = 64U - crypto_secretbox_xchacha20poly1305_ZEROBYTES;
}
for (i = 0U; i < mlen0; i++) {
block0[crypto_secretbox_xchacha20poly1305_ZEROBYTES + i] = c[i];
}
crypto_stream_chacha20_xor(block0, block0,
crypto_secretbox_xchacha20poly1305_ZEROBYTES + mlen0,
n + 16, subkey);
for (i = 0U; i < mlen0; i++) {
m[i] = block0[i + crypto_secretbox_xchacha20poly1305_ZEROBYTES];
m[i] = block0[crypto_secretbox_xchacha20poly1305_ZEROBYTES + i];
}
if (clen > mlen0) {
crypto_stream_chacha20_xor_ic(m + mlen0, c + mlen0, clen - mlen0,
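Review bot: On the verify-failure path at `sodium_memzero(subkey, sizeof subkey); return -1;` in the first hunk, block0 now holds the decrypted first block of a ciphertext whose tag has not been checked (the memset, the copy loop and `crypto_stream_chacha20_xor(block0, block0, 64, n + 16, subkey)` all run before `crypto_onetimeauth_poly1305_verify`), yet only subkey is wiped; add `sodium_memzero(block0, sizeof block0);` before that `return -1;` so plaintext derived from a forged message does not linger on the stack. Nothing is copied to m before verification, so this is stack hygiene rather than an exposure, but it is a new property of the function and deserves a comment at the memset, e.g. `/* the first block is decrypted before the tag is checked; it stays in block0 and is only copied to m after verify succeeds */`. If the earlier `crypto_stream_chacha20(block0, crypto_stream_chacha20_KEYBYTES, n + 16, subkey)` call is still present on the new side (the rendered page drops the +/- markers, so this is not certain), its output is overwritten by the memset that follows and the call can be removed, which is what the commit title promises. The enclosing function begins before the first hunk and continues past the last one.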