From 56206c4db19f472b8429e71d3ae2570072bb5dac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 May 2018 12:18:34 +0200 Subject: [PATCH] Remove semi-internal chacha20_keystrem_block() It's actually easy to implement chachapoly without it, so let's not clutter the API (and avoid adding a burden to alt implementers). --- include/mbedtls/chacha20.h | 21 --------------------- library/chacha20.c | 37 ------------------------------------- library/chachapoly.c | 8 ++++++-- 3 files changed, 6 insertions(+), 60 deletions(-) diff --git a/include/mbedtls/chacha20.h b/include/mbedtls/chacha20.h index 7999702f5..d32da1b77 100644 --- a/include/mbedtls/chacha20.h +++ b/include/mbedtls/chacha20.h @@ -107,27 +107,6 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, const unsigned char nonce[12], uint32_t counter ); -/** - * \brief Generates a block of keystream bytes for a specific counter value. - * - * This function uses the key and nonce previously set in - * the context (via mbedtls_chacha20_setkey and - * mbedtls_chacha20_starts), but ignores the previously - * set counter and uses the counter given as the parameter to - * this function. - * - * \param ctx The ChaCha20 context. This context is not modified. - * \param counter The counter value to use. - * \param keystream Buffer to where the generated keystream bytes are written. - * - * \return MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA if ctx or keystream are - * NULL. - * Otherwise, 0 is returned to indicate success. - */ -int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx, - uint32_t counter, - unsigned char keystream[64] ); - /** * \brief Encrypt or decrypt data. * diff --git a/library/chacha20.c b/library/chacha20.c index 1abb96ef9..5ede4553c 100644 --- a/library/chacha20.c +++ b/library/chacha20.c @@ -246,43 +246,6 @@ int mbedtls_chacha20_starts( mbedtls_chacha20_context* ctx, return( 0 ); } -int mbedtls_chacha20_keystream_block( const mbedtls_chacha20_context *ctx, - uint32_t counter, - unsigned char keystream[64] ) -{ - uint32_t initial_state[16]; - uint32_t working_state[16]; - - if ( ( ctx == NULL ) || ( keystream == NULL ) ) - { - return( MBEDTLS_ERR_CHACHA20_BAD_INPUT_DATA ); - } - - initial_state[0] = ctx->initial_state[0]; - initial_state[1] = ctx->initial_state[1]; - initial_state[2] = ctx->initial_state[2]; - initial_state[3] = ctx->initial_state[3]; - initial_state[4] = ctx->initial_state[4]; - initial_state[5] = ctx->initial_state[5]; - initial_state[6] = ctx->initial_state[6]; - initial_state[7] = ctx->initial_state[7]; - initial_state[8] = ctx->initial_state[8]; - initial_state[9] = ctx->initial_state[9]; - initial_state[10] = ctx->initial_state[10]; - initial_state[11] = ctx->initial_state[11]; - initial_state[12] = counter; - initial_state[13] = ctx->initial_state[13]; - initial_state[14] = ctx->initial_state[14]; - initial_state[15] = ctx->initial_state[15]; - - mbedtls_chacha20_block( initial_state, working_state, keystream ); - - mbedtls_zeroize( initial_state, sizeof( initial_state ) ); - mbedtls_zeroize( working_state, sizeof( working_state ) ); - - return( 0 ); -} - int mbedtls_chacha20_update( mbedtls_chacha20_context *ctx, size_t size, const unsigned char *input, diff --git a/library/chachapoly.c b/library/chachapoly.c index 3ba19542e..35ae99e11 100644 --- a/library/chachapoly.c +++ b/library/chachapoly.c @@ -143,15 +143,19 @@ int mbedtls_chachapoly_starts( mbedtls_chachapoly_context *ctx, return( MBEDTLS_ERR_CHACHAPOLY_BAD_INPUT_DATA ); } - result = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 1U ); + /* Set counter = 0, will be update to 1 when generating Poly1305 key */ + result = mbedtls_chacha20_starts( &ctx->chacha20_ctx, nonce, 0U ); if ( result != 0 ) goto cleanup; /* Generate the Poly1305 key by getting the ChaCha20 keystream output with counter = 0. + * This is the same as encrypting a buffer of zeroes. * Only the first 256-bits (32 bytes) of the key is used for Poly1305. * The other 256 bits are discarded. */ - result = mbedtls_chacha20_keystream_block( &ctx->chacha20_ctx, 0U, poly1305_key ); + memset( poly1305_key, 0, sizeof( poly1305_key ) ); + result = mbedtls_chacha20_update( &ctx->chacha20_ctx, sizeof( poly1305_key ), + poly1305_key, poly1305_key ); if ( result != 0 ) goto cleanup;