2
2
mirror of https://github.com/octoleo/restic.git synced 2024-11-22 04:45:15 +00:00

Remove redundant poly1305 key masking

The implementation in crypto/poly1305 already performs the exact same
masking.
This commit is contained in:
Michael Eischer 2024-01-20 12:36:59 +01:00
parent 6696195f38
commit fee83e1c09

View File

@ -45,28 +45,6 @@ type EncryptionKey [32]byte
type MACKey struct {
K [16]byte // for AES-128
R [16]byte // for Poly1305
masked bool // remember if the MAC key has already been masked
}
// mask for key, (cf. http://cr.yp.to/mac/poly1305-20050329.pdf)
var poly1305KeyMask = [16]byte{
0xff,
0xff,
0xff,
0x0f, // 3: top four bits zero
0xfc, // 4: bottom two bits zero
0xff,
0xff,
0x0f, // 7: top four bits zero
0xfc, // 8: bottom two bits zero
0xff,
0xff,
0x0f, // 11: top four bits zero
0xfc, // 12: bottom two bits zero
0xff,
0xff,
0x0f, // 15: top four bits zero
}
func poly1305MAC(msg []byte, nonce []byte, key *MACKey) []byte {
@ -78,32 +56,16 @@ func poly1305MAC(msg []byte, nonce []byte, key *MACKey) []byte {
return out[:]
}
// mask poly1305 key
func maskKey(k *MACKey) {
if k == nil || k.masked {
return
}
for i := 0; i < poly1305.TagSize; i++ {
k.R[i] = k.R[i] & poly1305KeyMask[i]
}
k.masked = true
}
// construct mac key from slice (k||r), with masking
func macKeyFromSlice(mk *MACKey, data []byte) {
copy(mk.K[:], data[:16])
copy(mk.R[:], data[16:32])
maskKey(mk)
}
// prepare key for low-level poly1305.Sum(): r||n
func poly1305PrepareKey(nonce []byte, key *MACKey) [32]byte {
var k [32]byte
maskKey(key)
cipher, err := aes.NewCipher(key.K[:])
if err != nil {
panic(err)
@ -143,7 +105,6 @@ func NewRandomKey() *Key {
panic("unable to read enough random bytes for MAC key")
}
maskKey(&k.MACKey)
return k
}