poly1305: deprecate public package
Fixes golang/go#36646
Change-Id: Ic19dd2171c84472fc9d3f44803224b87fc5c0417
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/345649
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
diff --git a/chacha20poly1305/chacha20poly1305.go b/chacha20poly1305/chacha20poly1305.go
index 0d7bac3..93da732 100644
--- a/chacha20poly1305/chacha20poly1305.go
+++ b/chacha20poly1305/chacha20poly1305.go
@@ -26,6 +26,10 @@
// NonceSizeX is the size of the nonce used with the XChaCha20-Poly1305
// variant of this AEAD, in bytes.
NonceSizeX = 24
+
+ // Overhead is the size of the Poly1305 authentication tag, and the
+ // difference between a ciphertext length and its plaintext.
+ Overhead = 16
)
type chacha20poly1305 struct {
@@ -47,7 +51,7 @@
}
func (c *chacha20poly1305) Overhead() int {
- return 16
+ return Overhead
}
func (c *chacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
diff --git a/chacha20poly1305/chacha20poly1305_generic.go b/chacha20poly1305/chacha20poly1305_generic.go
index fe191d3..96b2fd8 100644
--- a/chacha20poly1305/chacha20poly1305_generic.go
+++ b/chacha20poly1305/chacha20poly1305_generic.go
@@ -8,8 +8,8 @@
"encoding/binary"
"golang.org/x/crypto/chacha20"
+ "golang.org/x/crypto/internal/poly1305"
"golang.org/x/crypto/internal/subtle"
- "golang.org/x/crypto/poly1305"
)
func writeWithPadding(p *poly1305.MAC, b []byte) {
diff --git a/chacha20poly1305/xchacha20poly1305.go b/chacha20poly1305/xchacha20poly1305.go
index d9d46b9..1cebfe9 100644
--- a/chacha20poly1305/xchacha20poly1305.go
+++ b/chacha20poly1305/xchacha20poly1305.go
@@ -35,7 +35,7 @@
}
func (*xchacha20poly1305) Overhead() int {
- return 16
+ return Overhead
}
func (x *xchacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
diff --git a/poly1305/bits_compat.go b/internal/poly1305/bits_compat.go
similarity index 100%
rename from poly1305/bits_compat.go
rename to internal/poly1305/bits_compat.go
diff --git a/poly1305/bits_go1.13.go b/internal/poly1305/bits_go1.13.go
similarity index 100%
rename from poly1305/bits_go1.13.go
rename to internal/poly1305/bits_go1.13.go
diff --git a/poly1305/mac_noasm.go b/internal/poly1305/mac_noasm.go
similarity index 100%
rename from poly1305/mac_noasm.go
rename to internal/poly1305/mac_noasm.go
diff --git a/poly1305/poly1305.go b/internal/poly1305/poly1305.go
similarity index 97%
rename from poly1305/poly1305.go
rename to internal/poly1305/poly1305.go
index 9d7a6af..4aaea81 100644
--- a/poly1305/poly1305.go
+++ b/internal/poly1305/poly1305.go
@@ -15,7 +15,7 @@
// used with a fixed key in order to generate one-time keys from an nonce.
// However, in this package AES isn't used and the one-time key is specified
// directly.
-package poly1305 // import "golang.org/x/crypto/poly1305"
+package poly1305
import "crypto/subtle"
diff --git a/poly1305/poly1305_test.go b/internal/poly1305/poly1305_test.go
similarity index 100%
rename from poly1305/poly1305_test.go
rename to internal/poly1305/poly1305_test.go
diff --git a/poly1305/sum_amd64.go b/internal/poly1305/sum_amd64.go
similarity index 100%
rename from poly1305/sum_amd64.go
rename to internal/poly1305/sum_amd64.go
diff --git a/poly1305/sum_amd64.s b/internal/poly1305/sum_amd64.s
similarity index 100%
rename from poly1305/sum_amd64.s
rename to internal/poly1305/sum_amd64.s
diff --git a/poly1305/sum_generic.go b/internal/poly1305/sum_generic.go
similarity index 100%
rename from poly1305/sum_generic.go
rename to internal/poly1305/sum_generic.go
diff --git a/poly1305/sum_ppc64le.go b/internal/poly1305/sum_ppc64le.go
similarity index 100%
rename from poly1305/sum_ppc64le.go
rename to internal/poly1305/sum_ppc64le.go
diff --git a/poly1305/sum_ppc64le.s b/internal/poly1305/sum_ppc64le.s
similarity index 100%
rename from poly1305/sum_ppc64le.s
rename to internal/poly1305/sum_ppc64le.s
diff --git a/poly1305/sum_s390x.go b/internal/poly1305/sum_s390x.go
similarity index 100%
rename from poly1305/sum_s390x.go
rename to internal/poly1305/sum_s390x.go
diff --git a/poly1305/sum_s390x.s b/internal/poly1305/sum_s390x.s
similarity index 100%
rename from poly1305/sum_s390x.s
rename to internal/poly1305/sum_s390x.s
diff --git a/poly1305/vectors_test.go b/internal/poly1305/vectors_test.go
similarity index 100%
rename from poly1305/vectors_test.go
rename to internal/poly1305/vectors_test.go
diff --git a/nacl/secretbox/secretbox.go b/nacl/secretbox/secretbox.go
index a98d1bd..a2973e6 100644
--- a/nacl/secretbox/secretbox.go
+++ b/nacl/secretbox/secretbox.go
@@ -35,8 +35,8 @@
package secretbox // import "golang.org/x/crypto/nacl/secretbox"
import (
+ "golang.org/x/crypto/internal/poly1305"
"golang.org/x/crypto/internal/subtle"
- "golang.org/x/crypto/poly1305"
"golang.org/x/crypto/salsa20/salsa"
)
diff --git a/poly1305/poly1305.go b/poly1305/poly1305_compat.go
similarity index 80%
copy from poly1305/poly1305.go
copy to poly1305/poly1305_compat.go
index 9d7a6af..dd975a3 100644
--- a/poly1305/poly1305.go
+++ b/poly1305/poly1305_compat.go
@@ -15,27 +15,32 @@
// used with a fixed key in order to generate one-time keys from an nonce.
// However, in this package AES isn't used and the one-time key is specified
// directly.
+//
+// Deprecated: Poly1305 as implemented by this package is a cryptographic
+// building block that is not safe for general purpose use.
+// For encryption, use the full ChaCha20-Poly1305 construction implemented by
+// golang.org/x/crypto/chacha20poly1305. For authentication, use a general
+// purpose MAC such as HMAC implemented by crypto/hmac.
package poly1305 // import "golang.org/x/crypto/poly1305"
-import "crypto/subtle"
+import "golang.org/x/crypto/internal/poly1305"
// TagSize is the size, in bytes, of a poly1305 authenticator.
+//
+// For use with golang.org/x/crypto/chacha20poly1305, chacha20poly1305.Overhead
+// can be used instead.
const TagSize = 16
// Sum generates an authenticator for msg using a one-time key and puts the
// 16-byte result into out. Authenticating two different messages with the same
// key allows an attacker to forge messages at will.
func Sum(out *[16]byte, m []byte, key *[32]byte) {
- h := New(key)
- h.Write(m)
- h.Sum(out[:0])
+ poly1305.Sum(out, m, key)
}
// Verify returns true if mac is a valid authenticator for m with the given key.
func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
- var tmp [16]byte
- Sum(&tmp, m, key)
- return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1
+ return poly1305.Verify(mac, m, key)
}
// New returns a new MAC computing an authentication
@@ -48,9 +53,7 @@
// two different messages with the same key allows an attacker
// to forge messages at will.
func New(key *[32]byte) *MAC {
- m := &MAC{}
- initialize(key, &m.macState)
- return m
+ return &MAC{mac: poly1305.New(key)}
}
// MAC is an io.Writer computing an authentication tag
@@ -61,9 +64,7 @@
// Therefore writing data to a running MAC after calling
// Sum or Verify causes it to panic.
type MAC struct {
- mac // platform-dependent implementation
-
- finalized bool
+ mac *poly1305.MAC
}
// Size returns the number of bytes Sum will return.
@@ -74,26 +75,17 @@
//
// It must not be called after the first call of Sum or Verify.
func (h *MAC) Write(p []byte) (n int, err error) {
- if h.finalized {
- panic("poly1305: write to MAC after Sum or Verify")
- }
return h.mac.Write(p)
}
// Sum computes the authenticator of all data written to the
// message authentication code.
func (h *MAC) Sum(b []byte) []byte {
- var mac [TagSize]byte
- h.mac.Sum(&mac)
- h.finalized = true
- return append(b, mac[:]...)
+ return h.mac.Sum(b)
}
// Verify returns whether the authenticator of all data written to
// the message authentication code matches the expected value.
func (h *MAC) Verify(expected []byte) bool {
- var mac [TagSize]byte
- h.mac.Sum(&mac)
- h.finalized = true
- return subtle.ConstantTimeCompare(expected, mac[:]) == 1
+ return h.mac.Verify(expected)
}
diff --git a/ssh/cipher.go b/ssh/cipher.go
index 8bd6b3d..bddbde5 100644
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@@ -18,7 +18,7 @@
"io/ioutil"
"golang.org/x/crypto/chacha20"
- "golang.org/x/crypto/poly1305"
+ "golang.org/x/crypto/internal/poly1305"
)
const (