poly1305: deprecate public package

Fixes golang/go#36646

Change-Id: Ic19dd2171c84472fc9d3f44803224b87fc5c0417
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/345649
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
diff --git a/chacha20poly1305/chacha20poly1305.go b/chacha20poly1305/chacha20poly1305.go
index 0d7bac3..93da732 100644
--- a/chacha20poly1305/chacha20poly1305.go
+++ b/chacha20poly1305/chacha20poly1305.go
@@ -26,6 +26,10 @@
 	// NonceSizeX is the size of the nonce used with the XChaCha20-Poly1305
 	// variant of this AEAD, in bytes.
 	NonceSizeX = 24
+
+	// Overhead is the size of the Poly1305 authentication tag, and the
+	// difference between a ciphertext length and its plaintext.
+	Overhead = 16
 )
 
 type chacha20poly1305 struct {
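Review bot: The doc comment on the new `Overhead` constant does not say that it applies to both AEAD variants, although `(*xchacha20poly1305).Overhead` in xchacha20poly1305.go now returns it too. Because it sits directly under `NonceSizeX`, a reader could take it as specific to one variant. I would add a sentence such as `// It is the same for the ChaCha20-Poly1305 and XChaCha20-Poly1305 variants.` The const block starts above this hunk.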
@@ -47,7 +51,7 @@
 }
 
 func (c *chacha20poly1305) Overhead() int {
-	return 16
+	return Overhead
 }
 
 func (c *chacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
diff --git a/chacha20poly1305/chacha20poly1305_generic.go b/chacha20poly1305/chacha20poly1305_generic.go
index fe191d3..96b2fd8 100644
--- a/chacha20poly1305/chacha20poly1305_generic.go
+++ b/chacha20poly1305/chacha20poly1305_generic.go
@@ -8,8 +8,8 @@
 	"encoding/binary"
 
 	"golang.org/x/crypto/chacha20"
+	"golang.org/x/crypto/internal/poly1305"
 	"golang.org/x/crypto/internal/subtle"
-	"golang.org/x/crypto/poly1305"
 )
 
 func writeWithPadding(p *poly1305.MAC, b []byte) {
diff --git a/chacha20poly1305/xchacha20poly1305.go b/chacha20poly1305/xchacha20poly1305.go
index d9d46b9..1cebfe9 100644
--- a/chacha20poly1305/xchacha20poly1305.go
+++ b/chacha20poly1305/xchacha20poly1305.go
@@ -35,7 +35,7 @@
 }
 
 func (*xchacha20poly1305) Overhead() int {
-	return 16
+	return Overhead
 }
 
 func (x *xchacha20poly1305) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
diff --git a/poly1305/bits_compat.go b/internal/poly1305/bits_compat.go
similarity index 100%
rename from poly1305/bits_compat.go
rename to internal/poly1305/bits_compat.go
diff --git a/poly1305/bits_go1.13.go b/internal/poly1305/bits_go1.13.go
similarity index 100%
rename from poly1305/bits_go1.13.go
rename to internal/poly1305/bits_go1.13.go
diff --git a/poly1305/mac_noasm.go b/internal/poly1305/mac_noasm.go
similarity index 100%
rename from poly1305/mac_noasm.go
rename to internal/poly1305/mac_noasm.go
diff --git a/poly1305/poly1305.go b/internal/poly1305/poly1305.go
similarity index 97%
rename from poly1305/poly1305.go
rename to internal/poly1305/poly1305.go
index 9d7a6af..4aaea81 100644
--- a/poly1305/poly1305.go
+++ b/internal/poly1305/poly1305.go
@@ -15,7 +15,7 @@
 // used with a fixed key in order to generate one-time keys from an nonce.
 // However, in this package AES isn't used and the one-time key is specified
 // directly.
-package poly1305 // import "golang.org/x/crypto/poly1305"
+package poly1305
 
 import "crypto/subtle"
 
diff --git a/poly1305/poly1305_test.go b/internal/poly1305/poly1305_test.go
similarity index 100%
rename from poly1305/poly1305_test.go
rename to internal/poly1305/poly1305_test.go
diff --git a/poly1305/sum_amd64.go b/internal/poly1305/sum_amd64.go
similarity index 100%
rename from poly1305/sum_amd64.go
rename to internal/poly1305/sum_amd64.go
diff --git a/poly1305/sum_amd64.s b/internal/poly1305/sum_amd64.s
similarity index 100%
rename from poly1305/sum_amd64.s
rename to internal/poly1305/sum_amd64.s
diff --git a/poly1305/sum_generic.go b/internal/poly1305/sum_generic.go
similarity index 100%
rename from poly1305/sum_generic.go
rename to internal/poly1305/sum_generic.go
diff --git a/poly1305/sum_ppc64le.go b/internal/poly1305/sum_ppc64le.go
similarity index 100%
rename from poly1305/sum_ppc64le.go
rename to internal/poly1305/sum_ppc64le.go
diff --git a/poly1305/sum_ppc64le.s b/internal/poly1305/sum_ppc64le.s
similarity index 100%
rename from poly1305/sum_ppc64le.s
rename to internal/poly1305/sum_ppc64le.s
diff --git a/poly1305/sum_s390x.go b/internal/poly1305/sum_s390x.go
similarity index 100%
rename from poly1305/sum_s390x.go
rename to internal/poly1305/sum_s390x.go
diff --git a/poly1305/sum_s390x.s b/internal/poly1305/sum_s390x.s
similarity index 100%
rename from poly1305/sum_s390x.s
rename to internal/poly1305/sum_s390x.s
diff --git a/poly1305/vectors_test.go b/internal/poly1305/vectors_test.go
similarity index 100%
rename from poly1305/vectors_test.go
rename to internal/poly1305/vectors_test.go
diff --git a/nacl/secretbox/secretbox.go b/nacl/secretbox/secretbox.go
index a98d1bd..a2973e6 100644
--- a/nacl/secretbox/secretbox.go
+++ b/nacl/secretbox/secretbox.go
@@ -35,8 +35,8 @@
 package secretbox // import "golang.org/x/crypto/nacl/secretbox"
 
 import (
+	"golang.org/x/crypto/internal/poly1305"
 	"golang.org/x/crypto/internal/subtle"
-	"golang.org/x/crypto/poly1305"
 	"golang.org/x/crypto/salsa20/salsa"
 )
 
diff --git a/poly1305/poly1305.go b/poly1305/poly1305_compat.go
similarity index 80%
copy from poly1305/poly1305.go
copy to poly1305/poly1305_compat.go
index 9d7a6af..dd975a3 100644
--- a/poly1305/poly1305.go
+++ b/poly1305/poly1305_compat.go
@@ -15,27 +15,32 @@
 // used with a fixed key in order to generate one-time keys from an nonce.
 // However, in this package AES isn't used and the one-time key is specified
 // directly.
+//
+// Deprecated: Poly1305 as implemented by this package is a cryptographic
+// building block that is not safe for general purpose use.
+// For encryption, use the full ChaCha20-Poly1305 construction implemented by
+// golang.org/x/crypto/chacha20poly1305. For authentication, use a general
+// purpose MAC such as HMAC implemented by crypto/hmac.
 package poly1305 // import "golang.org/x/crypto/poly1305"
 
-import "crypto/subtle"
+import "golang.org/x/crypto/internal/poly1305"
 
 // TagSize is the size, in bytes, of a poly1305 authenticator.
+//
+// For use with golang.org/x/crypto/chacha20poly1305, chacha20poly1305.Overhead
+// can be used instead.
 const TagSize = 16
 
 // Sum generates an authenticator for msg using a one-time key and puts the
 // 16-byte result into out. Authenticating two different messages with the same
 // key allows an attacker to forge messages at will.
 func Sum(out *[16]byte, m []byte, key *[32]byte) {
-	h := New(key)
-	h.Write(m)
-	h.Sum(out[:0])
+	poly1305.Sum(out, m, key)
 }
 
 // Verify returns true if mac is a valid authenticator for m with the given key.
 func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
-	var tmp [16]byte
-	Sum(&tmp, m, key)
-	return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1
+	return poly1305.Verify(mac, m, key)
 }
 
 // New returns a new MAC computing an authentication
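Review bot: `const TagSize = 16` is left as a second literal in the compat file while every function here now forwards to the internal package, which keeps its own `TagSize` (the renamed poly1305.go is unchanged apart from the package clause). Defining it as `const TagSize = poly1305.TagSize` would keep this package a pure forwarding layer and leave one authoritative value for the tag length. The `Deprecated:` paragraph could also state why the primitive is unsafe for general use, namely that a key must never authenticate more than one message. Tooling typically surfaces that paragraph, and the existing key-reuse warning sits on `Sum` and `New` rather than in it.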
@@ -48,9 +53,7 @@
 // two different messages with the same key allows an attacker
 // to forge messages at will.
 func New(key *[32]byte) *MAC {
-	m := &MAC{}
-	initialize(key, &m.macState)
-	return m
+	return &MAC{mac: poly1305.New(key)}
 }
 
 // MAC is an io.Writer computing an authentication tag
@@ -61,9 +64,7 @@
 // Therefore writing data to a running MAC after calling
 // Sum or Verify causes it to panic.
 type MAC struct {
-	mac // platform-dependent implementation
-
-	finalized bool
+	mac *poly1305.MAC
 }
 
 // Size returns the number of bytes Sum will return.
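Review bot: Replacing the embedded state with `mac *poly1305.MAC` changes the value semantics of the exported `MAC` type for existing callers. Copying a MAC by value (`c := *h`) used to fork the running state, whereas the copies now share one underlying MAC, so finalizing one presumably makes `Write` on the other panic. A zero-value `MAC{}` that never went through `New` (changed in the previous hunk) now also holds a nil pointer, where the old embedded struct did not. Neither pattern was documented as supported, but since this package now exists only for compatibility, I would state the constraint on the type, e.g. `// A MAC must be obtained from New and must not be copied.`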
@@ -74,26 +75,17 @@
 //
 // It must not be called after the first call of Sum or Verify.
 func (h *MAC) Write(p []byte) (n int, err error) {
-	if h.finalized {
-		panic("poly1305: write to MAC after Sum or Verify")
-	}
 	return h.mac.Write(p)
 }
 
 // Sum computes the authenticator of all data written to the
 // message authentication code.
 func (h *MAC) Sum(b []byte) []byte {
-	var mac [TagSize]byte
-	h.mac.Sum(&mac)
-	h.finalized = true
-	return append(b, mac[:]...)
+	return h.mac.Sum(b)
 }
 
 // Verify returns whether the authenticator of all data written to
 // the message authentication code matches the expected value.
 func (h *MAC) Verify(expected []byte) bool {
-	var mac [TagSize]byte
-	h.mac.Sum(&mac)
-	h.finalized = true
-	return subtle.ConstantTimeCompare(expected, mac[:]) == 1
+	return h.mac.Verify(expected)
 }
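Review bot: The comment on `Write` still promises that it must not be called after `Sum` or `Verify`, but the `finalized` guard is removed here, so the guarantee now rests entirely on the internal MAC. This diff does not show that code beyond the rename. poly1305_test.go and vectors_test.go both move to internal/poly1305 at 100% similarity, so as far as this commit shows the public wrapper is left with no tests of its own. A small test in poly1305/ would pin the contract that deprecated-package users still depend on: call `Sum`, assert that a following `Write` panics, and push one known-answer vector through `Sum`/`Verify`.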
diff --git a/ssh/cipher.go b/ssh/cipher.go
index 8bd6b3d..bddbde5 100644
--- a/ssh/cipher.go
+++ b/ssh/cipher.go
@@ -18,7 +18,7 @@
 	"io/ioutil"
 
 	"golang.org/x/crypto/chacha20"
-	"golang.org/x/crypto/poly1305"
+	"golang.org/x/crypto/internal/poly1305"
 )
 
 const (