Move poly1305_get_tag() into poly1305.c, hide poly1305_init().

The crypto library on Windows exposes a symbol named poly1305_init(),
which clashes with ours. We can avoid this by moving poly1305_get_tag()
to poly1305.[ch], where it belongs better, and this allows us to make
all the lower-level Poly1305 functions static.

Also remove the support for associated data while we are at it, since we
are never using it.

src/chacha-poly1305/chacha.h

@@ -31,4 +31,3 @@ void chacha_encrypt_bytes(struct chacha_ctx *x, const unsigned char *m,
                           unsigned char *c, uint32_t bytes);
 
 #endif  /* CHACHA_H */
-

src/chacha-poly1305/chachapoly.c

@@ -53,52 +53,6 @@ static int memcmp_eq(const void *av, const void *bv, int n) {
 	return res;
 }
 
-/**
- * Poly1305 tag generation. This concatenates a string according to the rules
- * outlined in RFC 7539 and calculates the tag.
- *
- * \param poly_key 32 byte secret one-time key for poly1305
- * \param ad associated data
- * \param ad_len associated data length in bytes
- * \param ct ciphertext
- * \param ct_len ciphertext length in bytes
- * \param tag pointer to 16 bytes for tag storage
- */
-static void poly1305_get_tag(unsigned char *poly_key, const void *ad,
-                             int ad_len, const void *ct, int ct_len, unsigned char *tag) {
-	struct poly1305_context poly;
-	unsigned left_over;
-	uint64_t len;
-	unsigned char pad[16];
-
-	poly1305_init(&poly, poly_key);
-	memset(&pad, 0, sizeof(pad));
-
-	/* associated data and padding */
-	poly1305_update(&poly, ad, ad_len);
-	left_over = ad_len % 16;
-
-	if(left_over) {
-		poly1305_update(&poly, pad, 16 - left_over);
-	}
-
-	/* payload and padding */
-	poly1305_update(&poly, ct, ct_len);
-	left_over = ct_len % 16;
-
-	if(left_over) {
-		poly1305_update(&poly, pad, 16 - left_over);
-	}
-
-	/* lengths */
-	len = ad_len;
-	poly1305_update(&poly, (unsigned char *)&len, 8);
-	len = ct_len;
-	poly1305_update(&poly, (unsigned char *)&len, 8);
-
-	poly1305_finish(&poly, tag);
-}
-
 int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len) {
 	assert(key_len == 128 || key_len == 256);
 
@@ -108,7 +62,7 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len) {
 }
 
 int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
-                     const void *ad, int ad_len, void *input, int input_len,
+                     void *input, int input_len,
                      void *output, void *tag, int tag_len, int encrypt) {
 	unsigned char poly_key[CHACHA_BLOCKLEN];
 	unsigned char calc_tag[POLY1305_TAGLEN];
@@ -121,7 +75,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
 
 	/* check tag if decrypting */
 	if(encrypt == 0 && tag_len) {
-		poly1305_get_tag(poly_key, ad, ad_len, input, input_len, calc_tag);
+		poly1305_get_tag(poly_key, input, input_len, calc_tag);
 
 		if(memcmp_eq(calc_tag, tag, tag_len) != 0) {
 			return CHACHAPOLY_INVALID_MAC;
@@ -135,15 +89,15 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
 
 	/* add tag if encrypting */
 	if(encrypt && tag_len) {
-		poly1305_get_tag(poly_key, ad, ad_len, output, input_len, calc_tag);
+		poly1305_get_tag(poly_key, output, input_len, calc_tag);
 		memcpy(tag, calc_tag, tag_len);
 	}
 
 	return CHACHAPOLY_OK;
 }
 
 int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
-                           const void *ad, int ad_len, void *input, int input_len,
+                           void *input, int input_len,
                            void *output, void *tag, int tag_len, int encrypt) {
 	unsigned char keystream[CHACHA_BLOCKLEN];
 	unsigned char calc_tag[POLY1305_TAGLEN];
@@ -159,7 +113,7 @@ int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
 
 	/* check tag if decrypting */
 	if(encrypt == 0 && tag_len) {
-		poly1305_get_tag(keystream, ad, ad_len, input, input_len, calc_tag);
+		poly1305_get_tag(keystream, input, input_len, calc_tag);
 
 		if(memcmp_eq(calc_tag, tag, tag_len) != 0) {
 			return CHACHAPOLY_INVALID_MAC;
@@ -174,7 +128,7 @@ int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
 
 	/* add tag if encrypting */
 	if(encrypt && tag_len) {
-		poly1305_get_tag(keystream, ad, ad_len, output, input_len, calc_tag);
+		poly1305_get_tag(keystream, output, input_len, calc_tag);
 		memcpy(tag, calc_tag, tag_len);
 	}
 

src/chacha-poly1305/chachapoly.h

@@ -52,8 +52,6 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len);
  *
  * \param ctx context data
  * \param nonce nonce (12 bytes)
- * \param ad associated data
- * \param ad_len associated data length in bytes
  * \param input plaintext/ciphertext input
  * \param input_len input length in bytes;
  * \param output plaintext/ciphertext output
@@ -65,7 +63,7 @@ int chachapoly_init(struct chachapoly_ctx *ctx, const void *key, int key_len);
  *         failed when decrypting
  */
 int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
-                     const void *ad, int ad_len, void *input, int input_len,
+                     void *input, int input_len,
                      void *output, void *tag, int tag_len, int encrypt);
 
 /**
@@ -76,7 +74,7 @@ int chachapoly_crypt(struct chachapoly_ctx *ctx, const void *nonce,
  * chachapoly_crypt.
  */
 int chachapoly_crypt_short(struct chachapoly_ctx *ctx, const void *nonce,
-                           const void *ad, int ad_len, void *input, int input_len,
+                           void *input, int input_len,
                            void *output, void *tag, int tag_len, int encrypt);
 
 #endif

src/chacha-poly1305/poly1305.c

@@ -5,6 +5,20 @@ public domain
 
 #include "poly1305.h"
 
+/* use memcpy() to copy blocks of memory (typically faster) */
+#define USE_MEMCPY          1
+/* use unaligned little-endian load/store (can be faster) */
+#define USE_UNALIGNED       0
+
+struct poly1305_context {
+	uint32_t r[5];
+	uint32_t h[5];
+	uint32_t pad[4];
+	size_t leftover;
+	unsigned char buffer[POLY1305_BLOCK_SIZE];
+	unsigned char final;
+};
+
 #if (USE_UNALIGNED == 1)
 #define U8TO32(p) \
 	(*((uint32_t *)(p)))
@@ -33,7 +47,7 @@ U32TO8(unsigned char *p, uint32_t v) {
 }
 #endif
 
-void
+static void
 poly1305_init(struct poly1305_context *st, const unsigned char key[32]) {
 	/* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
 	st->r[0] = (U8TO32(&key[ 0])) & 0x3ffffff;
@@ -131,7 +145,7 @@ poly1305_blocks(struct poly1305_context *st, const unsigned char *m, size_t byte
 	st->h[4] = h4;
 }
 
-void
+static void
 poly1305_finish(struct poly1305_context *st, unsigned char mac[16]) {
 	uint32_t h0, h1, h2, h3, h4, c;
 	uint32_t g0, g1, g2, g3, g4;
@@ -241,8 +255,7 @@ poly1305_finish(struct poly1305_context *st, unsigned char mac[16]) {
 	st->pad[3] = 0;
 }
 
-
-void
+static void
 poly1305_update(struct poly1305_context *st, const unsigned char *m, size_t bytes) {
 	size_t i;
 
@@ -293,10 +306,37 @@ poly1305_update(struct poly1305_context *st, const unsigned char *m, size_t byte
 	}
 }
 
+/**
+ * Poly1305 tag generation. This concatenates a string according to the rules
+ * outlined in RFC 7539 and calculates the tag.
+ *
+ * \param key 32 byte secret one-time key for poly1305
+ * \param ct ciphertext
+ * \param ct_len ciphertext length in bytes
+ * \param tag pointer to 16 bytes for tag storage
+ */
 void
-poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) {
+poly1305_get_tag(const unsigned char key[32], const void *ct, int ct_len, unsigned char tag[16]) {
 	struct poly1305_context ctx;
+	unsigned left_over;
+	uint64_t len;
+	unsigned char pad[16];
+
 	poly1305_init(&ctx, key);
-	poly1305_update(&ctx, m, bytes);
-	poly1305_finish(&ctx, mac);
+	memset(&pad, 0, sizeof(pad));
+
+	/* payload and padding */
+	poly1305_update(&ctx, ct, ct_len);
+	left_over = ct_len % 16;
+
+	if(left_over) {
+		poly1305_update(&ctx, pad, 16 - left_over);
+	}
+
+	/* lengths */
+	len = 0;
+	poly1305_update(&ctx, (unsigned char *)&len, 8);
+	len = ct_len;
+	poly1305_update(&ctx, (unsigned char *)&len, 8);
+	poly1305_finish(&ctx, tag);
 }

src/chacha-poly1305/poly1305.h

@@ -9,24 +9,6 @@
 #define POLY1305_TAGLEN     16
 #define POLY1305_BLOCK_SIZE 16
 
-/* use memcpy() to copy blocks of memory (typically faster) */
-#define USE_MEMCPY          1
-/* use unaligned little-endian load/store (can be faster) */
-#define USE_UNALIGNED       0
-
-struct poly1305_context {
-	uint32_t r[5];
-	uint32_t h[5];
-	uint32_t pad[4];
-	size_t leftover;
-	unsigned char buffer[POLY1305_BLOCK_SIZE];
-	unsigned char final;
-};
-
-void poly1305_init(struct poly1305_context *ctx, const unsigned char key[32]);
-void poly1305_update(struct poly1305_context *ctx, const unsigned char *m, size_t bytes);
-void poly1305_finish(struct poly1305_context *ctx, unsigned char mac[16]);
-void poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]);
+void poly1305_get_tag(const unsigned char key[32], const void *ct, int ct_len, unsigned char tag[16]);
 
 #endif /* POLY1305_H */
-

src/sptps.c

@@ -168,7 +168,7 @@ static bool cipher_encrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8
 #ifndef HAVE_OPENSSL
 
 	case SPTPS_CHACHA_POLY1305: {
-		if(chachapoly_crypt(ctx, nonce, NULL, 0, (void *)in, inlen, out, out + inlen, 16, 1) != CHACHAPOLY_OK) {
+		if(chachapoly_crypt(ctx, nonce, (void *)in, inlen, out, out + inlen, 16, 1) != CHACHAPOLY_OK) {
 			return false;
 		}
 
@@ -249,7 +249,7 @@ static bool cipher_decrypt(uint8_t suite, void *ctx, uint32_t seqno, const uint8
 #ifndef HAVE_OPENSSL
 
 	case SPTPS_CHACHA_POLY1305:
-		if(chachapoly_crypt(ctx, nonce, NULL, 0, (void *)in, inlen, out, (void *)(in + inlen), 16, 0) != CHACHAPOLY_OK) {
+		if(chachapoly_crypt(ctx, nonce, (void *)in, inlen, out, (void *)(in + inlen), 16, 0) != CHACHAPOLY_OK) {
 			return false;
 		}