poly1305: mac_into appropriate bounds checks, also unsafe_mac_into

mirage · Jun 18, 2024 · 7805a7c · 7805a7c
1 parent 829ceb5
commit 7805a7c
Show file tree

Hide file tree

Showing 3 changed files with 29 additions and 6 deletions.
diff --git a/src/chacha20.ml b/src/chacha20.ml
@@ -93,11 +93,11 @@ let mac_into ~key ~adata src ~src_off len dst ~dst_off =
     Bytes.unsafe_to_string data
   in
   let p1 = pad16 (String.length adata) and p2 = pad16 len in
-  P.mac_into ~key [ adata, 0, String.length adata ;
-                    p1, 0, String.length p1 ;
-                    src, src_off, len ;
-                    p2, 0, String.length p2 ;
-                    len_buf, 0, String.length len_buf ]
+  P.unsafe_mac_into ~key [ adata, 0, String.length adata ;
+                           p1, 0, String.length p1 ;
+                           src, src_off, len ;
+                           p2, 0, String.length p2 ;
+                           len_buf, 0, String.length len_buf ]
     dst ~dst_off
 
 let unsafe_authenticate_encrypt_into ~key ~nonce ?(adata = "") src ~src_off dst ~dst_off ~tag_off len =

diff --git a/src/mirage_crypto.mli b/src/mirage_crypto.mli
@@ -76,6 +76,11 @@ module Poly1305 : sig
 
   val mac_into : key:string -> (string * int * int) list -> bytes -> dst_off:int -> unit
   (** [mac_into ~key datas dst dst_off] computes the [mac] of [datas]. *)
+
+  (**/**)
+  val unsafe_mac_into : key:string -> (string * int * int) list -> bytes -> dst_off:int -> unit
+  (** [unsafe_mac_into ~key datas dst dst_off] is {!mac_into} without bounds checks. *)
+  (**/**)
 end
 
 (** {1 Symmetric-key cryptography} *)

diff --git a/src/poly1305.ml b/src/poly1305.ml
@@ -12,6 +12,7 @@ module type S = sig
   val mac : key:string -> string -> string
   val maci : key:string -> string iter -> string
   val mac_into : key:string -> (string * int * int) list -> bytes -> dst_off:int -> unit
+  val unsafe_mac_into : key:string -> (string * int * int) list -> bytes -> dst_off:int -> unit
 end
 
 module It : S = struct
@@ -54,8 +55,25 @@ module It : S = struct
 
   let maci ~key iter = feedi (empty ~key) iter |> final
 
-  let mac_into ~key datas dst ~dst_off =
+  let unsafe_mac_into ~key datas dst ~dst_off =
     let ctx = empty ~key in
     List.iter (fun (d, off, len) -> P.update ctx d off len) datas;
     P.finalize ctx dst dst_off
+
+  let mac_into ~key datas dst ~dst_off =
+    if Bytes.length dst - dst_off < mac_size then
+      Uncommon.invalid_arg "Poly1305: dst length %u - off %u < len %u"
+        (Bytes.length dst) dst_off mac_size;
+    if dst_off < 0 then
+      Uncommon.invalid_arg "Poly1305: dst_off %u < 0" dst_off;
+    let ctx = empty ~key in
+    List.iter (fun (d, off, len) ->
+        if off < 0 then
+          Uncommon.invalid_arg "Poly1305: d off %u < 0" off;
+        if String.length d - off < len then
+          Uncommon.invalid_arg "Poly1305: d length %u - off %u < len %u"
+            (String.length d) off len;
+        P.update ctx d off len)
+      datas;
+    P.finalize ctx dst dst_off
 end