HMAC over the (nonce||message) not just the message

This commit is contained in:
Mike Dilger
2023-12-16 15:13:06 +13:00
parent 3067258f2f
commit 063503dee7
+2
@@ -127,6 +127,7 @@ fn encrypt_inner(
let mut cipher = ChaCha20::new(&keys.encryption().into(), &keys.nonce().into());
cipher.apply_keystream(&mut buffer);
let mut mac = Hmac::<Sha256>::new_from_slice(&keys.auth())?;
mac.update(&nonce);
mac.update(&buffer);
let mac_bytes = mac.finalize().into_bytes();
@@ -155,6 +156,7 @@ pub fn decrypt(conversation_key: &[u8; 32], base64_ciphertext: &str) -> Result<S
let mac = &binary_ciphertext[dlen - 32..dlen];
let keys = get_message_keys(conversation_key, &nonce.try_into().unwrap())?;
let mut calculated_mac = Hmac::<Sha256>::new_from_slice(&keys.auth())?;
calculated_mac.update(&nonce);
calculated_mac.update(&buffer);
let calculated_mac_bytes = calculated_mac.finalize().into_bytes();
if !constant_time_eq::constant_time_eq(mac, calculated_mac_bytes.as_slice()) {
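Review bot: The new `calculated_mac.update(&nonce);` line, and its twin `mac.update(&nonce);` in the encrypt_inner hunk, change what the MAC authenticates without a comment saying so or why the bare concatenation is safe; I would add `// MAC covers nonce || ciphertext (encrypt-then-MAC); unambiguous only because the nonce is fixed-length.` above each. That fixed-length claim rests on the `nonce.try_into()` into the array `get_message_keys` takes on the line above, which seems to pin the nonce length, but the slice it comes from is built outside this hunk, so it is worth confirming there. Ciphertexts produced under the previous ciphertext-only MAC will presumably no longer verify, so the doc comment on `decrypt` should state that this is a format break rather than a drop-in change. Both enclosing functions start outside the hunks.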