From 0aae407dbe49fd40021cca12a62b551af56764b5 Mon Sep 17 00:00:00 2001
From: Paul Miller <paul@paulmillr.com>
Date: Tue, 26 Nov 2024 13:29:25 +0000
Subject: [PATCH] chacha, salsa: do not check dst alignment

---
 src/chacha.ts |  6 +++---
 src/salsa.ts  | 12 ++++--------
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/src/chacha.ts b/src/chacha.ts
index 8ab770a..17aa178 100644
--- a/src/chacha.ts
+++ b/src/chacha.ts
@@ -7,7 +7,7 @@ import {
   clean,
   createView,
   equalBytes,
-  getDst,
+  getOutput,
   setBigUint64,
   wrapCipher,
 } from './utils.js';
@@ -239,7 +239,7 @@ export const _poly1305_aead =
     return {
       encrypt(plaintext: Uint8Array, output?: Uint8Array) {
         const plength = plaintext.length;
-        output = getDst(plength + tagLength, output);
+        output = getOutput(plength + tagLength, output, false);
         xorStream(key, nonce, plaintext, output, 1);
         const tag = computeTag(xorStream, key, nonce, output.subarray(0, -tagLength), AAD);
         output.set(tag, plength); // append tag
@@ -247,7 +247,7 @@ export const _poly1305_aead =
         return output;
       },
       decrypt(ciphertext: Uint8Array, output?: Uint8Array) {
-        output = getDst(ciphertext.length - tagLength, output);
+        output = getOutput(ciphertext.length - tagLength, output, false);
         const data = ciphertext.subarray(0, -tagLength);
         const passedTag = ciphertext.subarray(-tagLength);
         const tag = computeTag(xorStream, key, nonce, data, AAD);
diff --git a/src/salsa.ts b/src/salsa.ts
index 0b9e1e0..4f98331 100644
--- a/src/salsa.ts
+++ b/src/salsa.ts
@@ -1,7 +1,7 @@
 import { createCipher, rotl } from './_arx.js';
 import { abytes } from './_assert.js';
 import { poly1305 } from './_poly1305.js';
-import { Cipher, clean, equalBytes, getDst, wrapCipher } from './utils.js';
+import { Cipher, clean, equalBytes, getOutput, wrapCipher } from './utils.js';
 
 // Salsa20 stream cipher was released in 2005.
 // Salsa's goal was to implement AES replacement that does not rely on S-Boxes,
@@ -126,12 +126,7 @@ export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher(
       encrypt(plaintext: Uint8Array, output?: Uint8Array) {
         // This is small optimization (calculate auth key with same call as encryption itself) makes it hard
         // to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte)
-        const clength = plaintext.length + 32;
-        if (output) {
-          abytes(output, clength);
-        } else {
-          output = new Uint8Array(clength);
-        }
+        output = getOutput(plaintext.length + 32, output, false);
         output.set(plaintext, 32);
         xsalsa20(key, nonce, output, output);
         const authKey = output.subarray(0, 32);
@@ -142,7 +137,8 @@ export const xsalsa20poly1305 = /* @__PURE__ */ wrapCipher(
         return output.subarray(tagLength);
       },
       decrypt(ciphertext: Uint8Array, output?: Uint8Array) {
-        output = getDst(ciphertext.length + 32, output); // 32 is authKey length
+        abytes(ciphertext);
+        output = getOutput(ciphertext.length + 32, output, false);
         // Create new ciphertext array:
         // tmp part      auth tag                 ciphertext
         // [bytes 0..32] [bytes 32..48]           [bytes 48..]