aboutsummaryrefslogtreecommitdiffstats
path: root/src/lib/modes/aead
diff options
context:
space:
mode:
authorJack Lloyd <[email protected]>2016-03-23 16:47:33 -0400
committerJack Lloyd <[email protected]>2016-03-23 16:47:33 -0400
commit646ddaef38845a7ce33e4dcc7a02500a674c7033 (patch)
tree7d73e0ac634210ea9cb2f03ec983cd60b9e300d0 /src/lib/modes/aead
parentb971daaade75a6923a4c97b9b40b5fdfe2df4992 (diff)
Fix bug in IETF version of ChaCha20Poly1305
If the input lengths are exact multiples of 16 bytes then no padding should be added. Previously 16 bytes of zero padding were added instead.
Diffstat (limited to 'src/lib/modes/aead')
-rw-r--r--src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp31
1 files changed, 20 insertions, 11 deletions
diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
index 2350e2e6a..ca4cc15ed 100644
--- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
+++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
@@ -1,12 +1,12 @@
/*
* ChaCha20Poly1305 AEAD
-* (C) 2014 Jack Lloyd
+* (C) 2014,2016 Jack Lloyd
*
* Botan is released under the Simplified BSD License (see license.txt)
*/
-#include <botan/internal/mode_utils.h>
#include <botan/chacha20poly1305.h>
+#include <botan/internal/mode_utils.h>
namespace Botan {
@@ -60,18 +60,21 @@ secure_vector<byte> ChaCha20Poly1305_Mode::start_raw(const byte nonce[], size_t
m_chacha->set_iv(nonce, nonce_len);
- secure_vector<byte> zeros(64);
- m_chacha->encrypt(zeros);
+ secure_vector<byte> init(64); // zeros
+ m_chacha->encrypt(init);
- m_poly1305->set_key(zeros.data(), 32);
+ m_poly1305->set_key(init.data(), 32);
// Remainder of output is discard
m_poly1305->update(m_ad);
if(cfrg_version())
{
- std::vector<byte> padding(16 - m_ad.size() % 16);
- m_poly1305->update(padding);
+ if(m_ad.size() % 16)
+ {
+ const byte zeros[16] = { 0 };
+ m_poly1305->update(zeros, 16 - m_ad.size() % 16);
+ }
}
else
{
@@ -97,8 +100,11 @@ void ChaCha20Poly1305_Encryption::finish(secure_vector<byte>& buffer, size_t off
update(buffer, offset);
if(cfrg_version())
{
- std::vector<byte> padding(16 - m_ctext_len % 16);
- m_poly1305->update(padding);
+ if(m_ctext_len % 16)
+ {
+ const byte zeros[16] = { 0 };
+ m_poly1305->update(zeros, 16 - m_ctext_len % 16);
+ }
update_len(m_ad.size());
}
update_len(m_ctext_len);
@@ -138,8 +144,11 @@ void ChaCha20Poly1305_Decryption::finish(secure_vector<byte>& buffer, size_t off
if(cfrg_version())
{
- for(size_t i = 0; i != 16 - m_ctext_len % 16; ++i)
- m_poly1305->update(0);
+ if(m_ctext_len % 16)
+ {
+ const byte zeros[16] = { 0 };
+ m_poly1305->update(zeros, 16 - m_ctext_len % 16);
+ }
update_len(m_ad.size());
}