diff options
author | Jack Lloyd <[email protected]> | 2016-03-23 16:47:33 -0400 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2016-03-23 16:47:33 -0400 |
commit | 646ddaef38845a7ce33e4dcc7a02500a674c7033 (patch) | |
tree | 7d73e0ac634210ea9cb2f03ec983cd60b9e300d0 /src/lib/modes/aead | |
parent | b971daaade75a6923a4c97b9b40b5fdfe2df4992 (diff) |
Fix bug in IETF version of ChaCha20Poly1305
If the input lengths are exact multiples of 16 bytes then no padding
should be added. Previously 16 bytes of zero padding were added instead.
Diffstat (limited to 'src/lib/modes/aead')
-rw-r--r-- | src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp | 31 |
1 files changed, 20 insertions, 11 deletions
diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp index 2350e2e6a..ca4cc15ed 100644 --- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp +++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp @@ -1,12 +1,12 @@ /* * ChaCha20Poly1305 AEAD -* (C) 2014 Jack Lloyd +* (C) 2014,2016 Jack Lloyd * * Botan is released under the Simplified BSD License (see license.txt) */ -#include <botan/internal/mode_utils.h> #include <botan/chacha20poly1305.h> +#include <botan/internal/mode_utils.h> namespace Botan { @@ -60,18 +60,21 @@ secure_vector<byte> ChaCha20Poly1305_Mode::start_raw(const byte nonce[], size_t m_chacha->set_iv(nonce, nonce_len); - secure_vector<byte> zeros(64); - m_chacha->encrypt(zeros); + secure_vector<byte> init(64); // zeros + m_chacha->encrypt(init); - m_poly1305->set_key(zeros.data(), 32); + m_poly1305->set_key(init.data(), 32); // Remainder of output is discard m_poly1305->update(m_ad); if(cfrg_version()) { - std::vector<byte> padding(16 - m_ad.size() % 16); - m_poly1305->update(padding); + if(m_ad.size() % 16) + { + const byte zeros[16] = { 0 }; + m_poly1305->update(zeros, 16 - m_ad.size() % 16); + } } else { @@ -97,8 +100,11 @@ void ChaCha20Poly1305_Encryption::finish(secure_vector<byte>& buffer, size_t off update(buffer, offset); if(cfrg_version()) { - std::vector<byte> padding(16 - m_ctext_len % 16); - m_poly1305->update(padding); + if(m_ctext_len % 16) + { + const byte zeros[16] = { 0 }; + m_poly1305->update(zeros, 16 - m_ctext_len % 16); + } update_len(m_ad.size()); } update_len(m_ctext_len); @@ -138,8 +144,11 @@ void ChaCha20Poly1305_Decryption::finish(secure_vector<byte>& buffer, size_t off if(cfrg_version()) { - for(size_t i = 0; i != 16 - m_ctext_len % 16; ++i) - m_poly1305->update(0); + if(m_ctext_len % 16) + { + const byte zeros[16] = { 0 }; + m_poly1305->update(zeros, 16 - m_ctext_len % 16); + } update_len(m_ad.size()); } |