3 files changed, 65 insertions, 18 deletions

diff --git a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
index 2350e2e6a..ca4cc15ed 100644
--- a/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
+++ b/src/lib/modes/aead/chacha20poly1305/chacha20poly1305.cpp
@@ -1,12 +1,12 @@
 /*
 * ChaCha20Poly1305 AEAD
-* (C) 2014 Jack Lloyd
+* (C) 2014,2016 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
 
-#include <botan/internal/mode_utils.h>
 #include <botan/chacha20poly1305.h>
+#include <botan/internal/mode_utils.h>
 
 namespace Botan {
 
@@ -60,18 +60,21 @@ secure_vector<byte> ChaCha20Poly1305_Mode::start_raw(const byte nonce[], size_t
 
    m_chacha->set_iv(nonce, nonce_len);
 
-   secure_vector<byte> zeros(64);
-   m_chacha->encrypt(zeros);
+   secure_vector<byte> init(64); // zeros
+   m_chacha->encrypt(init);
 
-   m_poly1305->set_key(zeros.data(), 32);
+   m_poly1305->set_key(init.data(), 32);
    // Remainder of output is discard
 
    m_poly1305->update(m_ad);
 
    if(cfrg_version())
       {
-      std::vector<byte> padding(16 - m_ad.size() % 16);
-      m_poly1305->update(padding);
+      if(m_ad.size() % 16)
+         {
+         const byte zeros[16] = { 0 };
+         m_poly1305->update(zeros, 16 - m_ad.size() % 16);
+         }
       }
    else
       {
@@ -97,8 +100,11 @@ void ChaCha20Poly1305_Encryption::finish(secure_vector<byte>& buffer, size_t off
    update(buffer, offset);
    if(cfrg_version())
       {
-      std::vector<byte> padding(16 - m_ctext_len % 16);
-      m_poly1305->update(padding);
+      if(m_ctext_len % 16)
+         {
+         const byte zeros[16] = { 0 };
+         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
+         }
       update_len(m_ad.size());
       }
    update_len(m_ctext_len);
@@ -138,8 +144,11 @@ void ChaCha20Poly1305_Decryption::finish(secure_vector<byte>& buffer, size_t off
 
    if(cfrg_version())
       {
-      for(size_t i = 0; i != 16 - m_ctext_len % 16; ++i)
-         m_poly1305->update(0);
+      if(m_ctext_len % 16)
+         {
+         const byte zeros[16] = { 0 };
+         m_poly1305->update(zeros, 16 - m_ctext_len % 16);
+         }
       update_len(m_ad.size());
       }
 
diff --git a/src/tests/data/aead/chacha20poly1305.vec b/src/tests/data/aead/chacha20poly1305.vec
index e62b29c69..e258bb3af 100644
--- a/src/tests/data/aead/chacha20poly1305.vec
+++ b/src/tests/data/aead/chacha20poly1305.vec
@@ -1,5 +1,6 @@
 [ChaCha20Poly1305]
-# draft-agl-tls-chacha20poly1305-04
+
+# From draft-agl-tls-chacha20poly1305-04
 
 Key = 4290bcb154173531f314af57f3be3b5006da371ece272afa1b5dbdd1100a1007
 In = 86d09974840bded2a5ca
@@ -7,7 +8,8 @@ Nonce = cd7cf67be39c794a
 AD = 87e229d4500845a079c0
 Out = e3e446f7ede9a19b62a4677dabf4e3d24b876bb284753896e1d6
 
-# draft-irtf-cfrg-chacha20-poly1305-03
+# From draft-irtf-cfrg-chacha20-poly1305-03
+
 In = 4C616469657320616E642047656E746C656D656E206F662074686520636C617373206F66202739393A204966204920636F756C64206F6666657220796F75206F6E6C79206F6E652074697020666F7220746865206675747572652C2073756E73637265656E20776F756C642062652069742E
 AD = 50515253C0C1C2C3C4C5C6C7
 Key = 808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9F
@@ -19,3 +21,32 @@ Nonce = 000000000102030405060708
 AD = F33388860000000000004E91
 In = 496E7465726E65742D4472616674732061726520647261667420646F63756D656E74732076616C696420666F722061206D6178696D756D206F6620736978206D6F6E74687320616E64206D617920626520757064617465642C207265706C616365642C206F72206F62736F6C65746564206279206F7468657220646F63756D656E747320617420616E792074696D652E20497420697320696E617070726F70726961746520746F2075736520496E7465726E65742D447261667473206173207265666572656E6365206D6174657269616C206F7220746F2063697465207468656D206F74686572207468616E206173202FE2809C776F726B20696E2070726F67726573732E2FE2809D
 Out = 64A0861575861AF460F062C79BE643BD5E805CFD345CF389F108670AC76C8CB24C6CFC18755D43EEA09EE94E382D26B0BDB7B73C321B0100D4F03B7F355894CF332F830E710B97CE98C8A84ABD0B948114AD176E008D33BD60F982B1FF37C8559797A06EF4F0EF61C186324E2B3506383606907B6A7C02B0F9F6157B53C867E4B9166C767B804D46A59B5216CDE7A4E99040C5A40433225EE282A1B0A06C523EAF4534D7F83FA1155B0047718CBC546A0D072B04B3564EEA1B422273F548271A0BB2316053FA76991955EBD63159434ECEBB4E466DAE5A1073A6727627097A1049E617D91D361094FA68F0FF77987130305BEABA2EDA04DF997B714D6C6F2C29A6AD5CB4022B02709BEEAD9D67890CBB22392336FEA1851F38
+
+# From RFC 7539
+
+Key = 808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f
+Nonce = 070000004041424344454647
+AD = 50515253c0c1c2c3c4c5c6c7
+In = 4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e
+Out = d31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e060b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fab324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d26586cec64b61161ae10b594f09e26a7e902ecbd0600691
+
+# Generated by OpenSSL; exposes bug handling plaintexts or AD params
+# with exact multiple of 16 bytes
+
+Key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+Nonce = BBBBBBBBBBBBBBBBBBBBBBBB
+AD = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+In = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+Out = A0C9391216A037370BDFF40626C5DD137E93A01836AF9B8A5C1F929EF18C9350
+
+Key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+Nonce = BBBBBBBBBBBBBBBBBBBBBBBB
+AD = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+In = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
+Out = A0C9391216A037370BDFF40626C5DD13422D6D1564BCE2074D98279498CE4C86
+
+Key = AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+Nonce = BBBBBBBBBBBBBBBBBBBBBBBB
+AD = CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
+In  = DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+Out = A0C9391216A037370BDFF40626C5DD13D45447FBEBA3C985BF65FBCBE51663F9214F9C6757F9FC0CFF3135E68DC7251F
diff --git a/src/tests/test_aead.cpp b/src/tests/test_aead.cpp
index a31996fad..e7756d5bb 100644
--- a/src/tests/test_aead.cpp
+++ b/src/tests/test_aead.cpp
@@ -1,5 +1,5 @@
 /*
-* (C) 2014,2015 Jack Lloyd
+* (C) 2014,2015,2016 Jack Lloyd
 *
 * Botan is released under the Simplified BSD License (see license.txt)
 */
@@ -54,10 +54,17 @@ class AEAD_Tests : public Text_Based_Test
 
          buf.assign(expected.begin(), expected.end());
 
-         dec->set_key(key);
-         dec->set_associated_data_vec(ad);
-         dec->start(nonce);
-         dec->finish(buf);
+         try
+            {
+            dec->set_key(key);
+            dec->set_associated_data_vec(ad);
+            dec->start(nonce);
+            dec->finish(buf);
+            }
+         catch(Botan::Exception& e)
+            {
+            result.test_failure("Failure processing AEAD ciphertext");
+            }
 
          if(enc->authenticated())
             {