authorAndy Polyakov <appro@openssl.org>2015-12-10 21:53:01 +0100
committerAndy Polyakov <appro@openssl.org>2015-12-11 21:07:51 +0100
commit30a5f32227fab78214a08775d38bfacbb5feaaa4 (patch)
treeba0eebece8e782ce53e002058154a769575672b5 /crypto/evp/e_chacha20_poly1305.c
parent80b1247fe60cece6a18a6e4fb97781a4b95d1a0a (diff)
evp/e_chacha20_poly1305.c: TLS interop fixes.
Thanks to: David Benjamin of Chromium. Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'crypto/evp/e_chacha20_poly1305.c')
-rw-r--r--crypto/evp/e_chacha20_poly1305.c22
1 files changed, 10 insertions, 12 deletions
diff --git a/crypto/evp/e_chacha20_poly1305.c b/crypto/evp/e_chacha20_poly1305.c
index bce247d7b5..0d80f95e21 100644
--- a/crypto/evp/e_chacha20_poly1305.c
+++ b/crypto/evp/e_chacha20_poly1305.c
@@ -244,6 +244,8 @@ static int chacha20_poly1305_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out,
actx->key.key.d, actx->key.counter);
Poly1305_Init(POLY1305_ctx(actx), actx->key.buf);
actx->key.counter[0] = 1;
+ actx->key.partial_len = 0;
+ actx->len.aad = actx->len.text = 0;
actx->mac_inited = 1;
}
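Review bot: The two added resets carry no comment explaining why they sit in the `mac_inited == 0` branch. The ctrl handler in the last hunk clears `mac_inited` each time it is given TLS AAD, so this branch appears to run once per record, and without the resets the running lengths from the previous record would carry over into the next one. A one-line comment such as `/* new record: discard leftover partial block and running AAD/text lengths */` above the two assignments would record that intent. The enclosing block of chacha20_poly1305_cipher starts outside this hunk, so the exact role of `partial_len` should be confirmed against the full function.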
@@ -426,18 +428,14 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
return 0;
{
unsigned int len;
- unsigned char temp[POLY1305_BLOCK_SIZE];
+ unsigned char *aad = ptr, temp[POLY1305_BLOCK_SIZE];
- /*
- * compose padded aad
- */
- memset(temp, 0, sizeof(temp));
- memcpy(temp, ptr, EVP_AEAD_TLS1_AAD_LEN);
-
- len = temp[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
- temp[EVP_AEAD_TLS1_AAD_LEN - 1];
+ len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
+ aad[EVP_AEAD_TLS1_AAD_LEN - 1];
if (!ctx->encrypt) {
len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
+ memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2);
+ aad = temp;
temp[EVP_AEAD_TLS1_AAD_LEN - 2] = (unsigned char)(len >> 8);
temp[EVP_AEAD_TLS1_AAD_LEN - 1] = (unsigned char)len;
}
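Review bot: On the decrypt path `len -= POLY1305_BLOCK_SIZE` runs with no lower-bound check. `len` is an `unsigned int` assembled from the last two AAD bytes, so a value smaller than the tag size wraps around to a very large length. Those bytes are presumably the record length taken from the wire, so the handler should reject the short case before subtracting: `if (len < POLY1305_BLOCK_SIZE) return 0;`, matching the `return 0` failure path visible at the top of the hunk. How `len` is used afterwards is outside this hunk, as are the start and end of chacha20_poly1305_ctrl.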
@@ -448,10 +446,10 @@ static int chacha20_poly1305_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg,
* draft-ietf-tls-chacha20-poly1305-03
*/
actx->key.counter[1] = actx->nonce[0];
- actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(temp);
- actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(temp+4);
+ actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);
+ actx->key.counter[3] = actx->nonce[2] ^ CHACHA_U8TOU32(aad+4);
actx->mac_inited = 0;
- chacha20_poly1305_cipher(ctx, NULL, temp, POLY1305_BLOCK_SIZE);
+ chacha20_poly1305_cipher(ctx, NULL, aad, EVP_AEAD_TLS1_AAD_LEN);
return POLY1305_BLOCK_SIZE; /* tag length */
}
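Review bot: The length passed to `chacha20_poly1305_cipher` is now load-bearing and nothing says so. Since the `memset` was removed, `temp` is filled only up to `EVP_AEAD_TLS1_AAD_LEN` on the decrypt path (11 bytes copied, 2 rewritten), leaving its last three bytes uninitialised. Passing `POLY1305_BLOCK_SIZE` again, as the old call did, would feed stack garbage into the MAC. A comment on the call would guard against that regression, for example `/* aad may point at temp[], which is valid only for EVP_AEAD_TLS1_AAD_LEN bytes */`. The two `CHACHA_U8TOU32` reads cover bytes 0-7 and stay inside the initialised part.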