chacha20+poly1305 authenticated encryption

Loganaden Velvindron loganaden at gmail.com
Sat Nov 16 03:46:41 EST 2013


On Fri, Nov 15, 2013 at 2:03 PM, Damien Miller <djm at mindrot.org> wrote:
> On Thu, 14 Nov 2013, James Cloos wrote:
>
>> >>>>> "DM" == Damien Miller <djm at mindrot.org> writes:
>>
>> DM> Here's a diff to implement ChaCha20+Poly1305 as an authenticated
>> DM> encryption mode. It authenticates the packet length and payload,
>> DM> and uses a separate ChaCh20 instance to encrypt the packet length
>> DM> to preserve privacy of packet lengths* while avoiding any decryption
>> DM> oracle for the main packet payload.
>>
>> Cool.
>>
>> I'd like to test it out, but for logistics reasons I'll have to do so on
>> a linux box.  Is anything written on what is needed to convert from the
>> openbsd cvs tree to the portable tree?  Or do you have a version of the
>> patch applicable to the portable's cvs?
>
> Here's one that applies to portable OpenSSH. Also available at
> http://www.mindrot.org/files/chachapoly1305_04_portable.diff

No issues so far :-)

Yeah, I made sure to specify the new cipher using -c.


>
> Index: Makefile.in
> ===================================================================
> RCS file: /var/cvs/openssh/Makefile.in,v
> retrieving revision 1.344
> diff -u -p -r1.344 Makefile.in
> --- Makefile.in 8 Nov 2013 13:17:41 -0000       1.344
> +++ Makefile.in 15 Nov 2013 00:08:29 -0000
> @@ -74,7 +74,8 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o
>         kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
>         msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
>         jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
> -       kexc25519.o kexc25519c.o
> +       kexc25519.o kexc25519c.o chacha.o chacha20poly1305aead.o \
> +       poly1305-donna-unrolled.o
>
>  SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
>         sshconnect.o sshconnect1.o sshconnect2.o mux.o \
> Index: PROTOCOL
> ===================================================================
> RCS file: /var/cvs/openssh/PROTOCOL,v
> retrieving revision 1.20
> diff -u -p -r1.20 PROTOCOL
> --- PROTOCOL    17 Oct 2013 00:48:53 -0000      1.20
> +++ PROTOCOL    15 Nov 2013 00:08:29 -0000
> @@ -91,6 +91,11 @@ an MAC algorithm. Additionally, if AES-G
>  the exchanged MAC algorithms are ignored and there doesn't have to be
>  a matching MAC.
>
> +1.7 transport: chacha20-poly1305 at openssh.com authenticated encryption
> +
> +OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
> +as described in PROTOCOL.chacha20poly1305.
> +
>  2. Connection protocol changes
>
>  2.1. connection: Channel write close extension "eow at openssh.com"
> Index: PROTOCOL.chacha20poly1305
> ===================================================================
> RCS file: PROTOCOL.chacha20poly1305
> diff -N PROTOCOL.chacha20poly1305
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ PROTOCOL.chacha20poly1305   15 Nov 2013 00:08:29 -0000
> @@ -0,0 +1,99 @@
> +This document describes the chacha20-poly1305 at openssh.com authenticated
> +encryption cipher supported by OpenSSH.
> +
> +Background
> +----------
> +
> +ChaCha20 is a stream cipher designed by Daniel Bernstein and described
> +in [1]. It operates by permuting 128 fixed bits, 128 or 256 bits of key,
> +a 64 bit nonce and a 64 bit counter into 64 bytes of stream output.
> +
> +Poly1305[2] also by Daniel Bernstien is a one-time Carter-Wegman MAC
> +that computes a 128 bit integrity tag given a message and a 256 bit key.
> +
> +The chacha20-poly1305 at openssh.com combines these two primitives into an
> +autenticated encryption mode. The construction used is based on that
> +proposed for TLS by Adam Langley in [3], but differs in the layout of
> +data passed to the MAC and in the addition of encyption of the packet
> +lengths.
> +
> +Negotiation
> +-----------
> +
> +The chacha20-poly1305 at openssh.com offers both encryption and
> +authentication. As such, no separate MAC is required. If the
> +chacha20-poly1305 at openssh.com cipher is selected in key exchange,
> +the offered MAC algorithms are ignored and no MAC is required to be
> +negotiated.
> +
> +Detailed Construction
> +---------------------
> +
> +The chacha20-poly1305 at openssh.com cipher required 512 bits of key
> +material as output from the SSH key exchange. This forms two 256 bit
> +keys (K_1 and K_2), used by two separate instances of chacha20.
> +
> +The instance keyed by K_1 is a pure stream cipher that is used only
> +to encrypt the 4 byte packet length field. The second instance,
> +keyed by K_2, is used in conjunction with poly1305 to build an AEAD
> +(Authenticated Encryption with Associated Data) that is used to encrypt
> +and authenticate entire packet.
> +
> +Two separate cipher instances are used here so as to keep the packet
> +lengths confidential but not create an oracle for the packet payload
> +encryption by decrypting and using the packet length prior to checking
> +the MAC. By using an independently-keyed cipher instance to encrypt the
> +length, an active attacker seeking to exploit the packet input handling
> +as a decryption oracle can learn nothing about the payload contents or
> +its MAC (assuming key derivation is secure).
> +
> +The AEAD is constructed as follows: for each packet, generate a Poly1305
> +key by taking the first 256 bits of ChaCha20 stream output generated
> +using K_2, an IV consisting of the packet sequence number encoded as an
> +uint64 under the SSH wire encoding rules and a ChaCha20 block counter of
> +zero. The K_2 ChaCha20 block counter is then set to the little-endian
> +encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and this instance is used
> +for encryption of the packet payload.
> +
> +Packet Handling
> +---------------
> +
> +When receiving a packet, the length must be decrypted first. When 4
> +bytes of ciphertext length have been received, they may be decrypted
> +using K_1 to obtain the plaintext length.
> +
> +Once the entire packet has been received, the MAC MUST be checked
> +before decryption. A per-packet Poly1305 key is generated as described
> +above and the MAC tag calculated using Poly1305 with this key over the
> +ciphertext of the packet length and the payload together. The calculated
> +MAC is then compared with the one appended to the packet and the packet
> +decrypted using ChaCha20 as described above (with K_2, the packet
> +sequence number as nonce and a starting block counter of 1).
> +
> +To send a packet, first encode the 4 byte length and encrypt it using
> +K_1. Encrypt the packet payload (using K_2) and append it to the
> +encrypted length. Finally, calculate a MAC tag and append it.
> +
> +Rekeying
> +--------
> +
> +ChaCha20 must never reuse a {key, nonce} for encryption nor may it be
> +used to encrypt more than 2^70 bytes under the same {key, nonce}. The
> +SSH Transport protocol (RFC4253) recommends rekeying every 1GB of data
> +sent or received. If this recommendation is followed, then
> +chacha20-poly1305 at openssh.com requires no special handling in this area.
> +
> +References
> +----------
> +
> +[1] "ChaCha, a variant of Salsa20", Daniel Bernstein
> +    http://cr.yp.to/chacha/chacha-20080128.pdf
> +
> +[2] "The Poly1305-AES message-authentication code", Daniel Bernstein
> +    http://cr.yp.to/mac/poly1305-20050329.pdf
> +
> +[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
> +    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
> +
> +$OpenBSD$
> +
> Index: authfile.c
> ===================================================================
> RCS file: /var/cvs/openssh/authfile.c,v
> retrieving revision 1.101
> diff -u -p -r1.101 authfile.c
> --- authfile.c  1 Jun 2013 21:31:18 -0000       1.101
> +++ authfile.c  15 Nov 2013 00:08:29 -0000
> @@ -149,7 +149,7 @@ key_private_rsa1_to_blob(Key *key, Buffe
>
>         cipher_set_key_string(&ciphercontext, cipher, passphrase,
>             CIPHER_ENCRYPT);
> -       cipher_crypt(&ciphercontext, cp,
> +       cipher_crypt(&ciphercontext, 0, cp,
>             buffer_ptr(&buffer), buffer_len(&buffer), 0, 0);
>         cipher_cleanup(&ciphercontext);
>         memset(&ciphercontext, 0, sizeof(ciphercontext));
> @@ -473,7 +473,7 @@ key_parse_private_rsa1(Buffer *blob, con
>         /* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
>         cipher_set_key_string(&ciphercontext, cipher, passphrase,
>             CIPHER_DECRYPT);
> -       cipher_crypt(&ciphercontext, cp,
> +       cipher_crypt(&ciphercontext, 0, cp,
>             buffer_ptr(&copy), buffer_len(&copy), 0, 0);
>         cipher_cleanup(&ciphercontext);
>         memset(&ciphercontext, 0, sizeof(ciphercontext));
> Index: chacha.c
> ===================================================================
> RCS file: chacha.c
> diff -N chacha.c
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ chacha.c    15 Nov 2013 00:08:29 -0000
> @@ -0,0 +1,217 @@
> +/*
> +chacha-merged.c version 20080118
> +D. J. Bernstein
> +Public domain.
> +*/
> +#include <stddef.h>
> +#include "chacha.h"
> +
> +/* $OpenBSD$ */
> +
> +typedef unsigned char u8;
> +typedef unsigned int u32;
> +
> +typedef struct chacha_ctx chacha_ctx;
> +
> +#define U8C(v) (v##U)
> +#define U32C(v) (v##U)
> +
> +#define U8V(v) ((u8)(v) & U8C(0xFF))
> +#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
> +
> +#define ROTL32(v, n) \
> +  (U32V((v) << (n)) | ((v) >> (32 - (n))))
> +
> +#define U8TO32_LITTLE(p) \
> +  (((u32)((p)[0])      ) | \
> +   ((u32)((p)[1]) <<  8) | \
> +   ((u32)((p)[2]) << 16) | \
> +   ((u32)((p)[3]) << 24))
> +
> +#define U32TO8_LITTLE(p, v) \
> +  do { \
> +    (p)[0] = U8V((v)      ); \
> +    (p)[1] = U8V((v) >>  8); \
> +    (p)[2] = U8V((v) >> 16); \
> +    (p)[3] = U8V((v) >> 24); \
> +  } while (0)
> +
> +#define ROTATE(v,c) (ROTL32(v,c))
> +#define XOR(v,w) ((v) ^ (w))
> +#define PLUS(v,w) (U32V((v) + (w)))
> +#define PLUSONE(v) (PLUS((v),1))
> +
> +#define QUARTERROUND(a,b,c,d) \
> +  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
> +  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
> +  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
> +  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
> +
> +static const char sigma[16] = "expand 32-byte k";
> +static const char tau[16] = "expand 16-byte k";
> +
> +void
> +chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
> +{
> +  const char *constants;
> +
> +  x->input[4] = U8TO32_LITTLE(k + 0);
> +  x->input[5] = U8TO32_LITTLE(k + 4);
> +  x->input[6] = U8TO32_LITTLE(k + 8);
> +  x->input[7] = U8TO32_LITTLE(k + 12);
> +  if (kbits == 256) { /* recommended */
> +    k += 16;
> +    constants = sigma;
> +  } else { /* kbits == 128 */
> +    constants = tau;
> +  }
> +  x->input[8] = U8TO32_LITTLE(k + 0);
> +  x->input[9] = U8TO32_LITTLE(k + 4);
> +  x->input[10] = U8TO32_LITTLE(k + 8);
> +  x->input[11] = U8TO32_LITTLE(k + 12);
> +  x->input[0] = U8TO32_LITTLE(constants + 0);
> +  x->input[1] = U8TO32_LITTLE(constants + 4);
> +  x->input[2] = U8TO32_LITTLE(constants + 8);
> +  x->input[3] = U8TO32_LITTLE(constants + 12);
> +}
> +
> +void
> +chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
> +{
> +  x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
> +  x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
> +  x->input[14] = U8TO32_LITTLE(iv + 0);
> +  x->input[15] = U8TO32_LITTLE(iv + 4);
> +}
> +
> +void
> +chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
> +{
> +  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
> +  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
> +  u8 *ctarget = NULL;
> +  u8 tmp[64];
> +  u_int i;
> +
> +  if (!bytes) return;
> +
> +  j0 = x->input[0];
> +  j1 = x->input[1];
> +  j2 = x->input[2];
> +  j3 = x->input[3];
> +  j4 = x->input[4];
> +  j5 = x->input[5];
> +  j6 = x->input[6];
> +  j7 = x->input[7];
> +  j8 = x->input[8];
> +  j9 = x->input[9];
> +  j10 = x->input[10];
> +  j11 = x->input[11];
> +  j12 = x->input[12];
> +  j13 = x->input[13];
> +  j14 = x->input[14];
> +  j15 = x->input[15];
> +
> +  for (;;) {
> +    if (bytes < 64) {
> +      for (i = 0;i < bytes;++i) tmp[i] = m[i];
> +      m = tmp;
> +      ctarget = c;
> +      c = tmp;
> +    }
> +    x0 = j0;
> +    x1 = j1;
> +    x2 = j2;
> +    x3 = j3;
> +    x4 = j4;
> +    x5 = j5;
> +    x6 = j6;
> +    x7 = j7;
> +    x8 = j8;
> +    x9 = j9;
> +    x10 = j10;
> +    x11 = j11;
> +    x12 = j12;
> +    x13 = j13;
> +    x14 = j14;
> +    x15 = j15;
> +    for (i = 20;i > 0;i -= 2) {
> +      QUARTERROUND( x0, x4, x8,x12)
> +      QUARTERROUND( x1, x5, x9,x13)
> +      QUARTERROUND( x2, x6,x10,x14)
> +      QUARTERROUND( x3, x7,x11,x15)
> +      QUARTERROUND( x0, x5,x10,x15)
> +      QUARTERROUND( x1, x6,x11,x12)
> +      QUARTERROUND( x2, x7, x8,x13)
> +      QUARTERROUND( x3, x4, x9,x14)
> +    }
> +    x0 = PLUS(x0,j0);
> +    x1 = PLUS(x1,j1);
> +    x2 = PLUS(x2,j2);
> +    x3 = PLUS(x3,j3);
> +    x4 = PLUS(x4,j4);
> +    x5 = PLUS(x5,j5);
> +    x6 = PLUS(x6,j6);
> +    x7 = PLUS(x7,j7);
> +    x8 = PLUS(x8,j8);
> +    x9 = PLUS(x9,j9);
> +    x10 = PLUS(x10,j10);
> +    x11 = PLUS(x11,j11);
> +    x12 = PLUS(x12,j12);
> +    x13 = PLUS(x13,j13);
> +    x14 = PLUS(x14,j14);
> +    x15 = PLUS(x15,j15);
> +
> +    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
> +    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
> +    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
> +    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
> +    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
> +    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
> +    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
> +    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
> +    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
> +    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
> +    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
> +    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
> +    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
> +    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
> +    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
> +    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
> +
> +    j12 = PLUSONE(j12);
> +    if (!j12) {
> +      j13 = PLUSONE(j13);
> +      /* stopping at 2^70 bytes per nonce is user's responsibility */
> +    }
> +
> +    U32TO8_LITTLE(c + 0,x0);
> +    U32TO8_LITTLE(c + 4,x1);
> +    U32TO8_LITTLE(c + 8,x2);
> +    U32TO8_LITTLE(c + 12,x3);
> +    U32TO8_LITTLE(c + 16,x4);
> +    U32TO8_LITTLE(c + 20,x5);
> +    U32TO8_LITTLE(c + 24,x6);
> +    U32TO8_LITTLE(c + 28,x7);
> +    U32TO8_LITTLE(c + 32,x8);
> +    U32TO8_LITTLE(c + 36,x9);
> +    U32TO8_LITTLE(c + 40,x10);
> +    U32TO8_LITTLE(c + 44,x11);
> +    U32TO8_LITTLE(c + 48,x12);
> +    U32TO8_LITTLE(c + 52,x13);
> +    U32TO8_LITTLE(c + 56,x14);
> +    U32TO8_LITTLE(c + 60,x15);
> +
> +    if (bytes <= 64) {
> +      if (bytes < 64) {
> +        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
> +      }
> +      x->input[12] = j12;
> +      x->input[13] = j13;
> +      return;
> +    }
> +    bytes -= 64;
> +    c += 64;
> +    m += 64;
> +  }
> +}
> Index: chacha.h
> ===================================================================
> RCS file: chacha.h
> diff -N chacha.h
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ chacha.h    15 Nov 2013 00:08:29 -0000
> @@ -0,0 +1,35 @@
> +/* $OpenBSD$ */
> +
> +/*
> +chacha-merged.c version 20080118
> +D. J. Bernstein
> +Public domain.
> +*/
> +
> +#ifndef CHACHA_H
> +#define CHACHA_H
> +
> +#include <sys/types.h>
> +
> +struct chacha_ctx {
> +       u_int input[16];
> +};
> +
> +#define CHACHA_MINKEYLEN       16
> +#define CHACHA_NONCELEN                8
> +#define CHACHA_CTRLEN          8
> +#define CHACHA_STATELEN                (CHACHA_NONCELEN+CHACHA_CTRLEN)
> +#define CHACHA_BLOCKLEN                64
> +
> +void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits)
> +    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
> +void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv, const u_char *ctr)
> +    __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
> +    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
> +void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
> +    u_char *c, u_int bytes)
> +    __attribute__((__bounded__(__buffer__, 2, 4)))
> +    __attribute__((__bounded__(__buffer__, 3, 4)));
> +
> +#endif /* CHACHA_H */
> +
> Index: chacha20poly1305aead.c
> ===================================================================
> RCS file: chacha20poly1305aead.c
> diff -N chacha20poly1305aead.c
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ chacha20poly1305aead.c      15 Nov 2013 00:08:29 -0000
> @@ -0,0 +1,111 @@
> +/*
> + * Copyright (c) 2013 Damien Miller <djm at mindrot.org>
> + *
> + * Permission to use, copy, modify, and distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> + */
> +
> +#include <sys/types.h>
> +#include <sys/time.h> /* needed for misc.h */
> +#include <stdarg.h> /* needed for log.h */
> +#include <string.h>
> +#include <stdio.h>  /* needed for misc.h */
> +
> +#include "log.h"
> +#include "misc.h"
> +#include "chacha20poly1305aead.h"
> +
> +void cp_aead_init(struct chacha_poly_aead_ctx *ctx,
> +    const u_char *key, u_int keylen)
> +{
> +       if (keylen != (32 + 32)) /* 2 x 256 bit keys */
> +               fatal("%s: invalid keylen %u", __func__, keylen);
> +       chacha_keysetup(&ctx->main_ctx, key, 256);
> +       chacha_keysetup(&ctx->header_ctx, key + 32, 256);
> +}
> +
> +/*
> + * cp_aead_crypt() operates as following:
> + * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
> + * Theses bytes are treated as additional authenticated data.
> + * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
> + * Use POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the
> + * authentication tag.
> + * This tag is written on encryption and verified on decryption.
> + * Both 'aadlen' and 'authlen' can be set to 0.
> + */
> +int
> +cp_aead_crypt(struct chacha_poly_aead_ctx *ctx, u_int seqnr, u_char *dest,
> +    const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt)
> +{
> +       u_char seqbuf[8];
> +       u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB. little-endian */
> +       u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
> +       int r = -1;
> +
> +       /*
> +        * Run ChaCha20 once to generate the Poly1305 key. The IV is the
> +        * packet sequence number.
> +        */
> +       bzero(poly_key, sizeof(poly_key));
> +       put_u64(seqbuf, seqnr);
> +       chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
> +       chacha_encrypt_bytes(&ctx->main_ctx,
> +           poly_key, poly_key, sizeof(poly_key));
> +       /* Set Chacha's block counter to 1 */
> +       chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
> +
> +       /* If decrypting, check tag before anything else */
> +       if (!do_encrypt) {
> +               const u_char *tag = src + aadlen + len;
> +
> +               poly1305_auth(expected_tag, src, aadlen + len, poly_key);
> +               if (!timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN))
> +                       goto out;
> +       }
> +       /* Crypt additional data */
> +        if (aadlen) {
> +               chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
> +               chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
> +       }
> +       chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
> +           dest + aadlen, len);
> +
> +       /* If encrypting, calculate and append tag */
> +       if (do_encrypt) {
> +               poly1305_auth(dest + aadlen + len, dest, aadlen + len,
> +                   poly_key);
> +       }
> +       r = 0;
> +
> + out:
> +       bzero(expected_tag, sizeof(expected_tag));
> +       bzero(seqbuf, sizeof(seqbuf));
> +       bzero(poly_key, sizeof(poly_key));
> +       return r;
> +}
> +
> +int
> +cp_aead_get_length(struct chacha_poly_aead_ctx *ctx,
> +    u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
> +{
> +       u_char buf[4], seqbuf[8];
> +
> +       if (len < 4)
> +               return -1; /* Insufficient length */
> +       put_u64(seqbuf, seqnr);
> +       chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
> +       chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
> +       *plenp = get_u32(buf);
> +       return 0;
> +}
> +
> Index: chacha20poly1305aead.h
> ===================================================================
> RCS file: chacha20poly1305aead.h
> diff -N chacha20poly1305aead.h
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ chacha20poly1305aead.h      15 Nov 2013 00:08:29 -0000
> @@ -0,0 +1,41 @@
> +/* $OpenBSD$ */
> +
> +/*
> + * Copyright (c) Damien Miller 2013 <djm at mindrot.org>
> + *
> + * Permission to use, copy, modify, and distribute this software for any
> + * purpose with or without fee is hereby granted, provided that the above
> + * copyright notice and this permission notice appear in all copies.
> + *
> + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
> + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
> + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
> + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
> + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
> + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> + */
> +#ifndef CHACHA_POLY_AEAD_H
> +#define CHACHA_POLY_AEAD_H
> +
> +#include <sys/types.h>
> +#include "chacha.h"
> +#include "poly1305-donna-unrolled.h"
> +
> +#define CHACHA_KEYLEN  32 /* Only 256 bit keys used here */
> +
> +struct chacha_poly_aead_ctx {
> +       struct chacha_ctx main_ctx, header_ctx;
> +};
> +
> +void   cp_aead_init(struct chacha_poly_aead_ctx *cpctx,
> +    const u_char *key, u_int keylen)
> +    __attribute__((__bounded__(__buffer__, 2, 3)));
> +int    cp_aead_crypt(struct chacha_poly_aead_ctx *cpctx, u_int seqnr,
> +    u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen,
> +    int do_encrypt);
> +int    cp_aead_get_length(struct chacha_poly_aead_ctx *cpctx,
> +    u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
> +    __attribute__((__bounded__(__buffer__, 4, 5)));
> +
> +#endif /* CHACHA_POLY_AEAD_H */
> Index: cipher.c
> ===================================================================
> RCS file: /var/cvs/openssh/cipher.c,v
> retrieving revision 1.97
> diff -u -p -r1.97 cipher.c
> --- cipher.c    8 Nov 2013 01:16:50 -0000       1.97
> +++ cipher.c    15 Nov 2013 00:08:29 -0000
> @@ -43,9 +43,11 @@
>
>  #include <string.h>
>  #include <stdarg.h>
> +#include <stdio.h>
>
>  #include "xmalloc.h"
>  #include "log.h"
> +#include "misc.h"
>  #include "cipher.h"
>
>  /* compatibility with old or broken OpenSSL versions */
> @@ -63,7 +65,9 @@ struct Cipher {
>         u_int   iv_len;         /* defaults to block_size */
>         u_int   auth_len;
>         u_int   discard_len;
> -       u_int   cbc_mode;
> +       u_int   flags;
> +#define CFLAG_CBC      (1<<0)
> +#define CFLAG_CP_AEAD  (1<<1)
>         const EVP_CIPHER        *(*evptype)(void);
>  };
>
> @@ -95,6 +99,8 @@ static const struct Cipher ciphers[] = {
>         { "aes256-gcm at openssh.com",
>                         SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
>  #endif
> +       { "chacha20-poly1305 at openssh.com",
> +                       SSH_CIPHER_SSH2, 8, 64, 0, 8, 0, CFLAG_CP_AEAD, NULL },
>         { NULL,         SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
>  };
>
> @@ -142,7 +148,12 @@ cipher_authlen(const Cipher *c)
>  u_int
>  cipher_ivlen(const Cipher *c)
>  {
> -       return (c->iv_len ? c->iv_len : c->block_size);
> +       /*
> +        * Default is cipher block size, except for chacha20+poly1305 that
> +        * needs no IV. XXX make iv_len == -1 default?
> +        */
> +       return (c->iv_len != 0 || (c->flags & CFLAG_CP_AEAD) != 0) ?
> +           c->iv_len : c->block_size;
>  }
>
>  u_int
> @@ -154,7 +165,7 @@ cipher_get_number(const Cipher *c)
>  u_int
>  cipher_is_cbc(const Cipher *c)
>  {
> -       return (c->cbc_mode);
> +       return (c->flags & CFLAG_CBC) != 0;
>  }
>
>  u_int
> @@ -274,8 +285,11 @@ cipher_init(CipherContext *cc, const Cip
>                     ivlen, cipher->name);
>         cc->cipher = cipher;
>
> +       if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0) {
> +               cp_aead_init(&cc->cp_ctx, key, keylen);
> +               return;
> +       }
>         type = (*cipher->evptype)();
> -
>         EVP_CIPHER_CTX_init(&cc->evp);
>  #ifdef SSH_OLD_EVP
>         if (type->key_len > 0 && type->key_len != keylen) {
> @@ -330,9 +344,15 @@ cipher_init(CipherContext *cc, const Cip
>   * Both 'aadlen' and 'authlen' can be set to 0.
>   */
>  void
> -cipher_crypt(CipherContext *cc, u_char *dest, const u_char *src,
> +cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src,
>      u_int len, u_int aadlen, u_int authlen)
>  {
> +       if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0) {
> +               if (cp_aead_crypt(&cc->cp_ctx, seqnr, dest, src, len, aadlen,
> +                   authlen, cc->encrypt) != 0)
> +                       fatal("Decryption integrity check failed");
> +               return;
> +       }
>         if (authlen) {
>                 u_char lastiv[1];
>
> @@ -374,10 +394,29 @@ cipher_crypt(CipherContext *cc, u_char *
>         }
>  }
>
> +/*
> + * Extract the packet length for an AEAD cipher, including any decryption
> + * necessary beforehand.
> + */
> +int
> +cipher_aead_get_length(CipherContext *cc, u_int *plenp, u_int seqnr,
> +    const u_char *cp, u_int len)
> +{
> +       if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
> +               return cp_aead_get_length(&cc->cp_ctx, plenp, seqnr,
> +                   cp, len);
> +       if (len < 4)
> +               return -1;
> +       *plenp = get_u32(cp);
> +       return 0;
> +}
> +
>  void
>  cipher_cleanup(CipherContext *cc)
>  {
> -       if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
> +       if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
> +               bzero(&cc->cp_ctx, sizeof(&cc->cp_ctx));
> +       else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
>                 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
>  }
>
> @@ -417,6 +456,8 @@ cipher_get_keyiv_len(const CipherContext
>
>         if (c->number == SSH_CIPHER_3DES)
>                 ivlen = 24;
> +       else if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
> +               ivlen = 0;
>         else
>                 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
>         return (ivlen);
> @@ -428,6 +469,12 @@ cipher_get_keyiv(CipherContext *cc, u_ch
>         const Cipher *c = cc->cipher;
>         int evplen;
>
> +       if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0) {
> +               if (len != 0)
> +                       fatal("%s: wrong iv length %d != %d", __func__, len, 0);
> +               return;
> +       }
> +
>         switch (c->number) {
>         case SSH_CIPHER_SSH2:
>         case SSH_CIPHER_DES:
> @@ -463,6 +510,9 @@ cipher_set_keyiv(CipherContext *cc, u_ch
>  {
>         const Cipher *c = cc->cipher;
>         int evplen = 0;
> +
> +       if ((cc->cipher->flags & CFLAG_CP_AEAD) != 0)
> +               return;
>
>         switch (c->number) {
>         case SSH_CIPHER_SSH2:
> Index: cipher.h
> ===================================================================
> RCS file: /var/cvs/openssh/cipher.h,v
> retrieving revision 1.37
> diff -u -p -r1.37 cipher.h
> --- cipher.h    8 Nov 2013 01:16:50 -0000       1.37
> +++ cipher.h    15 Nov 2013 00:08:29 -0000
> @@ -38,6 +38,8 @@
>  #define CIPHER_H
>
>  #include <openssl/evp.h>
> +#include "chacha20poly1305aead.h"
> +
>  /*
>   * Cipher types for SSH-1.  New types can be added, but old types should not
>   * be removed for compatibility.  The maximum allowed value is 31.
> @@ -65,7 +67,9 @@ struct Cipher;
>  struct CipherContext {
>         int     plaintext;
>         int     encrypt;
> +       int     is_cp_aead;
>         EVP_CIPHER_CTX evp;
> +       struct chacha_poly_aead_ctx cp_ctx; /* XXX union with evp? */
>         const Cipher *cipher;
>  };
>
> @@ -78,8 +82,10 @@ int   ciphers_valid(const char *);
>  char   *cipher_alg_list(char);
>  void    cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
>      const u_char *, u_int, int);
> -void    cipher_crypt(CipherContext *, u_char *, const u_char *,
> +void    cipher_crypt(CipherContext *, u_int, u_char *, const u_char *,
>      u_int, u_int, u_int);
> +int     cipher_aead_get_length(CipherContext *, u_int *, u_int,
> +    const u_char *, u_int);
>  void    cipher_cleanup(CipherContext *);
>  void    cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
>  u_int   cipher_blocksize(const Cipher *);
> Index: myproposal.h
> ===================================================================
> RCS file: /var/cvs/openssh/myproposal.h,v
> retrieving revision 1.43
> diff -u -p -r1.43 myproposal.h
> --- myproposal.h        9 Nov 2013 07:39:25 -0000       1.43
> +++ myproposal.h        15 Nov 2013 00:08:30 -0000
> @@ -104,6 +104,7 @@
>         "aes128-ctr,aes192-ctr,aes256-ctr," \
>         "arcfour256,arcfour128," \
>         AESGCM_CIPHER_MODES \
> +       "chacha20-poly1305 at openssh.com," \
>         "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
>         "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc at lysator.liu.se"
>
> Index: packet.c
> ===================================================================
> RCS file: /var/cvs/openssh/packet.c,v
> retrieving revision 1.196
> diff -u -p -r1.196 packet.c
> --- packet.c    8 Nov 2013 01:19:57 -0000       1.196
> +++ packet.c    15 Nov 2013 00:08:30 -0000
> @@ -713,7 +713,7 @@ packet_send1(void)
>         buffer_append(&active_state->output, buf, 4);
>         cp = buffer_append_space(&active_state->output,
>             buffer_len(&active_state->outgoing_packet));
> -       cipher_crypt(&active_state->send_context, cp,
> +       cipher_crypt(&active_state->send_context, 0, cp,
>             buffer_ptr(&active_state->outgoing_packet),
>             buffer_len(&active_state->outgoing_packet), 0, 0);
>
> @@ -946,8 +946,8 @@ packet_send2_wrapped(void)
>         }
>         /* encrypt packet and append to output buffer. */
>         cp = buffer_append_space(&active_state->output, len + authlen);
> -       cipher_crypt(&active_state->send_context, cp,
> -           buffer_ptr(&active_state->outgoing_packet),
> +       cipher_crypt(&active_state->send_context, active_state->p_send.seqnr,
> +           cp, buffer_ptr(&active_state->outgoing_packet),
>             len - aadlen, aadlen, authlen);
>         /* append unencrypted MAC */
>         if (mac && mac->enabled) {
> @@ -1208,7 +1208,7 @@ packet_read_poll1(void)
>         /* Decrypt data to incoming_packet. */
>         buffer_clear(&active_state->incoming_packet);
>         cp = buffer_append_space(&active_state->incoming_packet, padded_len);
> -       cipher_crypt(&active_state->receive_context, cp,
> +       cipher_crypt(&active_state->receive_context, 0, cp,
>             buffer_ptr(&active_state->input), padded_len, 0, 0);
>
>         buffer_consume(&active_state->input, padded_len);
> @@ -1279,10 +1279,12 @@ packet_read_poll2(u_int32_t *seqnr_p)
>         aadlen = (mac && mac->enabled && mac->etm) || authlen ? 4 : 0;
>
>         if (aadlen && active_state->packlen == 0) {
> -               if (buffer_len(&active_state->input) < 4)
> +               if (cipher_aead_get_length(&active_state->receive_context,
> +                   &active_state->packlen,
> +                   active_state->p_read.seqnr,
> +                   buffer_ptr(&active_state->input),
> +                   buffer_len(&active_state->input)) != 0)
>                         return SSH_MSG_NONE;
> -               cp = buffer_ptr(&active_state->input);
> -               active_state->packlen = get_u32(cp);
>                 if (active_state->packlen < 1 + 4 ||
>                     active_state->packlen > PACKET_MAX_SIZE) {
>  #ifdef PACKET_DEBUG
> @@ -1302,7 +1304,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
>                 buffer_clear(&active_state->incoming_packet);
>                 cp = buffer_append_space(&active_state->incoming_packet,
>                     block_size);
> -               cipher_crypt(&active_state->receive_context, cp,
> +               cipher_crypt(&active_state->receive_context,
> +                   active_state->p_read.seqnr, cp,
>                     buffer_ptr(&active_state->input), block_size, 0, 0);
>                 cp = buffer_ptr(&active_state->incoming_packet);
>                 active_state->packlen = get_u32(cp);
> @@ -1357,7 +1360,8 @@ packet_read_poll2(u_int32_t *seqnr_p)
>                 macbuf = mac_compute(mac, active_state->p_read.seqnr,
>                     buffer_ptr(&active_state->input), aadlen + need);
>         cp = buffer_append_space(&active_state->incoming_packet, aadlen + need);
> -       cipher_crypt(&active_state->receive_context, cp,
> +       cipher_crypt(&active_state->receive_context,
> +           active_state->p_read.seqnr, cp,
>             buffer_ptr(&active_state->input), need, aadlen, authlen);
>         buffer_consume(&active_state->input, aadlen + need + authlen);
>         /*
> Index: poly1305-donna-unrolled.c
> ===================================================================
> RCS file: poly1305-donna-unrolled.c
> diff -N poly1305-donna-unrolled.c
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ poly1305-donna-unrolled.c   15 Nov 2013 00:08:30 -0000
> @@ -0,0 +1,154 @@
> +/*
> + * Public Domain poly1305-donna from Andrew M.
> + * https://github.com/floodyberry/poly1305-donna
> + */
> +
> +#include <sys/types.h>
> +#include <stdint.h>
> +
> +#include "poly1305-donna-unrolled.h"
> +
> +#define mul32x32_64(a,b) ((uint64_t)(a) * (b))
> +
> +#define U8TO32_LE(p) \
> +       (((uint32_t)((p)[0])) | \
> +        ((uint32_t)((p)[1]) <<  8) | \
> +        ((uint32_t)((p)[2]) << 16) | \
> +        ((uint32_t)((p)[3]) << 24))
> +
> +#define U32TO8_LE(p, v) \
> +       do { \
> +               (p)[0] = (uint8_t)((v)); \
> +               (p)[1] = (uint8_t)((v) >>  8); \
> +               (p)[2] = (uint8_t)((v) >> 16); \
> +               (p)[3] = (uint8_t)((v) >> 24); \
> +       } while (0)
> +
> +void
> +poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen, const unsigned char key[POLY1305_KEYLEN]) {
> +       uint32_t t0,t1,t2,t3;
> +       uint32_t h0,h1,h2,h3,h4;
> +       uint32_t r0,r1,r2,r3,r4;
> +       uint32_t s1,s2,s3,s4;
> +       uint32_t b, nb;
> +       size_t j;
> +       uint64_t t[5];
> +       uint64_t f0,f1,f2,f3;
> +       uint32_t g0,g1,g2,g3,g4;
> +       uint64_t c;
> +       unsigned char mp[16];
> +
> +       /* clamp key */
> +       t0 = U8TO32_LE(key+0);
> +       t1 = U8TO32_LE(key+4);
> +       t2 = U8TO32_LE(key+8);
> +       t3 = U8TO32_LE(key+12);
> +
> +       /* precompute multipliers */
> +       r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6;
> +       r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12;
> +       r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18;
> +       r3 = t2 & 0x3f03fff; t3 >>= 8;
> +       r4 = t3 & 0x00fffff;
> +
> +       s1 = r1 * 5;
> +       s2 = r2 * 5;
> +       s3 = r3 * 5;
> +       s4 = r4 * 5;
> +
> +       /* init state */
> +       h0 = 0;
> +       h1 = 0;
> +       h2 = 0;
> +       h3 = 0;
> +       h4 = 0;
> +
> +       /* full blocks */
> +       if (inlen < 16) goto poly1305_donna_atmost15bytes;
> +poly1305_donna_16bytes:
> +       m += 16;
> +       inlen -= 16;
> +
> +       t0 = U8TO32_LE(m-16);
> +       t1 = U8TO32_LE(m-12);
> +       t2 = U8TO32_LE(m-8);
> +       t3 = U8TO32_LE(m-4);
> +
> +       h0 += t0 & 0x3ffffff;
> +       h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
> +       h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
> +       h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
> +       h4 += (t3 >> 8) | (1 << 24);
> +
> +
> +poly1305_donna_mul:
> +       t[0]  = mul32x32_64(h0,r0) + mul32x32_64(h1,s4) + mul32x32_64(h2,s3) + mul32x32_64(h3,s2) + mul32x32_64(h4,s1);
> +       t[1]  = mul32x32_64(h0,r1) + mul32x32_64(h1,r0) + mul32x32_64(h2,s4) + mul32x32_64(h3,s3) + mul32x32_64(h4,s2);
> +       t[2]  = mul32x32_64(h0,r2) + mul32x32_64(h1,r1) + mul32x32_64(h2,r0) + mul32x32_64(h3,s4) + mul32x32_64(h4,s3);
> +       t[3]  = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4);
> +       t[4]  = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0);
> +
> +                       h0 = (uint32_t)t[0] & 0x3ffffff; c =           (t[0] >> 26);
> +       t[1] += c;      h1 = (uint32_t)t[1] & 0x3ffffff; b = (uint32_t)(t[1] >> 26);
> +       t[2] += b;      h2 = (uint32_t)t[2] & 0x3ffffff; b = (uint32_t)(t[2] >> 26);
> +       t[3] += b;      h3 = (uint32_t)t[3] & 0x3ffffff; b = (uint32_t)(t[3] >> 26);
> +       t[4] += b;      h4 = (uint32_t)t[4] & 0x3ffffff; b = (uint32_t)(t[4] >> 26);
> +       h0 += b * 5;
> +
> +       if (inlen >= 16) goto poly1305_donna_16bytes;
> +
> +       /* final bytes */
> +poly1305_donna_atmost15bytes:
> +       if (!inlen) goto poly1305_donna_finish;
> +
> +       for (j = 0; j < inlen; j++) mp[j] = m[j];
> +       mp[j++] = 1;
> +       for (; j < 16; j++)     mp[j] = 0;
> +       inlen = 0;
> +
> +       t0 = U8TO32_LE(mp+0);
> +       t1 = U8TO32_LE(mp+4);
> +       t2 = U8TO32_LE(mp+8);
> +       t3 = U8TO32_LE(mp+12);
> +
> +       h0 += t0 & 0x3ffffff;
> +       h1 += ((((uint64_t)t1 << 32) | t0) >> 26) & 0x3ffffff;
> +       h2 += ((((uint64_t)t2 << 32) | t1) >> 20) & 0x3ffffff;
> +       h3 += ((((uint64_t)t3 << 32) | t2) >> 14) & 0x3ffffff;
> +       h4 += (t3 >> 8);
> +
> +       goto poly1305_donna_mul;
> +
> +poly1305_donna_finish:
> +                    b = h0 >> 26; h0 = h0 & 0x3ffffff;
> +       h1 +=     b; b = h1 >> 26; h1 = h1 & 0x3ffffff;
> +       h2 +=     b; b = h2 >> 26; h2 = h2 & 0x3ffffff;
> +       h3 +=     b; b = h3 >> 26; h3 = h3 & 0x3ffffff;
> +       h4 +=     b; b = h4 >> 26; h4 = h4 & 0x3ffffff;
> +       h0 += b * 5; b = h0 >> 26; h0 = h0 & 0x3ffffff;
> +       h1 +=     b;
> +
> +       g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
> +       g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
> +       g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
> +       g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
> +       g4 = h4 + b - (1 << 26);
> +
> +       b = (g4 >> 31) - 1;
> +       nb = ~b;
> +       h0 = (h0 & nb) | (g0 & b);
> +       h1 = (h1 & nb) | (g1 & b);
> +       h2 = (h2 & nb) | (g2 & b);
> +       h3 = (h3 & nb) | (g3 & b);
> +       h4 = (h4 & nb) | (g4 & b);
> +
> +       f0 = ((h0      ) | (h1 << 26)) + (uint64_t)U8TO32_LE(&key[16]);
> +       f1 = ((h1 >>  6) | (h2 << 20)) + (uint64_t)U8TO32_LE(&key[20]);
> +       f2 = ((h2 >> 12) | (h3 << 14)) + (uint64_t)U8TO32_LE(&key[24]);
> +       f3 = ((h3 >> 18) | (h4 <<  8)) + (uint64_t)U8TO32_LE(&key[28]);
> +
> +       U32TO8_LE(&out[ 0], f0); f1 += (f0 >> 32);
> +       U32TO8_LE(&out[ 4], f1); f2 += (f1 >> 32);
> +       U32TO8_LE(&out[ 8], f2); f3 += (f2 >> 32);
> +       U32TO8_LE(&out[12], f3);
> +}
> Index: poly1305-donna-unrolled.h
> ===================================================================
> RCS file: poly1305-donna-unrolled.h
> diff -N poly1305-donna-unrolled.h
> --- /dev/null   1 Jan 1970 00:00:00 -0000
> +++ poly1305-donna-unrolled.h   15 Nov 2013 00:08:30 -0000
> @@ -0,0 +1,22 @@
> +/* $OpenBSD$ */
> +
> +/*
> + * Public Domain poly1305-donna from Andrew M.
> + * https://github.com/floodyberry/poly1305-donna
> + */
> +
> +#ifndef POLY1305_H
> +#define POLY1305_H
> +
> +#include <sys/types.h>
> +
> +#define POLY1305_KEYLEN                32
> +#define POLY1305_TAGLEN                16
> +
> +void poly1305_auth(u_char out[POLY1305_TAGLEN], const u_char *m, size_t inlen,
> +    const u_char key[POLY1305_KEYLEN])
> +    __attribute__((__bounded__(__minbytes__, 1, POLY1305_TAGLEN)))
> +    __attribute__((__bounded__(__buffer__, 2, 3)))
> +    __attribute__((__bounded__(__minbytes__, 4, POLY1305_KEYLEN)));
> +
> +#endif /* POLY1305_H */
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.


More information about the openssh-unix-dev mailing list