chacha20+poly1305 authenticated encryption

Christian Weisgerber naddy at mips.inka.de
Sun Nov 17 13:49:48 EST 2013


Christian Weisgerber <naddy at mips.inka.de> wrote:

> There must be a bug somewhere else, but I don't see it.

Found it.  The authentication tag size was wrong in the ciphers
table.  With the changes below, this now passes the relevant
regression tests on alpha, amd64, and sparc64; and I verified that
these architectures all interoperate successfully.

--- chacha20poly1305aead.c.orig	Sun Nov 17 02:38:00 2013
+++ chacha20poly1305aead.c	Sun Nov 17 02:38:16 2013
@@ -68,7 +68,7 @@ cp_aead_crypt(struct chacha_poly_aead_ctx *ctx, u_int 
 		const u_char *tag = src + aadlen + len;
 
 		poly1305_auth(expected_tag, src, aadlen + len, poly_key);
-		if (!timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN))
+		if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
 			goto out;
 	}
 	/* Crypt additional data */
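Review bot: The tag check at `if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)` has no negative test behind it, and this hunk shows why it needs one. timingsafe_bcmp returns 0 when the buffers are equal, so the old `!timingsafe_bcmp(...)` form took the `goto out` path on a matching tag and fell through on a mismatching one. Please add a regression case that flips a single byte of the received tag and expects the packet to be rejected, so an inverted comparison cannot pass unnoticed again. The code at `out` is not visible in this hunk; it is worth confirming that this path returns an error and that no plaintext is written to the destination before the check.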
--- cipher.c.orig	Sun Nov 17 02:37:52 2013
+++ cipher.c	Sun Nov 17 02:38:30 2013
@@ -93,7 +93,7 @@ static const struct Cipher ciphers[] = {
 	{ "aes256-gcm at openssh.com",
 			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 	{ "chacha20-poly1305 at openssh.com",
-			SSH_CIPHER_SSH2, 8, 64, 0, 8, 0, CFLAG_CP_AEAD, NULL },
+			SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CP_AEAD, NULL },
 
 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
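Review bot: The literal `16` in the `chacha20-poly1305` entry duplicates `POLY1305_TAGLEN`, which the comparison in cp_aead_crypt already uses, and the two values drifting apart is the bug this message describes. Consider using `POLY1305_TAGLEN` in the table if the header can be included in cipher.c, or adding a compile-time check that the two agree. The initializer is also purely positional, so a short comment naming the fields (in particular which one is the authentication tag length) would make a wrong value in this row easier to spot in review.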

-- 
Christian "naddy" Weisgerber                          naddy at mips.inka.de


More information about the openssh-unix-dev mailing list