chacha20+poly1305 authenticated encryption
Christian Weisgerber
naddy at mips.inka.de
Sun Nov 17 07:11:15 EST 2013
Damien Miller <djm at mindrot.org> wrote:
> Here's a diff to implement ChaCha20+Poly1305 as an authenticated
> encryption mode.
Unless I'm hallucinating, this patch has a catastrophic bug.
I updated and ran the regression tests, and the integrity check
fails:
test integrity: chacha20-poly1305 at openssh.com @2900
ssh -c chacha20-poly1305 at openssh.com succeeds with bit-flip at 2900
unexpected error mac chacha20-poly1305 at openssh.com at 2900
test integrity: chacha20-poly1305 at openssh.com @2901
ssh -c chacha20-poly1305 at openssh.com succeeds with bit-flip at 2901
unexpected error mac chacha20-poly1305 at openssh.com at 2901
[etc.]
In cp_aead_crypt()...
> + /* If decrypting, check tag before anything else */
> + if (!do_encrypt) {
> + const u_char *tag = src + aadlen + len;
> +
> + poly1305_auth(expected_tag, src, aadlen + len, poly_key);
> + if (!timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN))
> + goto out;
> + }
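Review bot: the tag check in this hunk is inverted. timingsafe_bcmp() returns 0 when the two buffers are equal, so `if (!timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN)) goto out;` takes the failure path exactly when the tag matches and falls through to decryption when it does not, which is what the regression output above shows (untampered packets rejected with "unexpected error mac", bit-flipped packets accepted). The comparison should be `if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) goto out;`, and the integrity test should then be re-run to confirm that the bit-flip cases fail as expected.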
... the condition for the tag comparison is inverted. It only
seems to work because the authentication actually fails all the
time.
There must be a bug somewhere else, but I don't see it.
--
Christian "naddy" Weisgerber naddy at mips.inka.de
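To show the inverted comparison described above in isolation, here is an added example (not code from the patch or from OpenSSH). It assumes a constant-time compare with the same contract as OpenBSD's timingsafe_bcmp() (returns 0 on match, reimplemented here as ct_bcmp) and uses constructed tag bytes in place of a real poly1305_auth() result; accept_tag_inverted() mirrors the quoted hunk, accept_tag_fixed() the corrected check.

```c
#include <stddef.h>
#include <string.h>

#define POLY1305_TAGLEN 16

/* Constant-time comparison with the timingsafe_bcmp() contract:
 * 0 when the buffers are equal, non-zero otherwise.
 * (Assumption: reimplemented so the example stands alone.) */
static int ct_bcmp(const void *b1, const void *b2, size_t n)
{
    const unsigned char *p1 = b1, *p2 = b2;
    int diff = 0;
    for (; n > 0; n--)
        diff |= *p1++ ^ *p2++;
    return diff != 0;
}

/* The check as written in the quoted hunk: "!" on a function that
 * returns 0 for a match sends a *matching* tag to the failure path.
 * Returns 1 if the packet is accepted, 0 if it is rejected. */
int accept_tag_inverted(const unsigned char *expected, const unsigned char *tag)
{
    if (!ct_bcmp(expected, tag, POLY1305_TAGLEN))
        return 0;           /* "goto out": treated as auth failure */
    return 1;
}

/* Corrected check: reject only when the compare reports a difference. */
int accept_tag_fixed(const unsigned char *expected, const unsigned char *tag)
{
    if (ct_bcmp(expected, tag, POLY1305_TAGLEN) != 0)
        return 0;
    return 1;
}

/* Reproduces the regression-test observation with a constructed tag:
 * the inverted check rejects the untampered tag and accepts one with a
 * single flipped bit; the fixed check does the opposite. Returns 1 if
 * both behaviours are as described. */
int demo(void)
{
    unsigned char expected[POLY1305_TAGLEN];
    unsigned char flipped[POLY1305_TAGLEN];
    for (size_t i = 0; i < sizeof expected; i++)
        expected[i] = (unsigned char)(0x5a + 3 * i);  /* constructed tag */
    memcpy(flipped, expected, sizeof flipped);
    flipped[7] ^= 0x10;                               /* one-bit flip */

    int inverted_as_observed = !accept_tag_inverted(expected, expected)
                            &&  accept_tag_inverted(expected, flipped);
    int fixed_as_intended    =  accept_tag_fixed(expected, expected)
                            && !accept_tag_fixed(expected, flipped);
    return inverted_as_observed && fixed_as_intended;
}
```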