chacha20+poly1305 authenticated encryption
Christian Weisgerber
naddy at mips.inka.de
Sun Nov 17 13:49:48 EST 2013
Christian Weisgerber <naddy at mips.inka.de> wrote:
> There must be a bug somewhere else, but I don't see it.
Found it. The authentication tag size was wrong in the ciphers
table. With the changes below, this now passes the relevant
regression tests on alpha, amd64, and sparc64; and I verified that
these architectures all interoperate successfully.
--- chacha20poly1305aead.c.orig Sun Nov 17 02:38:00 2013
+++ chacha20poly1305aead.c Sun Nov 17 02:38:16 2013
@@ -68,7 +68,7 @@ cp_aead_crypt(struct chacha_poly_aead_ctx *ctx, u_int
const u_char *tag = src + aadlen + len;
poly1305_auth(expected_tag, src, aadlen + len, poly_key);
- if (!timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN))
+ if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
goto out;
}
/* Crypt additional data */
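Review bot: The tag comparison at `if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)` needs a negative regression test, since the tests that passed here only show that valid packets are accepted. With the old `!` form, `goto out` was taken when the tags matched and skipped when they differed. Please add a case that flips one bit of the tag or of the ciphertext and asserts that `cp_aead_crypt` fails. A short comment that `timingsafe_bcmp` returns 0 on equality would also make the sense of the test obvious to the next reader. The hunk does not show what is returned at `out`, so please confirm that the return value on this path is the failure value.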
--- cipher.c.orig Sun Nov 17 02:37:52 2013
+++ cipher.c Sun Nov 17 02:38:30 2013
@@ -93,7 +93,7 @@ static const struct Cipher ciphers[] = {
{ "aes256-gcm at openssh.com",
SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
{ "chacha20-poly1305 at openssh.com",
- SSH_CIPHER_SSH2, 8, 64, 0, 8, 0, CFLAG_CP_AEAD, NULL },
+ SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CP_AEAD, NULL },
{ NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
};
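Review bot: The tag length in the `chacha20-poly1305` row is a bare positional `16`, with nothing tying it to the `POLY1305_TAGLEN` that `cp_aead_crypt` uses for the comparison, which is how the table and the AEAD code disagreed (8 versus the real tag length) in the first place. If the header defining `POLY1305_TAGLEN` can be included in cipher.c, use the constant in this row; otherwise add a comment on the field and a check that the table value equals `POLY1305_TAGLEN` for `CFLAG_CP_AEAD` entries, so a mismatch fails at build or startup rather than in interop testing.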
--
Christian "naddy" Weisgerber naddy at mips.inka.de