[PATCH 2/2] Poly1305-AEAD: updated implementation to match draft-irtf-cfrg-chacha20-poly1305-03

Jussi Kivilinna jussi.kivilinna at iki.fi
Sun Dec 21 16:38:06 CET 2014


* cipher/cipher-internal.h (gcry_cipher_handle): Use separate byte
counters for AAD and data in Poly1305.
* cipher/cipher-poly1305.c (poly1305_fill_bytecount): Remove.
(poly1305_fill_bytecounts, poly1305_do_padding): New.
(poly1305_aad_finish): Fill padding to Poly1305 and do not fill AAD
length.
(_gcry_cipher_poly1305_authenticate, _gcry_cipher_poly1305_encrypt)
(_gcry_cipher_poly1305_decrypt): Update AAD and data length separately.
(_gcry_cipher_poly1305_tag): Fill padding and bytecounts to Poly1305.
(_gcry_cipher_poly1305_setkey, _gcry_cipher_poly1305_setiv): Reset
AAD and data byte counts; only allow 96-bit IV.
* cipher/cipher.c (_gcry_cipher_open_internal): Limit Poly1305-AEAD to
ChaCha20 cipher.
* tests/basic.c (_check_poly1305_cipher): Update test-vectors.
(check_ciphers): Limit Poly1305-AEAD checks to ChaCha20.
* tests/bench-slope.c (cipher_bench_one): Ditto.
--

The latest Internet-Draft version of "ChaCha20 and Poly1305 for IETF protocols"
has added additional padding to Poly1305-AEAD and limited the supported IV size
to 96 bits:
 https://www.ietf.org/rfcdiff?url1=draft-nir-cfrg-chacha20-poly1305-03&difftype=--html&submit=Go!&url2=draft-irtf-cfrg-chacha20-poly1305-03

Patch makes Poly1305-AEAD implementation to match the changes and limits
Poly1305-AEAD to ChaCha20 only.

Signed-off-by: Jussi Kivilinna <jussi.kivilinna at iki.fi>
---
 cipher/cipher-internal.h |    7 +++--
 cipher/cipher-poly1305.c |   70 +++++++++++++++++++++++++++++++++-------------
 cipher/cipher.c          |    4 +--
 tests/basic.c            |   70 +++++++++++++++++++++++++++++++++-------------
 tests/bench-slope.c      |    6 +---
 5 files changed, 108 insertions(+), 49 deletions(-)

diff --git a/cipher/cipher-internal.h b/cipher/cipher-internal.h
index fef0ecb..650d813 100644
--- a/cipher/cipher-internal.h
+++ b/cipher/cipher-internal.h
@@ -163,8 +163,11 @@ struct gcry_cipher_handle
 
     /* Mode specific storage for Poly1305 mode. */
     struct {
-      /* byte counter for AAD and data. */
-      u32 bytecount[2];
+      /* byte counter for AAD. */
+      u32 aadcount[2];
+
+      /* byte counter for data. */
+      u32 datacount[2];
 
       unsigned int aad_finalized:1;
       unsigned int bytecount_over_limits:1;
diff --git a/cipher/cipher-poly1305.c b/cipher/cipher-poly1305.c
index a22ffa3..f283333 100644
--- a/cipher/cipher-poly1305.c
+++ b/cipher/cipher-poly1305.c
@@ -53,12 +53,14 @@ poly1305_bytecounter_add (u32 ctr[2], size_t add)
 
 
 static void
-poly1305_fill_bytecount (gcry_cipher_hd_t c)
+poly1305_fill_bytecounts (gcry_cipher_hd_t c)
 {
-  u32 lenbuf[2];
+  u32 lenbuf[4];
 
-  lenbuf[0] = le_bswap32(c->u_mode.poly1305.bytecount[0]);
-  lenbuf[1] = le_bswap32(c->u_mode.poly1305.bytecount[1]);
+  lenbuf[0] = le_bswap32(c->u_mode.poly1305.aadcount[0]);
+  lenbuf[1] = le_bswap32(c->u_mode.poly1305.aadcount[1]);
+  lenbuf[2] = le_bswap32(c->u_mode.poly1305.datacount[0]);
+  lenbuf[3] = le_bswap32(c->u_mode.poly1305.datacount[1]);
   _gcry_poly1305_update (&c->u_mode.poly1305.ctx, (byte*)lenbuf,
 			 sizeof(lenbuf));
 
@@ -67,15 +69,33 @@ poly1305_fill_bytecount (gcry_cipher_hd_t c)
 
 
 static void
+poly1305_do_padding (gcry_cipher_hd_t c, u32 ctr[2])
+{
+  static const byte zero_padding_buf[15] = {};
+  u32 padding_count;
+
+  /* Padding to 16 byte boundary. */
+  if (ctr[0] % 16 > 0)
+    {
+      padding_count = 16 - ctr[0] % 16;
+
+      _gcry_poly1305_update (&c->u_mode.poly1305.ctx, zero_padding_buf,
+			     padding_count);
+    }
+}
+
+
+static void
 poly1305_aad_finish (gcry_cipher_hd_t c)
 {
-  /* Start of encryption marks end of AAD stream. */
-  poly1305_fill_bytecount(c);
+  /* After AAD, feed padding bytes so we get 16 byte alignment. */
+  poly1305_do_padding (c, c->u_mode.poly1305.aadcount);
 
+  /* Start of encryption marks end of AAD stream. */
   c->u_mode.poly1305.aad_finalized = 1;
 
-  c->u_mode.poly1305.bytecount[0] = 0;
-  c->u_mode.poly1305.bytecount[1] = 0;
+  c->u_mode.poly1305.datacount[0] = 0;
+  c->u_mode.poly1305.datacount[1] = 0;
 }
 
 
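Review bot: `static const byte zero_padding_buf[15] = {};` in poly1305_do_padding uses an empty initializer list, which ISO C before C23 does not accept (GCC takes it as an extension), so a stricter compiler may reject the file; `= { 0 }` is portable and gives the same all-zero buffer. The helper also reads only `ctr[0]` when computing the pad length. That is correct because 2^32 is a multiple of 16, but a short comment such as `/* Low word suffices: 2^32 is a multiple of 16. */` would save the next reader from checking whether the high word affects the MAC framing.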
@@ -102,7 +122,7 @@ _gcry_cipher_poly1305_authenticate (gcry_cipher_hd_t c,
   if (!c->marks.iv)
     poly1305_set_zeroiv(c);
 
-  if (poly1305_bytecounter_add(c->u_mode.poly1305.bytecount, aadbuflen))
+  if (poly1305_bytecounter_add(c->u_mode.poly1305.aadcount, aadbuflen))
     {
       c->u_mode.poly1305.bytecount_over_limits = 1;
       return GPG_ERR_INV_LENGTH;
@@ -138,7 +158,7 @@ _gcry_cipher_poly1305_encrypt (gcry_cipher_hd_t c,
   if (!c->u_mode.poly1305.aad_finalized)
     poly1305_aad_finish(c);
 
-  if (poly1305_bytecounter_add(c->u_mode.poly1305.bytecount, inbuflen))
+  if (poly1305_bytecounter_add(c->u_mode.poly1305.datacount, inbuflen))
     {
       c->u_mode.poly1305.bytecount_over_limits = 1;
       return GPG_ERR_INV_LENGTH;
@@ -176,7 +196,7 @@ _gcry_cipher_poly1305_decrypt (gcry_cipher_hd_t c,
   if (!c->u_mode.poly1305.aad_finalized)
     poly1305_aad_finish(c);
 
-  if (poly1305_bytecounter_add(c->u_mode.poly1305.bytecount, inbuflen))
+  if (poly1305_bytecounter_add(c->u_mode.poly1305.datacount, inbuflen))
     {
       c->u_mode.poly1305.bytecount_over_limits = 1;
       return GPG_ERR_INV_LENGTH;
@@ -212,8 +232,11 @@ _gcry_cipher_poly1305_tag (gcry_cipher_hd_t c,
 
   if (!c->marks.tag)
     {
-      /* Write data-length to poly1305. */
-      poly1305_fill_bytecount(c);
+      /* After data, feed padding bytes so we get 16 byte alignment. */
+      poly1305_do_padding (c, c->u_mode.poly1305.datacount);
+
+      /* Write byte counts to poly1305. */
+      poly1305_fill_bytecounts(c);
 
       _gcry_poly1305_finish(&c->u_mode.poly1305.ctx, c->u_iv.iv);
 
@@ -247,8 +270,11 @@ _gcry_cipher_poly1305_check_tag (gcry_cipher_hd_t c, const unsigned char *intag,
 void
 _gcry_cipher_poly1305_setkey (gcry_cipher_hd_t c)
 {
-  c->u_mode.poly1305.bytecount[0] = 0;
-  c->u_mode.poly1305.bytecount[1] = 0;
+  c->u_mode.poly1305.aadcount[0] = 0;
+  c->u_mode.poly1305.aadcount[1] = 0;
+
+  c->u_mode.poly1305.datacount[0] = 0;
+  c->u_mode.poly1305.datacount[1] = 0;
 
   c->u_mode.poly1305.bytecount_over_limits = 0;
   c->u_mode.poly1305.aad_finalized = 0;
@@ -260,16 +286,20 @@ _gcry_cipher_poly1305_setkey (gcry_cipher_hd_t c)
 gcry_err_code_t
 _gcry_cipher_poly1305_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
 {
-  byte tmpbuf[64]; /* size of ChaCha20/Salsa20 block */
+  byte tmpbuf[64]; /* size of ChaCha20 block */
   gcry_err_code_t err;
 
-  if (!iv && ivlen > 0)
+  /* IV must be 96-bits */
+  if (!iv && ivlen != (96 / 8))
     return GPG_ERR_INV_ARG;
 
   memset(&c->u_mode.poly1305.ctx, 0, sizeof(c->u_mode.poly1305.ctx));
 
-  c->u_mode.poly1305.bytecount[0] = 0;
-  c->u_mode.poly1305.bytecount[1] = 0;
+  c->u_mode.poly1305.aadcount[0] = 0;
+  c->u_mode.poly1305.aadcount[1] = 0;
+
+  c->u_mode.poly1305.datacount[0] = 0;
+  c->u_mode.poly1305.datacount[1] = 0;
 
   c->u_mode.poly1305.bytecount_over_limits = 0;
   c->u_mode.poly1305.aad_finalized = 0;
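Review bot: The new length check in _gcry_cipher_poly1305_setiv does not enforce what its comment states: `if (!iv && ivlen != (96 / 8))` rejects only a NULL pointer paired with a wrong length, so a non-NULL IV of any length is accepted, and a NULL `iv` with `ivlen == 12` passes and is handed to `c->spec->setiv`. If the intent is to accept 96-bit nonces only, the condition should be `if (!iv || ivlen != (96 / 8))`. The authenticate hunk shows poly1305_set_zeroiv being called when no IV was set; its body is not visible here, so confirm what pointer and length it passes before tightening the check. The function body continues outside this hunk.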
@@ -279,7 +309,7 @@ _gcry_cipher_poly1305_setiv (gcry_cipher_hd_t c, const byte *iv, size_t ivlen)
   /* Set up IV for stream cipher. */
   c->spec->setiv (&c->context.c, iv, ivlen);
 
-  /* Get the first block from ChaCha20/Salsa20. */
+  /* Get the first block from ChaCha20. */
   memset(tmpbuf, 0, sizeof(tmpbuf));
   c->spec->stencrypt(&c->context.c, tmpbuf, tmpbuf, sizeof(tmpbuf));
 
diff --git a/cipher/cipher.c b/cipher/cipher.c
index 5c44c0d..78cad21 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -421,9 +421,7 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
       case GCRY_CIPHER_MODE_POLY1305:
 	if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv)
 	  err = GPG_ERR_INV_CIPHER_MODE;
-	else if (spec->algo != GCRY_CIPHER_SALSA20 &&
-		 spec->algo != GCRY_CIPHER_SALSA20R12 &&
-		 spec->algo != GCRY_CIPHER_CHACHA20)
+	else if (spec->algo != GCRY_CIPHER_CHACHA20)
 	  err = GPG_ERR_INV_CIPHER_MODE;
 	break;
 
diff --git a/tests/basic.c b/tests/basic.c
index e406db4..efafa68 100644
--- a/tests/basic.c
+++ b/tests/basic.c
@@ -1625,27 +1625,59 @@ _check_poly1305_cipher (unsigned int step)
   struct tv
   {
     int algo;
-    char key[MAX_DATA_LEN];
-    char iv[MAX_DATA_LEN];
+    const char *key;
+    const char *iv;
     int ivlen;
-    unsigned char aad[MAX_DATA_LEN];
+    const char *aad;
     int aadlen;
-    unsigned char plaintext[MAX_DATA_LEN];
+    const char *plaintext;
     int inlen;
-    char out[MAX_DATA_LEN];
-    char tag[MAX_DATA_LEN];
+    const char *out;
+    const char *tag;
   } tv[] =
     {
-      /* draft-agl-tls-chacha20poly1305-04 */
+      /* draft-nir-cfrg-chacha20-poly1305-04 */
       { GCRY_CIPHER_CHACHA20,
-        "\x42\x90\xbc\xb1\x54\x17\x35\x31\xf3\x14\xaf\x57\xf3\xbe\x3b\x50"
-	"\x06\xda\x37\x1e\xce\x27\x2a\xfa\x1b\x5d\xbd\xd1\x10\x0a\x10\x07",
-        "\xcd\x7c\xf6\x7b\xe3\x9c\x79\x4a", 8,
-        "\x87\xe2\x29\xd4\x50\x08\x45\xa0\x79\xc0", 10,
-        "\x86\xd0\x99\x74\x84\x0b\xde\xd2\xa5\xca", 10,
-        "\xe3\xe4\x46\xf7\xed\xe9\xa1\x9b\x62\xa4",
-        "\x67\x7d\xab\xf4\xe3\xd2\x4b\x87\x6b\xb2\x84\x75\x38\x96\xe1\xd6" },
-      /* draft-nir-cfrg-chacha20-poly1305-03 */
+	"\x1c\x92\x40\xa5\xeb\x55\xd3\x8a\xf3\x33\x88\x86\x04\xf6\xb5\xf0"
+	"\x47\x39\x17\xc1\x40\x2b\x80\x09\x9d\xca\x5c\xbc\x20\x70\x75\xc0",
+	"\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08", 12,
+	"\xf3\x33\x88\x86\x00\x00\x00\x00\x00\x00\x4e\x91", 12,
+	"\x49\x6e\x74\x65\x72\x6e\x65\x74\x2d\x44\x72\x61\x66\x74\x73\x20"
+	"\x61\x72\x65\x20\x64\x72\x61\x66\x74\x20\x64\x6f\x63\x75\x6d\x65"
+	"\x6e\x74\x73\x20\x76\x61\x6c\x69\x64\x20\x66\x6f\x72\x20\x61\x20"
+	"\x6d\x61\x78\x69\x6d\x75\x6d\x20\x6f\x66\x20\x73\x69\x78\x20\x6d"
+	"\x6f\x6e\x74\x68\x73\x20\x61\x6e\x64\x20\x6d\x61\x79\x20\x62\x65"
+	"\x20\x75\x70\x64\x61\x74\x65\x64\x2c\x20\x72\x65\x70\x6c\x61\x63"
+	"\x65\x64\x2c\x20\x6f\x72\x20\x6f\x62\x73\x6f\x6c\x65\x74\x65\x64"
+	"\x20\x62\x79\x20\x6f\x74\x68\x65\x72\x20\x64\x6f\x63\x75\x6d\x65"
+	"\x6e\x74\x73\x20\x61\x74\x20\x61\x6e\x79\x20\x74\x69\x6d\x65\x2e"
+	"\x20\x49\x74\x20\x69\x73\x20\x69\x6e\x61\x70\x70\x72\x6f\x70\x72"
+	"\x69\x61\x74\x65\x20\x74\x6f\x20\x75\x73\x65\x20\x49\x6e\x74\x65"
+	"\x72\x6e\x65\x74\x2d\x44\x72\x61\x66\x74\x73\x20\x61\x73\x20\x72"
+	"\x65\x66\x65\x72\x65\x6e\x63\x65\x20\x6d\x61\x74\x65\x72\x69\x61"
+	"\x6c\x20\x6f\x72\x20\x74\x6f\x20\x63\x69\x74\x65\x20\x74\x68\x65"
+	"\x6d\x20\x6f\x74\x68\x65\x72\x20\x74\x68\x61\x6e\x20\x61\x73\x20"
+	"\x2f\xe2\x80\x9c\x77\x6f\x72\x6b\x20\x69\x6e\x20\x70\x72\x6f\x67"
+	"\x72\x65\x73\x73\x2e\x2f\xe2\x80\x9d", 265,
+	"\x64\xa0\x86\x15\x75\x86\x1a\xf4\x60\xf0\x62\xc7\x9b\xe6\x43\xbd"
+	"\x5e\x80\x5c\xfd\x34\x5c\xf3\x89\xf1\x08\x67\x0a\xc7\x6c\x8c\xb2"
+	"\x4c\x6c\xfc\x18\x75\x5d\x43\xee\xa0\x9e\xe9\x4e\x38\x2d\x26\xb0"
+	"\xbd\xb7\xb7\x3c\x32\x1b\x01\x00\xd4\xf0\x3b\x7f\x35\x58\x94\xcf"
+	"\x33\x2f\x83\x0e\x71\x0b\x97\xce\x98\xc8\xa8\x4a\xbd\x0b\x94\x81"
+	"\x14\xad\x17\x6e\x00\x8d\x33\xbd\x60\xf9\x82\xb1\xff\x37\xc8\x55"
+	"\x97\x97\xa0\x6e\xf4\xf0\xef\x61\xc1\x86\x32\x4e\x2b\x35\x06\x38"
+	"\x36\x06\x90\x7b\x6a\x7c\x02\xb0\xf9\xf6\x15\x7b\x53\xc8\x67\xe4"
+	"\xb9\x16\x6c\x76\x7b\x80\x4d\x46\xa5\x9b\x52\x16\xcd\xe7\xa4\xe9"
+	"\x90\x40\xc5\xa4\x04\x33\x22\x5e\xe2\x82\xa1\xb0\xa0\x6c\x52\x3e"
+	"\xaf\x45\x34\xd7\xf8\x3f\xa1\x15\x5b\x00\x47\x71\x8c\xbc\x54\x6a"
+	"\x0d\x07\x2b\x04\xb3\x56\x4e\xea\x1b\x42\x22\x73\xf5\x48\x27\x1a"
+	"\x0b\xb2\x31\x60\x53\xfa\x76\x99\x19\x55\xeb\xd6\x31\x59\x43\x4e"
+	"\xce\xbb\x4e\x46\x6d\xae\x5a\x10\x73\xa6\x72\x76\x27\x09\x7a\x10"
+	"\x49\xe6\x17\xd9\x1d\x36\x10\x94\xfa\x68\xf0\xff\x77\x98\x71\x30"
+	"\x30\x5b\xea\xba\x2e\xda\x04\xdf\x99\x7b\x71\x4d\x6c\x6f\x2c\x29"
+	"\xa6\xad\x5c\xb4\x02\x2b\x02\x70\x9b",
+	"\xee\xad\x9d\x67\x89\x0c\xbb\x22\x39\x23\x36\xfe\xa1\x85\x1f\x38" },
+      /* draft-nir-cfrg-chacha20-poly1305-04 */
       { GCRY_CIPHER_CHACHA20,
 	"\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
 	"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f",
@@ -1661,11 +1693,11 @@ _check_poly1305_cipher (unsigned int step)
 	"\xfa\xb3\x24\xe4\xfa\xd6\x75\x94\x55\x85\x80\x8b\x48\x31\xd7\xbc"
 	"\x3f\xf4\xde\xf0\x8e\x4b\x7a\x9d\xe5\x76\xd2\x65\x86\xce\xc6\x4b"
 	"\x61\x16",
-	"\x18\xfb\x11\xa5\x03\x1a\xd1\x3a\x7e\x3b\x03\xd4\x6e\xe3\xa6\xa7" }
+	"\x1a\xe1\x0b\x59\x4f\x09\xe2\x6a\x7e\x90\x2e\xcb\xd0\x60\x06\x91" },
     };
 
   gcry_cipher_hd_t hde, hdd;
-  unsigned char out[MAX_DATA_LEN];
+  unsigned char out[1024];
   unsigned char tag[16];
   int i, keylen;
   gcry_error_t err = 0;
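Review bot: `unsigned char out[1024]` replaces MAX_DATA_LEN with a bare literal, and the vectors are now `const char *` with their lengths in `inlen`, so nothing visible ties the buffer size to the largest vector. The loop that writes into `out` lies outside this hunk; if it does not already check, it should compare `tv[i].inlen` with `sizeof(out)` before the encrypt and decrypt calls and fail the test case instead of writing past the buffer. A named constant or a comment stating the largest expected vector length would also make the 1024 self-explanatory.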
@@ -4333,9 +4365,7 @@ check_ciphers (void)
 		 gcry_cipher_algo_name (algos2[i]));
 
       check_one_cipher (algos2[i], GCRY_CIPHER_MODE_STREAM, 0);
-      if (algos2[i] == GCRY_CIPHER_CHACHA20 ||
-	  algos2[i] == GCRY_CIPHER_SALSA20 ||
-	  algos2[i] == GCRY_CIPHER_SALSA20R12)
+      if (algos2[i] == GCRY_CIPHER_CHACHA20)
 	check_one_cipher (algos2[i], GCRY_CIPHER_MODE_POLY1305, 0);
     }
   /* we have now run all cipher's selftests */
diff --git a/tests/bench-slope.c b/tests/bench-slope.c
index 7bf587f..ebf672e 100644
--- a/tests/bench-slope.c
+++ b/tests/bench-slope.c
@@ -1147,10 +1147,8 @@ cipher_bench_one (int algo, struct bench_cipher_mode *pmode)
       mode.name = mode.ops == &encrypt_ops ? "STREAM enc" : "STREAM dec";
     }
 
-  /* Poly1305 has restrictions for cipher algorithm */
-  if (mode.mode == GCRY_CIPHER_MODE_POLY1305 &&
-      (algo != GCRY_CIPHER_SALSA20 && algo != GCRY_CIPHER_SALSA20R12 &&
-       algo != GCRY_CIPHER_CHACHA20))
+  /* Poly1305 has restriction for cipher algorithm */
+  if (mode.mode == GCRY_CIPHER_MODE_POLY1305 && algo != GCRY_CIPHER_CHACHA20)
     return;
 
   /* CCM has restrictions for block-size */



