Howto implement chacha20-poly1305?

Stef Bon stefbon at
Thu Jan 12 16:28:34 CET 2017


I still do not have the chacha20 cipher running.
When I look at it again, I get errors from the openssh server like:

sshd[13449]: padding error: need 60 block 8 mod 4 [preauth]
sshd[13449]: ssh_dispatch_run_fatal: Connection from port 46440: message authentication code incorrect [preauth]

It looks like the MAC is constructed from the packet buffer minus
the first four bytes. Right now my software gets the MAC from the
packet buffer, which is also according to the RFC:

I read on the PROTOCOL.chacha20poly1305:

"The second instance, keyed by K_2, is used in conjunction with
poly1305 to build an AEAD (Authenticated Encryption with Associated
Data) that is used to encrypt and authenticate the entire packet."

Well not the entire packet obviously?
Do you know how to write and verify the MAC? When writing the MAC (or
AEAD), does the data to read start at packetbuffer or at packetbuffer + 4?
In the last case that explains the error from openssh: it's not well aligned.
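
The packet layout from OpenSSH's PROTOCOL.chacha20poly1305, as an added example that is not part of the original post and is not OpenSSH or libgcrypt code: the Poly1305 tag is computed from offset 0 of the packet buffer (encrypted 4-byte length followed by the encrypted payload), while the multiple-of-8 padding rule covers only the bytes after the length field, which is why sshd rejects a packet length of 60 (60 mod 8 = 4). The function names, the pure-Python ChaCha20 and Poly1305 helpers and the all-zero padding are assumptions made so the sketch runs offline.

```python
import hmac, struct
M = 0xffffffff
# ChaCha quarter-round word indices: four column rounds, then four diagonal rounds.
ROUNDS = ([(i, 4 + i, 8 + i, 12 + i) for i in range(4)] +
          [(i, 4 + (i + 1) % 4, 8 + (i + 2) % 4, 12 + (i + 3) % 4) for i in range(4)])

def chacha20_block(key, counter, nonce):
    # Original ChaCha20 state layout: 64-bit block counter, then 64-bit nonce.
    init = list(struct.unpack("<4I", b"expand 32-byte k") + struct.unpack("<8I", key)
                + (counter & M, counter >> 32) + struct.unpack("<2I", nonce))
    s = init[:]
    for _ in range(10):
        for a, b, c, d in ROUNDS:
            for x, y, z, r in ((a, b, d, 16), (c, d, b, 12), (a, b, d, 8), (c, d, b, 7)):
                s[x] = (s[x] + s[y]) & M
                s[z] = (((s[z] ^ s[x]) << r) | ((s[z] ^ s[x]) >> (32 - r))) & M
    return struct.pack("<16I", *((x + y) & M for x, y in zip(s, init)))

def chacha20_xor(key, counter, nonce, data):
    ks = b"".join(chacha20_block(key, counter + i, nonce) for i in range(len(data) // 64 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def poly1305(key, msg):
    r = int.from_bytes(key[:16], "little") & 0x0ffffffc0ffffffc0ffffffc0fffffff
    acc = 0
    for i in range(0, len(msg), 16):
        acc = (acc + int.from_bytes(msg[i:i + 16] + b"\x01", "little")) * r % ((1 << 130) - 5)
    return ((acc + int.from_bytes(key[16:32], "little")) % (1 << 128)).to_bytes(16, "little")

def seal(key64, seqnr, payload):
    k2, k1 = key64[:32], key64[32:]           # first 256 bits are K_2, second 256 bits are K_1
    nonce = struct.pack(">Q", seqnr)          # packet sequence number is the nonce
    padlen = 8 - (1 + len(payload)) % 8       # the 4-byte length field is not part of the alignment
    padlen += 8 if padlen < 4 else 0          # at least 4 bytes of padding
    body = bytes([padlen]) + payload + bytes(padlen)  # zero padding is constructed; use random bytes
    enc_len = chacha20_xor(k1, 0, nonce, struct.pack(">I", len(body)))
    enc_body = chacha20_xor(k2, 1, nonce, body)       # payload keystream starts at block 1
    tag = poly1305(chacha20_block(k2, 0, nonce)[:32], enc_len + enc_body)  # MAC input starts at offset 0
    return enc_len + enc_body + tag

def unseal(key64, seqnr, packet):
    k2, k1 = key64[:32], key64[32:]
    nonce = struct.pack(">Q", seqnr)
    length = struct.unpack(">I", chacha20_xor(k1, 0, nonce, packet[:4]))[0]
    tag = poly1305(chacha20_block(k2, 0, nonce)[:32], packet[:-16])
    if length % 8 or len(packet) != 4 + length + 16 or not hmac.compare_digest(tag, packet[-16:]):
        raise ValueError("bad packet length or MAC")
    body = chacha20_xor(k2, 1, nonce, packet[4:-16])  # decrypt only after the tag has verified
    return body[1:len(body) - body[0]]
```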

