forked from wolfSSL/wolfssl
mac compare in chacha-poly AEAD and remove unneeded null check
This commit is contained in:
Jacob Barthelmeh
@ -217,6 +217,7 @@ static INLINE void c16toa(word16 u16, byte* c)
|
|||||||
c[1] = u16 & 0xff;
|
c[1] = u16 & 0xff;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
static int ConstantCompare(const byte* a, const byte* b, int length);
|
||||||
|
|
||||||
#if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \
|
#if !defined(NO_OLD_TLS) || defined(HAVE_CHACHA) || defined(HAVE_AESCCM) \
|
||||||
|| defined(HAVE_AESGCM)
|
|| defined(HAVE_AESGCM)
|
||||||
@ -5440,14 +5441,14 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
|||||||
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
|
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
|
||||||
XMEMSET(cipher, 0, sizeof(cipher));
|
XMEMSET(cipher, 0, sizeof(cipher));
|
||||||
XMEMSET(additional, 0, CHACHA20_BLOCK_SIZE);
|
XMEMSET(additional, 0, CHACHA20_BLOCK_SIZE);
|
||||||
|
|
||||||
/* get nonce */
|
/* get nonce */
|
||||||
c32toa(ssl->keys.sequence_number, nonce + AEAD_IMP_IV_SZ
|
c32toa(ssl->keys.sequence_number, nonce + AEAD_IMP_IV_SZ
|
||||||
+ AEAD_SEQ_OFFSET);
|
+ AEAD_SEQ_OFFSET);
|
||||||
|
|
||||||
/* opaque SEQ number stored for AD */
|
/* opaque SEQ number stored for AD */
|
||||||
c32toa(GetSEQIncrement(ssl, 0), additional + AEAD_SEQ_OFFSET);
|
c32toa(GetSEQIncrement(ssl, 0), additional + AEAD_SEQ_OFFSET);
|
||||||
|
|
||||||
/* Store the type, version. Unfortunately, they are in
|
/* Store the type, version. Unfortunately, they are in
|
||||||
* the input buffer ahead of the plaintext. */
|
* the input buffer ahead of the plaintext. */
|
||||||
#ifdef WOLFSSL_DTLS
|
#ifdef WOLFSSL_DTLS
|
||||||
@ -5456,9 +5457,9 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
|||||||
additionalSrc -= DTLS_HANDSHAKE_EXTRA;
|
additionalSrc -= DTLS_HANDSHAKE_EXTRA;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3);
|
XMEMCPY(additional + AEAD_TYPE_OFFSET, additionalSrc, 3);
|
||||||
|
|
||||||
#ifdef CHACHA_AEAD_TEST
|
#ifdef CHACHA_AEAD_TEST
|
||||||
printf("Encrypt Additional : ");
|
printf("Encrypt Additional : ");
|
||||||
for (i = 0; i < CHACHA20_BLOCK_SIZE; i++) {
|
for (i = 0; i < CHACHA20_BLOCK_SIZE; i++) {
|
||||||
@ -5473,20 +5474,20 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
|||||||
}
|
}
|
||||||
printf("\n");
|
printf("\n");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* set the nonce for chacha and get poly1305 key */
|
/* set the nonce for chacha and get poly1305 key */
|
||||||
if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0)
|
if ((ret = wc_Chacha_SetIV(ssl->encrypt.chacha, nonce, 0)) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, cipher,
|
if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, cipher,
|
||||||
cipher, sizeof(cipher))) != 0)
|
cipher, sizeof(cipher))) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
/* encrypt the plain text */
|
/* encrypt the plain text */
|
||||||
if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, out, input,
|
if ((ret = wc_Chacha_Process(ssl->encrypt.chacha, out, input,
|
||||||
sz - ssl->specs.aead_mac_size)) != 0)
|
sz - ssl->specs.aead_mac_size)) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
/* get the tag : future use of hmac could go here*/
|
/* get the tag : future use of hmac could go here*/
|
||||||
if (ssl->options.oldPoly == 1) {
|
if (ssl->options.oldPoly == 1) {
|
||||||
if ((ret = Poly1305TagOld(ssl, additional, (const byte* )out,
|
if ((ret = Poly1305TagOld(ssl, additional, (const byte* )out,
|
||||||
@ -5498,13 +5499,13 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
|||||||
cipher, sz, tag)) != 0)
|
cipher, sz, tag)) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* append tag to ciphertext */
|
/* append tag to ciphertext */
|
||||||
XMEMCPY(out + sz - ssl->specs.aead_mac_size, tag, sizeof(tag));
|
XMEMCPY(out + sz - ssl->specs.aead_mac_size, tag, sizeof(tag));
|
||||||
|
|
||||||
AeadIncrementExpIV(ssl);
|
AeadIncrementExpIV(ssl);
|
||||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||||
|
|
||||||
#ifdef CHACHA_AEAD_TEST
|
#ifdef CHACHA_AEAD_TEST
|
||||||
printf("mac tag :\n");
|
printf("mac tag :\n");
|
||||||
for (i = 0; i < 16; i++) {
|
for (i = 0; i < 16; i++) {
|
||||||
@ -5520,7 +5521,7 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
|
|||||||
}
|
}
|
||||||
printf("\n");
|
printf("\n");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -5532,15 +5533,15 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
|||||||
byte nonce[AEAD_NONCE_SZ];
|
byte nonce[AEAD_NONCE_SZ];
|
||||||
byte tag[POLY1305_AUTH_SZ];
|
byte tag[POLY1305_AUTH_SZ];
|
||||||
byte cipher[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
|
byte cipher[CHACHA20_256_KEY_SIZE]; /* generated key for mac */
|
||||||
int i;
|
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
|
|
||||||
XMEMSET(tag, 0, sizeof(tag));
|
XMEMSET(tag, 0, sizeof(tag));
|
||||||
XMEMSET(cipher, 0, sizeof(cipher));
|
XMEMSET(cipher, 0, sizeof(cipher));
|
||||||
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
|
XMEMSET(nonce, 0, AEAD_NONCE_SZ);
|
||||||
XMEMSET(additional, 0, CHACHA20_BLOCK_SIZE);
|
XMEMSET(additional, 0, CHACHA20_BLOCK_SIZE);
|
||||||
|
|
||||||
#ifdef CHACHA_AEAD_TEST
|
#ifdef CHACHA_AEAD_TEST
|
||||||
|
int i;
|
||||||
printf("input before decrypt :\n");
|
printf("input before decrypt :\n");
|
||||||
for (i = 0; i < sz; i++) {
|
for (i = 0; i < sz; i++) {
|
||||||
printf("%02x", input[i]);
|
printf("%02x", input[i]);
|
||||||
@ -5549,25 +5550,25 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
|||||||
}
|
}
|
||||||
printf("\n");
|
printf("\n");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* get nonce */
|
/* get nonce */
|
||||||
c32toa(ssl->keys.peer_sequence_number, nonce + AEAD_IMP_IV_SZ
|
c32toa(ssl->keys.peer_sequence_number, nonce + AEAD_IMP_IV_SZ
|
||||||
+ AEAD_SEQ_OFFSET);
|
+ AEAD_SEQ_OFFSET);
|
||||||
|
|
||||||
/* sequence number field is 64-bits, we only use 32-bits */
|
/* sequence number field is 64-bits, we only use 32-bits */
|
||||||
c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
|
c32toa(GetSEQIncrement(ssl, 1), additional + AEAD_SEQ_OFFSET);
|
||||||
|
|
||||||
/* get AD info */
|
/* get AD info */
|
||||||
additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
|
additional[AEAD_TYPE_OFFSET] = ssl->curRL.type;
|
||||||
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
|
additional[AEAD_VMAJ_OFFSET] = ssl->curRL.pvMajor;
|
||||||
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
|
additional[AEAD_VMIN_OFFSET] = ssl->curRL.pvMinor;
|
||||||
|
|
||||||
/* Store the type, version. */
|
/* Store the type, version. */
|
||||||
#ifdef WOLFSSL_DTLS
|
#ifdef WOLFSSL_DTLS
|
||||||
if (ssl->options.dtls)
|
if (ssl->options.dtls)
|
||||||
c16toa(ssl->keys.dtls_state.curEpoch, additional);
|
c16toa(ssl->keys.dtls_state.curEpoch, additional);
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef CHACHA_AEAD_TEST
|
#ifdef CHACHA_AEAD_TEST
|
||||||
printf("Decrypt Additional : ");
|
printf("Decrypt Additional : ");
|
||||||
for (i = 0; i < CHACHA20_BLOCK_SIZE; i++) {
|
for (i = 0; i < CHACHA20_BLOCK_SIZE; i++) {
|
||||||
@ -5575,15 +5576,15 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
|||||||
}
|
}
|
||||||
printf("\n\n");
|
printf("\n\n");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* set nonce and get poly1305 key */
|
/* set nonce and get poly1305 key */
|
||||||
if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0)
|
if ((ret = wc_Chacha_SetIV(ssl->decrypt.chacha, nonce, 0)) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, cipher,
|
if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, cipher,
|
||||||
cipher, sizeof(cipher))) != 0)
|
cipher, sizeof(cipher))) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
/* get the tag : future use of hmac could go here*/
|
/* get the tag : future use of hmac could go here*/
|
||||||
if (ssl->options.oldPoly == 1) {
|
if (ssl->options.oldPoly == 1) {
|
||||||
if ((ret = Poly1305TagOld(ssl, additional, input, cipher,
|
if ((ret = Poly1305TagOld(ssl, additional, input, cipher,
|
||||||
@ -5595,26 +5596,21 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
|||||||
sz, tag)) != 0)
|
sz, tag)) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* check mac sent along with packet */
|
/* check mac sent along with packet */
|
||||||
ret = 0;
|
if (ConstantCompare(input + sz - ssl->specs.aead_mac_size, tag,
|
||||||
for (i = 0; i < ssl->specs.aead_mac_size; i++) {
|
ssl->specs.aead_mac_size) != 0) {
|
||||||
if ((input + sz - ssl->specs.aead_mac_size)[i] != tag[i])
|
|
||||||
ret = 1;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (ret == 1) {
|
|
||||||
WOLFSSL_MSG("Mac did not match");
|
WOLFSSL_MSG("Mac did not match");
|
||||||
SendAlert(ssl, alert_fatal, bad_record_mac);
|
SendAlert(ssl, alert_fatal, bad_record_mac);
|
||||||
ForceZero(nonce, AEAD_NONCE_SZ);
|
ForceZero(nonce, AEAD_NONCE_SZ);
|
||||||
return VERIFY_MAC_ERROR;
|
return VERIFY_MAC_ERROR;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* if mac was good decrypt message */
|
/* if mac was good decrypt message */
|
||||||
if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, plain, input,
|
if ((ret = wc_Chacha_Process(ssl->decrypt.chacha, plain, input,
|
||||||
sz - ssl->specs.aead_mac_size)) != 0)
|
sz - ssl->specs.aead_mac_size)) != 0)
|
||||||
return ret;
|
return ret;
|
||||||
|
|
||||||
#ifdef CHACHA_AEAD_TEST
|
#ifdef CHACHA_AEAD_TEST
|
||||||
printf("plain after decrypt :\n");
|
printf("plain after decrypt :\n");
|
||||||
for (i = 0; i < sz; i++) {
|
for (i = 0; i < sz; i++) {
|
||||||
@ -5624,7 +5620,7 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
|
|||||||
}
|
}
|
||||||
printf("\n");
|
printf("\n");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
#endif /* HAVE_CHACHA && HAVE_POLY1305 */
|
#endif /* HAVE_CHACHA && HAVE_POLY1305 */
|
||||||
|
|||||||
@ -150,9 +150,6 @@ int wc_ecc25519_shared_secret(ecc25519_key* private_key, ecc25519_key* public_ke
|
|||||||
outlen == NULL)
|
outlen == NULL)
|
||||||
return BAD_FUNC_ARG;
|
return BAD_FUNC_ARG;
|
||||||
|
|
||||||
if (private_key->k.point == NULL || public_key->p.point == NULL)
|
|
||||||
return BAD_FUNC_ARG;
|
|
||||||
|
|
||||||
/* avoid implementation fingerprinting */
|
/* avoid implementation fingerprinting */
|
||||||
if (public_key->p.point[0] > 0x7F)
|
if (public_key->p.point[0] > 0x7F)
|
||||||
return ECC_BAD_ARG_E;
|
return ECC_BAD_ARG_E;
|
||||||
|
|||||||
Reference in New Issue
Block a user