1, /* block_size */
CHACHA_KEY_SIZE, /* key_len */
CHACHA_CTR_SIZE, /* iv_len, 128-bit counter in the context */
- 0, /* flags */
+ EVP_CIPH_CUSTOM_IV | EVP_CIPH_ALWAYS_CALL_INIT,
chacha_init_key,
chacha_cipher,
NULL,
const EVP_CIPHER *EVP_chacha20(void)
{
- return (&chacha20);
+ return &chacha20;
}
# ifndef OPENSSL_NO_POLY1305
memcpy(out, actx->tag, POLY1305_BLOCK_SIZE);
} else {
if (CRYPTO_memcmp(temp, in, POLY1305_BLOCK_SIZE)) {
- memset(out, 0, plen);
+ memset(out - plen, 0, plen);
return -1;
}
}
{
EVP_CHACHA_AEAD_CTX *actx = aead_data(ctx);
if (actx)
- OPENSSL_cleanse(ctx->cipher_data, sizeof(*ctx) + Poly1305_ctx_size());
+ OPENSSL_cleanse(ctx->cipher_data, sizeof(*actx) + Poly1305_ctx_size());
return 1;
}
case EVP_CTRL_COPY:
if (actx) {
- if ((((EVP_CIPHER_CTX *)ptr)->cipher_data =
- OPENSSL_memdup(actx,sizeof(*actx) + Poly1305_ctx_size()))
- == NULL) {
+ EVP_CIPHER_CTX *dst = (EVP_CIPHER_CTX *)ptr;
+
+ dst->cipher_data =
+ OPENSSL_memdup(actx, sizeof(*actx) + Poly1305_ctx_size());
+ if (dst->cipher_data == NULL) {
EVPerr(EVP_F_CHACHA20_POLY1305_CTRL, EVP_R_COPY_ERROR);
return 0;
}
len = aad[EVP_AEAD_TLS1_AAD_LEN - 2] << 8 |
aad[EVP_AEAD_TLS1_AAD_LEN - 1];
if (!ctx->encrypt) {
+ if (len < POLY1305_BLOCK_SIZE)
+ return 0;
len -= POLY1305_BLOCK_SIZE; /* discount attached tag */
memcpy(temp, aad, EVP_AEAD_TLS1_AAD_LEN - 2);
aad = temp;
actx->tls_payload_length = len;
/*
- * merge record sequence number as per
- * draft-ietf-tls-chacha20-poly1305-03
+ * merge record sequence number as per RFC7905
*/
actx->key.counter[1] = actx->nonce[0];
actx->key.counter[2] = actx->nonce[1] ^ CHACHA_U8TOU32(aad);