FEAT: updated TLS protocol to support TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 cipher suite

Author: Oldes

src/core/n-crypt.c

@@ -894,6 +894,7 @@ typedef struct {
 	chacha20poly1305_ctx *chacha;
 	unsigned char poly1305_key[POLY1305_KEYLEN];
 	size_t aad_size;
+	REBU64 sequence = 0;
 
 	if (ref_init) {
 		ctx_ser = Make_Series(sizeof(chacha20poly1305_ctx), (REBCNT)1, FALSE);
@@ -911,19 +912,16 @@ typedef struct {
 			Trap1(RE_INVALID_DATA, val_remote_key);
 		chacha20_keysetup(&chacha->remote_chacha, VAL_BIN_AT(val_remote_key), len);
 
-		chacha->local_sequence = 0;
-		chacha->remote_sequence = 0;
-
 		len = VAL_LEN(val_local_iv);
 		if (!(len == 12 || len == 8))
 			Trap1(RE_INVALID_DATA, val_local_iv);
-		chacha20_ivsetup(&chacha->local_chacha, VAL_BIN_AT(val_local_iv), len, 1, (u8 *)&chacha->local_sequence);
+		chacha20_ivsetup(&chacha->local_chacha, VAL_BIN_AT(val_local_iv), len, 1, (u8 *)&sequence);
 		memcpy(chacha->local_iv, VAL_BIN_AT(val_local_iv), len);
 
 		len = VAL_LEN(val_remote_iv);
 		if (!(len == 12 || len == 8))
 			Trap1(RE_INVALID_DATA, val_remote_iv);
-		chacha20_ivsetup(&chacha->remote_chacha, VAL_BIN_AT(val_remote_iv), len, 1, (u8 *)&chacha->remote_sequence);
+		chacha20_ivsetup(&chacha->remote_chacha, VAL_BIN_AT(val_remote_iv), len, 1, (u8 *)&sequence);
 		memcpy(chacha->remote_iv, VAL_BIN_AT(val_remote_iv), len);
 		return R_ARG1;
 	}
@@ -936,7 +934,7 @@ typedef struct {
 	chacha = (chacha20poly1305_ctx*)ctx_ser->data;
 
 	if (ref_encrypt) {
-		chacha20_ivsetup(&chacha->local_chacha, chacha->local_iv, 12, 1, (u8 *)&chacha->local_sequence);
+		chacha20_ivsetup(&chacha->local_chacha, chacha->local_iv, 12, 1,  VAL_BIN_AT(val_local_aad));
 		chacha20_poly1305_key(&chacha->local_chacha, poly1305_key);
 		//puts("poly1305_key:"); Dump_Bytes(poly1305_key, POLY1305_KEYLEN);
 
@@ -1006,18 +1004,12 @@ typedef struct {
         poly1305_finish(&aead_ctx, mac_tag);
 
 		if (!poly1305_verify(mac_tag, VAL_BIN_TAIL(val_cipher) - POLY1305_TAGLEN)) {
-			puts("MAC verification failed!");
-		}
-		else {
-			puts("MAC OK!");
+			//puts("MAC verification failed!");
+			return R_NONE;
 		}
 
 		//puts("mac result:"); Dump_Bytes(mac_tag, POLY1305_TAGLEN);
 
-		chacha->remote_sequence++;
-
-
-
 		SERIES_TAIL(ctx_ser) = len;
 		SET_BINARY(val_ctx, ctx_ser);
 	}

src/core/u-chacha20.c

@@ -307,11 +307,13 @@ int chacha20_poly1305_aead(struct chacha20_ctx *ctx,  u8 *pt, u32 len, u8 *aad,
 	if (rem)
 		poly1305_update(&aead_ctx, zeropad, 16 - rem);
 
-	U32TO8_LE(&trail[0], aad_len);
+	U32TO8_LE(&trail[0], (aad_len == 5) ? 5 : 13);
 	*(int *)&trail[4] = 0;
 	U32TO8_LE(&trail[8], len);
 	*(int *)&trail[12] = 0;
 
+	//puts("trail:"); Dump_Bytes(trail, 16);
+
 	poly1305_update(&aead_ctx, trail, 16);
 	poly1305_finish(&aead_ctx, out + len);
 

src/core/u-poly1305.c

@@ -86,6 +86,9 @@ poly1305_auth(u8 mac[16], const u8 *m, size_t bytes, const u8 key[32]) {
 int
 poly1305_verify(const u8 mac1[16], const u8 mac2[16]) {
 	size_t i;
+
+	//puts("mac1:"); Dump_Bytes(mac1, 16);
+	//puts("mac2:"); Dump_Bytes(mac2, 16);
 	unsigned int dif = 0;
 	for (i = 0; i < 16; i++)
 		dif |= (mac1[i] ^ mac2[i]);

src/include/sys-chacha20.h

@@ -51,10 +51,8 @@ typedef struct chacha20_ctx chacha20_ctx;
 
 typedef struct chacha20poly1305_ctx {
 	chacha20_ctx local_chacha;
-	uint64_t     local_sequence;
 	uint8_t      local_iv[12];
 	chacha20_ctx remote_chacha;
-	uint64_t     remote_sequence;
 	uint8_t      remote_iv[12];
 } chacha20poly1305_ctx;