Closed mmolchan closed 7 years ago
Actually, I found out that TLS 1.2 requires the following to be included in the AAD: "additional_data = seq_num + TLSCompressed.type + TLSCompressed.version + TLSCompressed.length;" So I am closing this issue. Since the seq_num requirement is so strict in this API, there is no way to verify ChaCha using unmodified test vectors.
Hello,
Test vectors with Additional Authenticated Data seem to be broken, for example this one from RFC 7539:
With seq_num set to eight zero bytes (to avoid its impact on the test vector IV when XORed), the patched OpenSSL produces an incorrect auth tag:
I checked the sources and see that the ChaPoly EVP API expects the AAD in the format '8 bytes seq_num || actual AAD' when using "EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_TLS1_AAD, aad_len, aad)" to set both seq_num and the AAD. aad_len should be 8 + actual_aad_len. XORing the padded seq_num with the IV works as expected, but later, when the AAD and its length are included in the Poly1305 MAC calculation, the AAD is passed as 'seq_num || AAD', which breaks the test vectors. A simple patch that excludes seq_num from the AAD tag calculation fixes the test vectors; see the last two lines below:
The patched version produces the correct tag:
So my question is: is it an RFC feature to include seq_num in the auth tag calculation? If so, are there any test vectors for the TLS implementation of ChaPoly?