diff options
| author | Péter Dimitrov <[email protected]> | 2019-04-02 15:50:15 +0200 |
|---|---|---|
| committer | Péter Dimitrov <[email protected]> | 2019-04-02 16:13:47 +0200 |
| commit | 7f014fd65d13575c352b178894187356b2d7d3b5 (patch) | |
| tree | 3d0578c61abb693796577ba06615ea9b44fc6ee7 | |
| parent | be44d6827e2374a43068b35de85ed16441c771be (diff) | |
| download | otp-7f014fd65d13575c352b178894187356b2d7d3b5.tar.gz otp-7f014fd65d13575c352b178894187356b2d7d3b5.tar.bz2 otp-7f014fd65d13575c352b178894187356b2d7d3b5.zip | |
ssl: Fix Chacha20 IV length and nonce calculation
This commit fixes the IV length (12 bytes) and the calculation of
the nonce for the Chacha20-Poly1305 ciphers.
Change-Id: I4c9efc0bf012bc287c84c7b62c252ecf49ffe32f
| -rw-r--r-- | lib/ssl/src/ssl_cipher.erl | 5 | ||||
| -rw-r--r-- | lib/ssl/src/ssl_record.erl | 14 |
2 files changed, 11 insertions, 8 deletions
diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl index 97878431a6..850dee7d4f 100644 --- a/lib/ssl/src/ssl_cipher.erl +++ b/lib/ssl/src/ssl_cipher.erl @@ -838,8 +838,7 @@ effective_key_bits(Cipher) when Cipher == aes_256_cbc; 256. iv_size(Cipher) when Cipher == null; - Cipher == rc4_128; - Cipher == chacha20_poly1305-> + Cipher == rc4_128 -> 0; iv_size(Cipher) when Cipher == aes_128_gcm; Cipher == aes_256_gcm; @@ -848,6 +847,8 @@ iv_size(Cipher) when Cipher == aes_128_gcm; Cipher == aes_128_ccm_8; Cipher == aes_256_ccm_8 -> 4; +iv_size(chacha20_poly1305) -> + 12; iv_size(Cipher) -> block_size(Cipher). diff --git a/lib/ssl/src/ssl_record.erl b/lib/ssl/src/ssl_record.erl index 9cc131c3cb..867d2cfc5a 100644 --- a/lib/ssl/src/ssl_record.erl +++ b/lib/ssl/src/ssl_record.erl @@ -395,7 +395,7 @@ decipher_aead(Type, #cipher_state{key = Key} = CipherState, AAD0, CipherFragment try Nonce = decrypt_nonce(Type, CipherState, CipherFragment), {AAD, CipherText, CipherTag} = aead_ciphertext_split(Type, CipherState, CipherFragment, AAD0), - case ssl_cipher:aead_decrypt(Type, Key, Nonce, CipherText, CipherTag, AAD) of + case ssl_cipher:aead_decrypt(Type, Key, Nonce, CipherText, CipherTag, AAD) of Content when is_binary(Content) -> Content; _ -> @@ -473,7 +473,7 @@ initial_security_params(ConnectionEnd) -> do_cipher_aead(?CHACHA20_POLY1305 = Type, Fragment, #cipher_state{key=Key, tag_len = TagLen} = CipherState, AAD0) -> AAD = ?end_additional_data(AAD0, erlang:iolist_size(Fragment)), - Nonce = encrypt_nonce(Type, CipherState), + Nonce = chacha_nonce(CipherState), {Content, CipherTag} = ssl_cipher:aead_encrypt(Type, Key, Nonce, Fragment, AAD, TagLen), {<<Content/binary, CipherTag/binary>>, CipherState}; do_cipher_aead(Type, Fragment, #cipher_state{key=Key, tag_len = TagLen, nonce = ExplicitNonce} = CipherState, AAD0) -> @@ -482,16 +482,18 @@ do_cipher_aead(Type, Fragment, #cipher_state{key=Key, tag_len = TagLen, nonce = {Content, CipherTag} = ssl_cipher:aead_encrypt(Type, Key, Nonce, Fragment, AAD, TagLen), {<<ExplicitNonce:64/integer, Content/binary, CipherTag/binary>>, CipherState#cipher_state{nonce = ExplicitNonce + 1}}. -encrypt_nonce(?CHACHA20_POLY1305, #cipher_state{nonce = Nonce, iv = IV}) -> - crypto:exor(<<?UINT32(0), Nonce/binary>>, IV); + +chacha_nonce(#cipher_state{nonce = Nonce, iv = IV}) -> + crypto:exor(<<?UINT32(0), Nonce/binary>>, IV). + encrypt_nonce(Type, #cipher_state{iv = IV, nonce = ExplicitNonce}) when Type == ?AES_GCM; Type == ?AES_CCM; Type == ?AES_CCM_8 -> <<Salt:4/bytes, _/binary>> = IV, <<Salt/binary, ExplicitNonce:64/integer>>. -decrypt_nonce(?CHACHA20_POLY1305, #cipher_state{nonce = Nonce, iv = IV}, _) -> - crypto:exor(<<Nonce:96/unsigned-big-integer>>, IV); +decrypt_nonce(?CHACHA20_POLY1305, CipherState, _) -> + chacha_nonce(CipherState); decrypt_nonce(Type, #cipher_state{iv = <<Salt:4/bytes, _/binary>>}, <<ExplicitNonce:8/bytes, _/binary>>) when Type == ?AES_GCM; Type == ?AES_CCM; |