Correct chacha20poly1305's empty padding case

ctz · ctz · commit b6cdf9f3dcf6 · 2017-02-24T20:17:08.000Z
Add a bunch of tests generated with libsodium.
diff --git a/extra_vecs/libsodium-extra.py b/extra_vecs/libsodium-extra.py
@@ -0,0 +1,24 @@
+import pysodium
+
+def test(msg, aad, nonce, key):
+    ct = pysodium.crypto_aead_chacha20poly1305_ietf_encrypt(msg, aad, nonce, key)
+    ct, tag = ct[:len(msg)], ct[len(msg):]
+
+    print """
+  vector("%s",
+         "%s",
+         "%s",
+         "%s",
+         "%s",
+         "%s");""" % (key.encode('hex'), nonce.encode('hex'), aad.encode('hex'), msg.encode('hex'), ct.encode('hex'), tag.encode('hex'))
+
+key = 'key.' * 8
+nonce = 'nonce.' * 2
+msg = 'message' * 5
+aad = 'aad' * 12
+
+for msgl in range(32):
+    test(msg[:msgl], aad, nonce, key)
+
+for aadl in range(32):
+    test(msg, aad[:aadl], nonce, key)
diff --git a/src/chacha20poly1305.c b/src/chacha20poly1305.c
@@ -56,7 +56,7 @@ static int process(const uint8_t key[static 32],
    * AAD || pad(AAD) || cipher || pad(cipher) || len_64(aad) || len_64(cipher) */
   uint8_t padbuf[16] = { 0 };
 
-#define PADLEN(x) (16 - ((x) & 0xf))
+#define PADLEN(x) ((16 - ((x) & 0xf)) & 0xf)
 
   /* AAD || pad(AAD) */
   cf_poly1305_update(&poly, header, nheader);
diff --git a/src/testchacha20poly1305.c b/src/testchacha20poly1305.c
