Problems with CipherBox and AEAD

Xuelei Fan xuelei.fan at oracle.com
Wed Oct 21 23:04:36 UTC 2015


On 10/22/2015 2:52 AM, Tim Whittington wrote:
> draft-agl-tls-chacha20poly1305-04 moved on (incompatibly) to
> https://tools.ietf.org/html/draft-mavrogiannopoulos-chacha-tls, which
> has since moved on to
> https://tools.ietf.org/html/draft-ietf-tls-chacha20-poly1305-00.
> 
Yes.  Good that the new proposal follow RFC 5116 specification, and does
not use zero fixedIv any more.

Thanks,
Xuelei

> tim
> 
>> On 13/10/2015, at 3:14 PM, Xuelei Fan <Xuelei.Fan at Oracle.COM> wrote:
>>
>> Were ChaCha20 and Poly1305 based cipher suites accepted as IETF RFC?
>> Looks like the proposal was not moving forward since May, 2014.
>>
>>  https://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-04
>>
>> Thanks,
>> Xuelei
>>
>> On 10/11/2015 3:59 PM, Thomas Lußnig wrote:
>>> Hi,
>>>
>>> when i extends "sun.security.ssl.CipherSuite" with
>>>  final static BulkCipher B_CHACHA20_POLY1305 = new
>>> BulkCipher("CHACHA20_POLY1305", AEAD_CIPHER  , 32 ,32,  0,  0, true );
>>> i found an Problem in "sun.security.ssl.CipherBox
>>> Method "applyExplicitNonce" there for the AEAD_CIPHER case is an NPE if
>>> the IV Length is zero. Then fixedIv become null
>>> and there is an NPE. The Workaround for this is
>>>  final byte[] iv;
>>>  if(this.fixedIv == null) { // FIX for CHACHA
>>>      iv = new byte[this.recordIvSize];              // CHACHA fix
>>>      bb.get(iv, 0, this.recordIvSize);
>>>  } else {
>>>      iv = Arrays.copyOf(this.fixedIv, this.fixedIv.length +
>>> this.recordIvSize);
>>>      bb.get(iv, this.fixedIv.length, this.recordIvSize);
>>>  }
>>> Another problem would occour if i use "new
>>> BulkCipher("CHACHA20_POLY1305", AEAD_CIPHER  , 32 ,32,  8,  8, true );"
>>> Then in createExplicitNonce the nonce should become zero size but is
>>> fixed length for AEAD of 8 bytes.
>>> Both was seen in JDK-1.8.0_60
>>>
>>> Gruß Thomas Lußnig
>>>
>>
> 



More information about the security-dev mailing list