Pulled Poly1305 into compliance with RFC7539

dghgit · dghgit · commit 9d0edfbede2b · 2016-01-19T08:17:29.000+11:00
diff --git a/bc-build.properties b/bc-build.properties
@@ -1,8 +1,8 @@
 
-release.suffix: 154
-release.name: 1.54
-release.version: 1.54
-release.debug: false
+release.suffix: 155b02
+release.name: 1.55b02
+release.version: 1.55.0.2
+release.debug: true
 
 mail.jar.home: /opt/javamail/mail.jar
 activation.jar.home: /opt/jaf/activation.jar
diff --git a/core/src/main/java/org/bouncycastle/crypto/generators/Poly1305KeyGenerator.java b/core/src/main/java/org/bouncycastle/crypto/generators/Poly1305KeyGenerator.java
@@ -68,17 +68,17 @@ public static void clamp(byte[] key)
         /*
          * r[3], r[7], r[11], r[15] have top four bits clear (i.e., are {0, 1, . . . , 15})
          */
-        key[19] &= R_MASK_HIGH_4;
-        key[23] &= R_MASK_HIGH_4;
-        key[27] &= R_MASK_HIGH_4;
-        key[31] &= R_MASK_HIGH_4;
+        key[3] &= R_MASK_HIGH_4;
+        key[7] &= R_MASK_HIGH_4;
+        key[11] &= R_MASK_HIGH_4;
+        key[15] &= R_MASK_HIGH_4;
 
         /*
          * r[4], r[8], r[12] have bottom two bits clear (i.e., are in {0, 4, 8, . . . , 252}).
          */
-        key[20] &= R_MASK_LOW_2;
-        key[24] &= R_MASK_LOW_2;
-        key[28] &= R_MASK_LOW_2;
+        key[4] &= R_MASK_LOW_2;
+        key[8] &= R_MASK_LOW_2;
+        key[12] &= R_MASK_LOW_2;
     }
 
     /**
@@ -96,14 +96,14 @@ public static void checkKey(byte[] key)
             throw new IllegalArgumentException("Poly1305 key must be 256 bits.");
         }
 
-        checkMask(key[19], R_MASK_HIGH_4);
-        checkMask(key[23], R_MASK_HIGH_4);
-        checkMask(key[27], R_MASK_HIGH_4);
-        checkMask(key[31], R_MASK_HIGH_4);
+        checkMask(key[3], R_MASK_HIGH_4);
+        checkMask(key[7], R_MASK_HIGH_4);
+        checkMask(key[11], R_MASK_HIGH_4);
+        checkMask(key[15], R_MASK_HIGH_4);
 
-        checkMask(key[20], R_MASK_LOW_2);
-        checkMask(key[24], R_MASK_LOW_2);
-        checkMask(key[28], R_MASK_LOW_2);
+        checkMask(key[4], R_MASK_LOW_2);
+        checkMask(key[8], R_MASK_LOW_2);
+        checkMask(key[12], R_MASK_LOW_2);
     }
 
     private static void checkMask(byte b, byte mask)
diff --git a/core/src/main/java/org/bouncycastle/crypto/macs/Poly1305.java b/core/src/main/java/org/bouncycastle/crypto/macs/Poly1305.java
@@ -116,13 +116,13 @@ private void setKey(final byte[] key, final byte[] nonce)
             throw new IllegalArgumentException("Poly1305 requires a 128 bit IV.");
         }
 
-        Poly1305KeyGenerator.checkKey(key);
+        Poly1305KeyGenerator.clamp(key);
 
         // Extract r portion of key
-        int t0 = Pack.littleEndianToInt(key, BLOCK_SIZE + 0);
-        int t1 = Pack.littleEndianToInt(key, BLOCK_SIZE + 4);
-        int t2 = Pack.littleEndianToInt(key, BLOCK_SIZE + 8);
-        int t3 = Pack.littleEndianToInt(key, BLOCK_SIZE + 12);
+        int t0 = Pack.littleEndianToInt(key, 0);
+        int t1 = Pack.littleEndianToInt(key, 4);
+        int t2 = Pack.littleEndianToInt(key, 8);
+        int t3 = Pack.littleEndianToInt(key, 12);
 
         r0 = t0 & 0x3ffffff; t0 >>>= 26; t0 |= t1 << 6;
         r1 = t0 & 0x3ffff03; t1 >>>= 20; t1 |= t2 << 12;
@@ -140,19 +140,24 @@ private void setKey(final byte[] key, final byte[] nonce)
         if (cipher == null)
         {
             kBytes = key;
+
+            k0 = Pack.littleEndianToInt(kBytes, BLOCK_SIZE + 0);
+            k1 = Pack.littleEndianToInt(kBytes, BLOCK_SIZE + 4);
+            k2 = Pack.littleEndianToInt(kBytes, BLOCK_SIZE + 8);
+            k3 = Pack.littleEndianToInt(kBytes, BLOCK_SIZE + 12);
         }
         else
         {
             // Compute encrypted nonce
             kBytes = new byte[BLOCK_SIZE];
-            cipher.init(true, new KeyParameter(key, 0, BLOCK_SIZE));
+            cipher.init(true, new KeyParameter(key, BLOCK_SIZE, BLOCK_SIZE));
             cipher.processBlock(nonce, 0, kBytes, 0);
-        }
 
-        k0 = Pack.littleEndianToInt(kBytes, 0);
-        k1 = Pack.littleEndianToInt(kBytes, 4);
-        k2 = Pack.littleEndianToInt(kBytes, 8);
-        k3 = Pack.littleEndianToInt(kBytes, 12);
+            k0 = Pack.littleEndianToInt(kBytes, 0);
+            k1 = Pack.littleEndianToInt(kBytes, 4);
+            k2 = Pack.littleEndianToInt(kBytes, 8);
+            k3 = Pack.littleEndianToInt(kBytes, 12);
+        }
     }
 
     public String getAlgorithmName()
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/Chacha20Poly1305.java b/core/src/main/java/org/bouncycastle/crypto/tls/Chacha20Poly1305.java
@@ -150,9 +150,7 @@ protected KeyParameter generateRecordMACKey(StreamCipher cipher)
         byte[] firstBlock = new byte[64];
         cipher.processBytes(firstBlock, 0, firstBlock.length, firstBlock, 0);
 
-        // NOTE: The BC implementation puts 'r' after 'k'
-        System.arraycopy(firstBlock, 0, firstBlock, 32, 16);
-        KeyParameter macKey = new KeyParameter(firstBlock, 16, 32);
+        KeyParameter macKey = new KeyParameter(firstBlock, 0, 32);
         Arrays.fill(firstBlock, (byte)0);
         Poly1305KeyGenerator.clamp(macKey.getKey());
         return macKey;
diff --git a/core/src/test/java/org/bouncycastle/crypto/test/Poly1305Test.java b/core/src/test/java/org/bouncycastle/crypto/test/Poly1305Test.java
diff --git a/prov/src/test/java/org/bouncycastle/jce/provider/test/Poly1305Test.java b/prov/src/test/java/org/bouncycastle/jce/provider/test/Poly1305Test.java
