authorJussi Kivilinna <jussi.kivilinna@iki.fi>2014-12-21 17:36:59 +0200
committerJussi Kivilinna <jussi.kivilinna@iki.fi>2014-12-23 12:51:36 +0200
commit520070e02e2e6ee7228945015573a6e1f4895ec3 (patch)
tree838fad593082d53e5b864494356048219b2268cc /cipher/cipher.c
parent11b8d2d449a7bc664b4371ae14c57caa6704d272 (diff)
Poly1305-AEAD: updated implementation to match draft-irtf-cfrg-chacha20-poly1305-03
* cipher/cipher-internal.h (gcry_cipher_handle): Use separate byte counters for AAD and data in Poly1305. * cipher/cipher-poly1305.c (poly1305_fill_bytecount): Remove. (poly1305_fill_bytecounts, poly1305_do_padding): New. (poly1305_aad_finish): Fill padding to Poly1305 and do not fill AAD length. (_gcry_cipher_poly1305_authenticate, _gcry_cipher_poly1305_encrypt) (_gcry_cipher_poly1305_decrypt): Update AAD and data length separately. (_gcry_cipher_poly1305_tag): Fill padding and bytecounts to Poly1305. (_gcry_cipher_poly1305_setkey, _gcry_cipher_poly1305_setiv): Reset AAD and data byte counts; only allow 96-bit IV. * cipher/cipher.c (_gcry_cipher_open_internal): Limit Poly1305-AEAD to ChaCha20 cipher. * tests/basic.c (_check_poly1305_cipher): Update test-vectors. (check_ciphers): Limit Poly1305-AEAD checks to ChaCha20. * tests/bench-slope.c (cipher_bench_one): Ditto. -- The latest Internet-Draft version of "ChaCha20 and Poly1305 for IETF protocols" has added additional padding to Poly1305-AEAD and limited the supported IV size to 96 bits: https://www.ietf.org/rfcdiff?url1=draft-nir-cfrg-chacha20-poly1305-03&difftype=--html&submit=Go!&url2=draft-irtf-cfrg-chacha20-poly1305-03 This patch makes the Poly1305-AEAD implementation match these changes and limits Poly1305-AEAD to ChaCha20 only. Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi>
Diffstat (limited to 'cipher/cipher.c')
-rw-r--r--cipher/cipher.c4
1 files changed, 1 insertions, 3 deletions
diff --git a/cipher/cipher.c b/cipher/cipher.c
index 5c44c0d9..78cad210 100644
--- a/cipher/cipher.c
+++ b/cipher/cipher.c
@@ -421,9 +421,7 @@ _gcry_cipher_open_internal (gcry_cipher_hd_t *handle,
case GCRY_CIPHER_MODE_POLY1305:
if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv)
err = GPG_ERR_INV_CIPHER_MODE;
- else if (spec->algo != GCRY_CIPHER_SALSA20 &&
- spec->algo != GCRY_CIPHER_SALSA20R12 &&
- spec->algo != GCRY_CIPHER_CHACHA20)
+ else if (spec->algo != GCRY_CIPHER_CHACHA20)
err = GPG_ERR_INV_CIPHER_MODE;
break;
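Review bot: The narrowed check `else if (spec->algo != GCRY_CIPHER_CHACHA20)` carries no comment saying why Salsa20 and Salsa20/12 were dropped, so a later maintainer could re-add them without realising the IETF construction is specified only for ChaCha20 with a 96-bit nonce. I would put `/* draft-irtf-cfrg-chacha20-poly1305 defines this AEAD only for ChaCha20; the 96-bit IV limit is enforced in cipher-poly1305.c (setiv). */` above that line — the setiv part is taken from the commit message, not from anything visible in this hunk. Both branches assign the same `GPG_ERR_INV_CIPHER_MODE`, so the two tests could also be folded into one `if (!spec->stencrypt || !spec->stdecrypt || !spec->setiv || spec->algo != GCRY_CIPHER_CHACHA20)`, which reads as a single capability check rather than two rejections with identical outcomes. `_gcry_cipher_open_internal` starts and ends outside this hunk.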