From 999328f2a02597e18708c79c310a7038ce40dee4 Mon Sep 17 00:00:00 2001
From: Jacob Barthelmeh
Date: Fri, 14 Apr 2017 10:32:15 -0600
Subject: [PATCH] fix old version of AEAD cipher suite

---
 src/internal.c | 48 ++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 38 insertions(+), 10 deletions(-)

diff --git a/src/internal.c b/src/internal.c
index 6d333e78b..bddcc272c 100755
--- a/src/internal.c
+++ b/src/internal.c
@@ -8878,6 +8878,20 @@ static int Poly1305TagOld(WOLFSSL* ssl, byte* additional, const byte* out,
 }
 
 
+/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set
+ * the implmentation follows an older draft for creating the nonce and MAC.
+ * The flag oldPoly gets set automaticlly depending on what cipher suite was
+ * negotiated in the handshake. This is able to be done because the IDs for the
+ * cipher suites was updated in RFC7905 giving unique values for the older
+ * draft in comparision to the more recent RFC.
+ *
+ * ssl WOLFSSL structure to get cipher and TLS state from
+ * out output buffer to hold encrypted data
+ * input data to encrypt
+ * sz size of input
+ *
+ * Return 0 on success negative values in error case
+ */
 static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
 word16 sz)
 {
@@ -8897,14 +8911,14 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
 XMEMSET(poly, 0, sizeof(poly));
 XMEMSET(add, 0, sizeof(add));
 
- if (ssl->options.oldPoly != 0) {
- /* get nonce */
- WriteSEQ(ssl, CUR_ORDER, nonce + CHACHA20_OLD_OFFSET);
- }
-
 /* opaque SEQ number stored for AD */
 WriteSEQ(ssl, CUR_ORDER, add);
 
+ if (ssl->options.oldPoly != 0) {
+ /* get nonce. SEQ should not be incremented again here */
+ XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2);
+ }
+
 /* Store the type, version. Unfortunately, they are in
 * the input buffer ahead of the plaintext. */
 #ifdef WOLFSSL_DTLS
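Review bot: The header comment added above ChachaAEADEncrypt misspells three words and has a number-agreement slip, and the same text is repeated verbatim above ChachaAEADDecrypt in the second file hunk, so both copies need the fix. Proposed wording for the affected lines: ` * the implementation follows an older draft for creating the nonce and MAC.`, ` * The flag oldPoly gets set automatically depending on what cipher suite was`, and ` * draft in comparison to the more recent RFC.`, with "cipher suites was updated" on the preceding line changed to "cipher suites were updated". Because the two comments differ only in the name of the output buffer, one of them could instead point at the other to avoid the drift that duplicated comments invite.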
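Review bot: The new copy `XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2);` depends on two facts that the hunk only implies: that the 8 bytes WriteSEQ just stored at the start of `add` are exactly the 64-bit sequence number the old draft places in the nonce, and that `nonce` has at least CHACHA20_OLD_OFFSET + 8 bytes of room, which the buffer declarations above the hunk must guarantee. Spelling the length as the named 64-bit sequence size rather than `OPAQUE32_LEN * 2` — `SEQ_SZ` if that is the constant this file uses for it — and extending the comment to `/* old-draft nonce = the SEQ already written to add; a second WriteSEQ would advance the sequence number again */` would make the reason for the reordering explicit, since the new comment's "should not be incremented again" presumes the reader knows WriteSEQ has that side effect. The ChachaAEADDecrypt hunk at @@ -9041 makes the identical change and the same note applies there. Both enclosing functions start before their hunks and continue past them.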
@@ -9015,6 +9029,20 @@ static int ChachaAEADEncrypt(WOLFSSL* ssl, byte* out, const byte* input,
 }
 
 
+/* When the flag oldPoly is not set this follows RFC7905. When oldPoly is set
+ * the implmentation follows an older draft for creating the nonce and MAC.
+ * The flag oldPoly gets set automaticlly depending on what cipher suite was
+ * negotiated in the handshake. This is able to be done because the IDs for the
+ * cipher suites was updated in RFC7905 giving unique values for the older
+ * draft in comparision to the more recent RFC.
+ *
+ * ssl WOLFSSL structure to get cipher and TLS state from
+ * plain output buffer to hold decrypted data
+ * input data to decrypt
+ * sz size of input
+ *
+ * Return 0 on success negative values in error case
+ */
 static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
 word16 sz)
 {
@@ -9041,14 +9069,14 @@ static int ChachaAEADDecrypt(WOLFSSL* ssl, byte* plain, const byte* input,
 XMEMSET(nonce, 0, sizeof(nonce));
 XMEMSET(add, 0, sizeof(add));
 
- if (ssl->options.oldPoly != 0) {
- /* get nonce */
- WriteSEQ(ssl, PEER_ORDER, nonce + CHACHA20_OLD_OFFSET);
- }
-
 /* sequence number field is 64-bits */
 WriteSEQ(ssl, PEER_ORDER, add);
 
+ if (ssl->options.oldPoly != 0) {
+ /* get nonce, SEQ should not be incremented again here */
+ XMEMCPY(nonce + CHACHA20_OLD_OFFSET, add, OPAQUE32_LEN * 2);
+ }
+
 /* get AD info */
 /* Store the type, version. */
 add[AEAD_TYPE_OFFSET] = ssl->curRL.type;