From 817238601b751c2c48f960c1e6867ca2556c7a83 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Sun, 5 Apr 2020 13:36:50 +0700
Subject: Fix bad MAC padding length calculation

- affected files with data or AAD length >~2GB
- see also https://github.com/bcgit/bc-java/issues/673
- also allow null output buffer
---
 crypto/Readme.html                          | 26 ++++++++++++++++++++++++++
 crypto/src/crypto/modes/ChaCha20Poly1305.cs | 10 ++++++++--
 2 files changed, 34 insertions(+), 2 deletions(-)

diff --git a/crypto/Readme.html b/crypto/Readme.html
index e394195c9..6d1bc7421 100644
--- a/crypto/Readme.html
+++ b/crypto/Readme.html
@@ -304,6 +304,18 @@ We state, where EC MQV has not otherwise been disabled or removed:

Release 1.8.7, TBD

+
Defects Fixed
+ +
Additional Notes
+ +

Release 1.8.6, Friday February 21, 2020

Defects Fixed
@@ -319,6 +331,13 @@ We state, where EC MQV has not otherwise been disabled or removed:
  • Support has been added for ChaCha20-Poly1305 AEAD mode from RFC 7539.
  • PKCS12: Improved support for certificate-only key stores without password.
  • +
    Additional Notes
    +

    Release 1.8.5, Thursday January 31, 2019

    @@ -327,6 +346,13 @@ We state, where EC MQV has not otherwise been disabled or removed:
  • Support added for encoding and decoding of GOST3410-2012 keys
  • Basic support added for CMP (RFC 4210) and CRMF (RFC 4211), including the PKI archive control.
  • +
    Additional Notes
    +

    Release 1.8.4, Saturday October 27, 2018

diff --git a/crypto/src/crypto/modes/ChaCha20Poly1305.cs b/crypto/src/crypto/modes/ChaCha20Poly1305.cs
index 9cc62174c..6ca32d9c6 100644
--- a/crypto/src/crypto/modes/ChaCha20Poly1305.cs
+++ b/crypto/src/crypto/modes/ChaCha20Poly1305.cs
@@ -251,8 +251,14 @@ namespace Org.BouncyCastle.Crypto.Modes
         {
             if (null == inBytes)
                 throw new ArgumentNullException("inBytes");
+            /*
+             * Following bc-java, we allow null when no output is expected (e.g. based on a
+             * GetUpdateOutputSize call).
+             */
             if (null == outBytes)
-                throw new ArgumentNullException("outBytes");
+            {
+                //throw new ArgumentNullException("outBytes");
+            }
             if (inOff < 0)
                 throw new ArgumentException("cannot be negative", "inOff");
             if (len < 0)
@@ -487,7 +493,7 @@ namespace Org.BouncyCastle.Crypto.Modes
 
         private void PadMac(ulong count)
         {
-            int partial = (int)count % MacSize;
+            int partial = (int)count & (MacSize - 1);
             if (0 != partial)
             {
                 mPoly1305.BlockUpdate(Zeroes, 0, MacSize - partial);
-- 
cgit 1.5.1
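Review bot: The empty `if (null == outBytes) { //throw new ArgumentNullException("outBytes"); }` block leaves commented-out code on the new side and removes the only null check on the output buffer, so if the rest of this method (its signature and body lie outside the hunk) later reads `outBytes.Length` or writes into `outBytes` when output is produced, a null buffer will presumably fail with a NullReferenceException rather than a descriptive argument exception. The added comment says null is acceptable only when no output is expected, so make that the condition instead of dropping the check: `if (null == outBytes && GetUpdateOutputSize(len) > 0) throw new ArgumentNullException("outBytes");` and delete the empty block. If a later output-length check exists in the method, confirm it treats a null `outBytes` as zero capacity so the failure stays an explicit length/argument error.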
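Review bot: The mask form `(int)count & (MacSize - 1)` in PadMac is only equal to `count mod MacSize` because MacSize is a power of two, and nothing in the hunk records that constraint, so a later change to the constant or a copy of the idiom elsewhere would silently break the tail padding. Either state it, `// MacSize is a power of two, so the mask gives count mod MacSize without first truncating count to int`, or express the intent directly and drop the dependence: `int partial = (int)(count % (ulong)MacSize);`. The removed line cast the ulong to int before the modulus, which yields a negative remainder once the count exceeds 2^31 bytes and is the defect the commit fixes; a `Debug.Assert(partial >= 0 && partial < MacSize);` after the assignment would make any regression on this path visible in debug builds. PadMac's closing brace is outside the hunk.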