[email protected] (Niels Möller) writes:

> I would guess that means that we got 209 bytes, including the 16-byte
> poly1305 authentication tag. Message size is then 209 - 16 = 193 bytes.
> If the first byte is a TLS packet type, the "length: 192" in the next to
> last line makes sense if the packet type byte is excluded. Right?

I've found one problem, although I don't see that it would cause
precisely the reported problem. It would result in incorrect
encrypt/decrypt of the data immediately after a call to chacha_crypt or
chacha_crypt32 with 129 <= (length % 256) <= 192. In code used only on
ppc64 with the new altivec chacha code enabled.

Tentative patch below, but I need to extend the tests to get proper test
coverage of this case.

Regards,
/Niels

diff --git a/chacha-crypt.c b/chacha-crypt.c
index 081ebcf4..9db13183 100644
--- a/chacha-crypt.c
+++ b/chacha-crypt.c
@@ -80,13 +80,16 @@ _nettle_chacha_crypt_4core(struct chacha_ctx *ctx,
   while (length > 2*CHACHA_BLOCK_SIZE)
     {
       _nettle_chacha_4core (x, ctx->state, CHACHA_ROUNDS);
-      ctx->state[12] += 4;
-      ctx->state[13] += (ctx->state[12] < 4);
       if (length <= 4*CHACHA_BLOCK_SIZE)
        {
+         uint32_t blocks = 3 + (length > 3*CHACHA_BLOCK_SIZE);
+         ctx->state[12] += blocks;
+         ctx->state[13] += (ctx->state[12] < blocks);
          memxor3 (dst, src, x, length);
          return;
        }
+      ctx->state[12] += 4;
+      ctx->state[13] += (ctx->state[12] < 4);
       memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
 
       length -= 4*CHACHA_BLOCK_SIZE;
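Review bot: the relocated counter update is correct, but the hunk carries no test for the case it fixes: a message whose 4-block loop ends with a 3-block batch (129 <= length % 256 <= 192), followed by a second chacha_crypt call on the same context. Before this change the final iteration always did `ctx->state[12] += 4;` even when `memxor3 (dst, src, x, length);` consumed only three blocks of keystream, so the next call started one block too far. A test that encrypts one buffer in a single call and again in two calls split at such a boundary, then compares the outputs, would pin the behaviour down; the carry into `ctx->state[13]` on the `blocks` path also deserves a case where `state[12]` is near 2^32 so the wrap branch is exercised.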
@@ -200,12 +203,13 @@ _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx,
   while (length > 2*CHACHA_BLOCK_SIZE)
     {
       _nettle_chacha_4core32 (x, ctx->state, CHACHA_ROUNDS);
-      ctx->state[12] += 4;
       if (length <= 4*CHACHA_BLOCK_SIZE)
        {
+         ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE);
          memxor3 (dst, src, x, length);
          return;
        }
+      ctx->state[12] += 4;
       memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
 
       length -= 4*CHACHA_BLOCK_SIZE;
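Review bot: the 32-bit counter variant intentionally drops the carry into `ctx->state[13]` that the previous hunk keeps, and the inline `3 + (length > 3*CHACHA_BLOCK_SIZE)` duplicates the block-count computation from _nettle_chacha_crypt_4core; a one-line comment above the `if` noting that the last batch may be three or four blocks (and that the 32-bit variant wraps `state[12]` without carry by design) would make the two functions easier to keep in sync. The same split-call test suggested for the first hunk should be run against chacha_crypt32 as well, since this path has the identical off-by-one-block counter advance before the patch.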

-- 
Niels Möller. PGP-encrypted email is preferred. Keyid 368C6677.
Internet email is subject to wholesale government surveillance.
_______________________________________________
nettle-bugs mailing list
[email protected]
http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs
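The mail above describes the failure as a counter desynchronisation: the 4-block loop advances the block counter by four even when its last batch only uses three blocks of keystream, so the next call to chacha_crypt on the same context starts at the wrong block. The following C model is an added illustration, not code from Nettle or from the patch; it reproduces only the loop's counter bookkeeping (the two-word counter in state[12] and state[13], a 64-byte block, and the before/after loop structure shown in the first hunk), with no keystream generation, and compares the counter advance against the number of blocks actually consumed for a range of message lengths. It generalises the single length mentioned in the thread to the whole 129 <= length % 256 <= 192 range the author names.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define CHACHA_BLOCK_SIZE 64

/* Model of the ChaCha block counter as two 32-bit words, like
   ctx->state[12] (low) and ctx->state[13] (high) in the patch. */
struct ctr { uint32_t lo, hi; };

/* Same carry idiom as the patch: if lo wrapped, it is now < blocks. */
static void advance(struct ctr *c, uint32_t blocks) {
    c->lo += blocks;
    c->hi += (c->lo < blocks);
}

/* Loop bookkeeping BEFORE the patch: always +4, even for a 3-block tail.
   Returns the number of bytes left for the (<= 2 block) tail code. */
static size_t loop_old(struct ctr *c, size_t length) {
    while (length > 2*CHACHA_BLOCK_SIZE) {
        advance(c, 4);
        if (length <= 4*CHACHA_BLOCK_SIZE)
            return 0;                 /* remainder consumed in one batch */
        length -= 4*CHACHA_BLOCK_SIZE;
    }
    return length;
}

/* Loop bookkeeping AFTER the patch: the final batch advances by the
   number of blocks it really produced (3 or 4). */
static size_t loop_new(struct ctr *c, size_t length) {
    while (length > 2*CHACHA_BLOCK_SIZE) {
        if (length <= 4*CHACHA_BLOCK_SIZE) {
            advance(c, 3 + (length > 3*CHACHA_BLOCK_SIZE));
            return 0;
        }
        advance(c, 4);
        length -= 4*CHACHA_BLOCK_SIZE;
    }
    return length;
}

static uint64_t ctr_value(const struct ctr *c) {
    return ((uint64_t)c->hi << 32) | c->lo;
}

/* Counter advance minus blocks actually consumed by the loop.
   0 means the next call would start on the right block; +1 means the
   counter ran one block ahead of the keystream that was used. */
int64_t loop_counter_error(size_t length, int fixed) {
    struct ctr c = {0, 0};
    size_t rest = fixed ? loop_new(&c, length) : loop_old(&c, length);
    size_t consumed = rest ? (length - rest) / CHACHA_BLOCK_SIZE
                           : (length + CHACHA_BLOCK_SIZE - 1) / CHACHA_BLOCK_SIZE;
    return (int64_t)ctr_value(&c) - (int64_t)consumed;
}

/* Checks, for every length up to max_len, that the old loop is wrong
   exactly when 129 <= length % 256 <= 192, the range named in the mail,
   and that the patched loop is never wrong. Returns 1 if both hold. */
int old_bug_matches_range(size_t max_len) {
    for (size_t len = 1; len <= max_len; len++) {
        size_t r = len % 256;
        int expect_bug = (r >= 129 && r <= 192);
        if ((loop_counter_error(len, 0) != 0) != expect_bug) return 0;
        if (loop_counter_error(len, 1) != 0) return 0;
    }
    return 1;
}

/* Starts the low counter word two below wrap-around and runs a 3-block
   tail through the patched loop: lo must wrap to 1 and hi must become 1. */
int carry_after_fix(void) {
    struct ctr c = {0xFFFFFFFEu, 0};
    loop_new(&c, 3*CHACHA_BLOCK_SIZE);   /* 192 bytes -> +3 blocks */
    return c.lo == 1 && c.hi == 1;
}

int main(void) {
    /* Constructed sample lengths: 129 and 400 fall in the bad range. */
    size_t samples[] = {128, 129, 192, 193, 256, 400};
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("length %4zu: old error %+lld, fixed error %+lld\n",
               samples[i],
               (long long)loop_counter_error(samples[i], 0),
               (long long)loop_counter_error(samples[i], 1));
    printf("old bug confined to 129..192 mod 256: %s\n",
           old_bug_matches_range(4096) ? "yes" : "no");
    printf("carry into high word after fix: %s\n",
           carry_after_fix() ? "ok" : "BROKEN");
    return 0;
}
```

The model has no cryptography in it on purpose: the point is that a stream-cipher context must advance its counter by exactly the keystream it handed out, and the error surfaces only on the next call, which is why a single-call test would never catch it.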