Hi,

> The following code in the ChaCha20_ctr32 function in
> crypto/chacha/chacha_enc.c looks like you are actually using an IV=[64bit
> counter||64 bit nonce] as specified in the "original Bernstein ChaCha"
> instead of IV=[32bit counter||96bit nonce] as specified in RFC7539.
Correct. While it's indeed confusing, it doesn't affect RFC7539-compliant operation, because the subroutine in question takes in a full-length 128-bit counter value and is essentially agnostic to where the nonce starts. So the caller has control over the effective length of the nonce, as well as indirectly the width of the counter. The latter can be achieved by limiting the amount of processed data. I mean if the caller passes a 0XYZ counter value (every digit/letter representing a 32-bit value and XYZ being the nonce) but never asks to process more than 2^38 bytes, that counter would never overstep the boundary.

> u32 input[16];
> [...]
> /* advance counter */
> if (++input[12] == 0)
>     input[13]++;

But even though it doesn't actually affect operation, it's appropriate to remove the overflow handling, at least to harmonize with the subroutine name, ChaCha20_ctr32, as well as with the assembly implementations.

Thanks for the report.

--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4512
Please log in as guest with password guest if prompted
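To make the point in the reply concrete, here is an added example (not OpenSSL's code, and not from either participant in the thread) that implements the ChaCha20 block function from RFC 7539 in Python and exposes the two counter-advance policies side by side: a pure 32-bit counter, and the 64-bit-style advance from the quoted C that carries into input[13]. It checks the block function against the RFC 7539 section 2.3.2 test vector, then shows that both policies agree as long as the counter word never wraps, and that once it does wrap the carry policy silently rewrites the first nonce word under the RFC 7539 layout. The function names (chacha20_block, advance_counter, keystream, rfc7539_words, bytes_before_wrap) are my own.

```python
"""ChaCha20 block function (RFC 7539) plus the two counter-advance policies
discussed in the thread. Added example; not OpenSSL code."""
import struct

MASK32 = 0xffffffff


def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))


def _quarter_round(s, a, b, c, d):
    # RFC 7539 section 2.1, operating in place on the 16-word state
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)


def chacha20_block(key, input_12_to_15):
    """One 64-byte keystream block. `input_12_to_15` are the four u32 words
    occupying state[12..15]; the block function itself does not care which of
    them the caller treats as counter and which as nonce (the reply's point)."""
    if len(key) != 32 or len(input_12_to_15) != 4:
        raise ValueError("key must be 32 bytes and trailing words four u32s")
    state = [0x61707865, 0x3320646e, 0x79622d32, 0x6b206574]  # "expand 32-byte k"
    state += list(struct.unpack("<8L", key))
    state += [w & MASK32 for w in input_12_to_15]
    work = list(state)
    for _ in range(10):  # 20 rounds = 10 double rounds
        _quarter_round(work, 0, 4, 8, 12)
        _quarter_round(work, 1, 5, 9, 13)
        _quarter_round(work, 2, 6, 10, 14)
        _quarter_round(work, 3, 7, 11, 15)
        _quarter_round(work, 0, 5, 10, 15)
        _quarter_round(work, 1, 6, 11, 12)
        _quarter_round(work, 2, 7, 8, 13)
        _quarter_round(work, 3, 4, 9, 14)
    return struct.pack("<16L", *[(work[i] + state[i]) & MASK32 for i in range(16)])


def advance_counter(words, carry_into_13):
    """Advance input[12]. With carry_into_13=True a wrap also bumps input[13],
    which is the 64-bit-counter behaviour of the quoted C code; with False it
    is the pure 32-bit counter that the name ChaCha20_ctr32 promises."""
    w = list(words)
    w[0] = (w[0] + 1) & MASK32
    if w[0] == 0 and carry_into_13:
        w[1] = (w[1] + 1) & MASK32
    return w


def keystream(key, words, nblocks, carry_into_13):
    """Concatenate nblocks keystream blocks under the chosen advance policy."""
    out = b""
    for _ in range(nblocks):
        out += chacha20_block(key, words)
        words = advance_counter(words, carry_into_13)
    return out


def rfc7539_words(counter, nonce12):
    """RFC 7539 layout: 32-bit block counter followed by a 96-bit nonce."""
    return [counter & MASK32] + list(struct.unpack("<3L", nonce12))


def bytes_before_wrap(counter):
    """Bytes a caller may process from `counter` before input[12] wraps:
    2^38 for a counter of 0, matching the figure given in the reply."""
    return ((1 << 32) - (counter & MASK32)) * 64


if __name__ == "__main__":
    key = bytes(range(32))  # RFC 7539 section 2.3.2 test key 00..1f
    vec = chacha20_block(key, rfc7539_words(1, bytes.fromhex("000000090000004a00000000")))
    print("RFC 7539 2.3.2 block starts", vec[:16].hex())
    # Counter word already at 2^32-1: the two policies diverge on the next block,
    # because the carry lands in what RFC 7539 regards as the first nonce word.
    w = [MASK32, 1, 2, 3]  # constructed: counter 0xffffffff, nonce words 1,2,3
    a = keystream(key, w, 2, False)
    b = keystream(key, w, 2, True)
    print("second blocks equal:", a[64:] == b[64:])
    print("bytes before wrap from counter 0:", bytes_before_wrap(0))
```

Run as a script it prints the RFC vector prefix (10f1e7e4d13b5915500fdd1fa32071c4), reports that the second blocks differ once the counter wraps, and prints 2^38 for the wrap budget from counter 0. The keystream comparison with the counter starting at 0 is what justifies the reply's "doesn't affect RFC7539-compliant operation": for any message shorter than bytes_before_wrap(counter) the carry code path is never reached, so the only visible difference is the one the author proposes to remove for consistency with the ctr32 name.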