[openssl/openssl] a01152: ChaCha20-Poly1305 no longer supports truncated IV's.
Shane
noreply at github.com
Mon Jan 30 08:51:23 UTC 2023
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: a01152370676e7e11fb461cff8628eb50fa41b81
https://github.com/openssl/openssl/commit/a01152370676e7e11fb461cff8628eb50fa41b81
Author: slontis <shane.lontis at oracle.com>
Date: 2023-01-30 (Mon, 30 Jan 2023)
Changed paths:
M doc/man3/EVP_EncryptInit.pod
M doc/man7/migration_guide.pod
M providers/implementations/ciphers/cipher_chacha20_poly1305.c
M providers/implementations/ciphers/cipher_chacha20_poly1305.h
M providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c
M test/recipes/30-test_evp_data/evpciph_chacha.txt
Log Message:
-----------
ChaCha20-Poly1305 no longer supports truncated IV's.
Fixes #20084
In the 3.0 provider implementation the generic code that handles IV's
only allows a 12 byte IV. Older code intentionally added the ability for
the IV to be truncated.
As this truncation is unsafe, the documentation has been updated to
state that this in no longer allowed. The code has been updated to
produce an error when the iv length is set to any value other than 12.
NOTE: It appears that this additional padding may have originated from the code
which uses a 12 byte IV, that is then passed to CHACHA which zero pads it to 16 bytes.
Note that legacy behaviour in e_chacha20_poly1305.c has not been
updated.
Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20151)
More information about the openssl-commits
mailing list