[openssl-dev] [openssl.org #4512] ChaCha20_ctr32 function increments 64 bit counter?

Andy Polyakov via RT rt at openssl.org
Wed Apr 27 13:01:55 UTC 2016


Hi,

> The following code in the ChaCha20_ctr32 function in
> crypto/chacha/chacha_enc.c looks like you are actually using an IV=[64bit
> counter||64 bit nonce] as specified in the "original Bernstein ChaCha"
> instead of IV=[32bit counter||96bit nonce] as specified in RFC7539.

Correct. While it's indeed confusing, it doesn't affect RFC7539
compliant operation, because the subroutine in question takes in a
full-length 128-bit counter value and is essentially agnostic to where
the nonce starts. So the caller has control over the effective length of
the nonce, as well as, indirectly, the width of the counter. The latter
can be achieved by limiting the amount of processed data. I mean if the
caller passes a 0XYZ counter value (every digit/letter representing a
32-bit value and XYZ being the nonce) but never asks to process more than
2^38 bytes, that counter would never overstep the boundary.

> u32 input[16];
> [...]
> /* advance counter */
> if (++input[12] == 0)
>         input[13]++;

But even though it doesn't actually affect operation, it's appropriate
to remove the overflow handling at least to harmonize with the subroutine
name, ChaCha20_ctr32, as well as with the assembly implementations.

Thanks for the report.


-- 
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4512
Please log in as guest with password guest if prompted
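
An added example, not part of the original message or of OpenSSL's code: the quoted counter step next to the variant without overflow handling, plus the caller-side length check implied by the 2^38-byte bound. The helper names `word13_at_block` and `fits_ctr32` and the sample nonce word are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define CHACHA_BLOCK 64u /* keystream bytes produced per counter value */

/* Counter step quoted in the message: carry from word 12 into word 13. */
static void advance_with_carry(uint32_t input[16])
{
    if (++input[12] == 0)
        input[13]++;
}

/* Counter step with the overflow handling removed: word 12 just wraps. */
static void advance_ctr32(uint32_t input[16])
{
    input[12]++;
}

/* Word 13 of the state used for block number `block` (0-based), starting
 * from counter words {counter, w13}; carry selects the stepping variant. */
static uint32_t word13_at_block(int carry, uint32_t counter, uint32_t w13,
                                uint32_t block)
{
    uint32_t input[16] = {0};
    input[12] = counter;
    input[13] = w13; /* first nonce word in the RFC 7539 layout */
    while (block--)
        carry ? advance_with_carry(input) : advance_ctr32(input);
    return input[13];
}

/* Caller-side check: 1 if len bytes starting at `counter` use only counter
 * values <= 2^32 - 1, so neither variant ever reaches the overflow case. */
static int fits_ctr32(uint32_t counter, uint64_t len)
{
    uint64_t blocks = len / CHACHA_BLOCK + (len % CHACHA_BLOCK != 0);
    return blocks <= (UINT64_C(1) << 32) - counter;
}

int main(void)
{
    uint32_t X = 0x11223344u; /* constructed nonce word */
    printf("word13 carry=%08x ctr32=%08x\n",
           (unsigned)word13_at_block(1, 0xffffffffu, X, 1),
           (unsigned)word13_at_block(0, 0xffffffffu, X, 1));
    printf("2^38 bytes fit: %d, 2^38+1: %d\n", fits_ctr32(0, UINT64_C(1) << 38),
           fits_ctr32(0, (UINT64_C(1) << 38) + 1));
    return 0;
}
```

Past the boundary the carrying variant changes what RFC 7539 treats as the first nonce word, while the wrapping variant returns to counter 0 under the same nonce, so in both cases the caller has to keep each request within the bound.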


