[openssl-dev] [openssl.org #4512] ChaCha20_ctr32 function increments 64 bit counter?

Patrick Steuer via RT rt at openssl.org
Wed Apr 27 13:52:24 UTC 2016


Hi,

I'm aware it doesn't affect anything because the caller shouldn't process
more than 2^32 * 64 bytes per key/nonce setup anyway.

I was just wondering because it differs from the s390 asm implementation
(and whether there is a particular reason to do so).

Thanks for the reply.

Mit freundlichen Grüßen / Kind regards

Patrick Steuer

Crypto for Linux on z Systems
Phone: +49-7031-16-1600
Email: patrick.steuer at de.ibm.com
IBM Deutschland Research & Development GmbH
Schönaicher Str. 220, 71032 Böblingen



From:	Andy Polyakov via RT <rt at openssl.org>
To:	Patrick Steuer/Germany/IBM at IBMDE
Cc:	openssl-dev at openssl.org
Date:	27.04.2016 15:02
Subject:	Re: [openssl-dev] [openssl.org #4512] ChaCha20_ctr32 function increments 64 bit counter?



Hi,

> The following code in the ChaCha20_ctr32 function in
> crypto/chacha/chacha_enc.c looks like you are actually using an IV=[64bit
> counter||64 bit nonce] as specified in the "original Bernstein ChaCha"
> instead of IV=[32bit counter||96bit nonce] as specified in RFC7539.

Correct. While it's indeed confusing, it doesn't affect RFC7539
compliant operation, because the subroutine in question takes in a full-length
128-bit counter value and is essentially agnostic to where the nonce
starts. So the caller has control over the effective length of the nonce,
as well as, indirectly, the width of the counter. The latter can be achieved by
limiting the amount of processed data. I mean if the caller passes a 0XYZ
counter value (every digit/letter representing a 32-bit value and XYZ
being the nonce) but never asks to process more than 2^38 bytes, that
counter would never overstep the boundary.

> u32 input[16];
> [...]
> /* advance counter */
> if (++input[12] == 0)
>         input[13]++;

But even though it doesn't actually affect operation, it's appropriate
to remove the overflow handling, at least to harmonize with the subroutine
name, ChaCha20_ctr32, as well as with the assembly implementations.

Thanks for the report.


--
Ticket here: http://rt.openssl.org/Ticket/Display.html?id=4512
Please log in as guest with password guest if prompted

