EVP_chacha20 does not match RFC 7539 or documentation in nonce/counter split #21095
Labels
branch: master
Merge to master branch
branch: 3.0
Merge to openssl-3.0 branch
branch: 3.1
Merge to openssl-3.1
help wanted
triaged: bug
The issue/pr is/fixes a bug
triaged: documentation
The issue/pr deals with documentation (errors)
Comments
|
I assume we should just document the current implementation. A new feature would be to add a parameter to change to the 32/96 bit split implementation. |
t8m
added
triaged: documentation
paulidale
added a commit
to paulidale/openssl
that referenced
this issue
May 31, 2023
This was referenced May 31, 2023
|
But this does not really affect ChaCha20_Poly1305, since the counter[0] starts always at 0, |
|
That's my understanding. From what's discussed in C2SP/wycheproof#90, it seems like any overflow is extremely unlikely unless someone is trying to shoot themselves. I don't think that precludes us from implementing it in a standards compliant manner. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
RFC 7539 specified ChaCha20 with a 96-bit nonce and a 32-bit counter. Only 32 bits of the input is incremented across each block.
https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4
The original paper didn't specify a split but, prior to the RFC, 64-bit nonce with 64-bit counter was also common. A 96/32 and 64/64 split are very similar primitives, but not quite the same. OpenSSL's documentation says it implements the RFC formulation:
https://www.openssl.org/docs/manmaster/man3/EVP_chacha20.html
However, the implementation doesn't match this and uses a 64-bit counter.
openssl/crypto/evp/e_chacha20_poly1305.c
Lines 112 to 113 in b134300
See also C2SP/wycheproof#90
The text was updated successfully, but these errors were encountered: