EVP_chacha20 does not match RFC 7539 or documentation in nonce/counter split #21095
Labels
branch: master
Merge to master branch
branch: 3.0
Merge to openssl-3.0 branch
branch: 3.1
Merge to openssl-3.1
help wanted
triaged: bug
The issue/pr is/fixes a bug
triaged: documentation
The issue/pr deals with documentation (errors)
RFC 7539 specified ChaCha20 with a 96-bit nonce and a 32-bit counter. Only 32 bits of the input is incremented across each block.
https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4
The original paper didn't specify a split but, prior to the RFC, 64-bit nonce with 64-bit counter was also common. A 96/32 and 64/64 split are very similar primitives, but not quite the same. OpenSSL's documentation says it implements the RFC formulation:
https://www.openssl.org/docs/manmaster/man3/EVP_chacha20.html
However, the implementation doesn't match this and uses a 64-bit counter.
openssl/crypto/evp/e_chacha20_poly1305.c
Lines 112 to 113 in b134300
See also C2SP/wycheproof#90
The text was updated successfully, but these errors were encountered: