On Mon, 23 Jun 2014, Joseph M. Schwartz wrote:
> Hello,
>
> After reading the blog post here:
> http://insanecoding.blogspot.com/2014/06/avoid-incorrect-chacha20-implementations.html
> I went to test the implementation found here:
> http://www.openbsd.org/cgi-bin/cvsweb/src/lib/libssl/src/crypto/chacha/
>
> It seems that the implementation fails just like described in the blog
> post, as soon as ChaCha() is called with a length which is not a multiple
> of 64, all further uses of the method produce incorrect results.

Thanks for pointing this out - I've just fixed this in -current. The 
underlying ChaCha implementation (from djb) is written for single-shot use 
(as exposed via CRYPTO_chacha_20(), which is also used for ChaCha20Poly1305). 
I obviously overlooked this when I added the ChaCha() and EVP interfaces.

Regress tests already existed, however they did not trigger this specific 
issue. They've now been extended to cover the ChaCha interface (which was 
already tested via the EVP regress) with partial/single-byte writes.

> The blog's author provided an implementation which does not suffer from
> this problem, along with test vectors: http://chacha20.insanecoding.org/
> The license on that code appears to be friendly, although I don't know if
> the code itself is any good.

Performance-wise the implementation would be rather ordinary (as noted in the 
code) - the existing implementation does 64-byte blocks in 4-byte pieces, 
whereas this implementation does a byte a time. Additionally, the code is 
pretty horrific from a style perspective.

Strangely enough it also does not include the test vectors from one of the 
more obvious sources (draft-strombergson-chacha-test-vectors-01).
-- 

    "Action without study is fatal. Study without action is futile."
        -- Mary Ritter Beard

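Added example (not code from this thread, and not the OpenBSD libssl/libcrypto code under discussion): a small ChaCha20 in C that contrasts the two interfaces the reply distinguishes. chacha_xor_singleshot() behaves like a routine written for one call per message: every call starts on a fresh 64-byte block and the unused tail of the last block's keystream is discarded, which is exactly what goes wrong when such a routine is reused for partial writes. chacha_xor_stream() keeps the leftover keystream in the context and consumes it first, so calls of any length, single bytes included, produce the same output as one call over the whole message. All names here are this example's own; the message and chunk sizes are constructed, and the known-answer check uses the first keystream bytes for the all-zero 256-bit key and nonce (draft-strombergson TC1, later also RFC 8439 A.1 vector #1).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical ChaCha20 for this example: 20 rounds, 256-bit key,
 * 64-bit nonce and 64-bit block counter in the original djb layout. */
#define CHACHA_BLOCK 64

typedef struct {
    uint32_t input[16];        /* constants | key | counter | nonce */
    uint8_t  ks[CHACHA_BLOCK]; /* keystream of the most recently generated block */
    size_t   unused;           /* bytes of ks[] not yet XORed into output */
} chacha_ctx;

static uint32_t rotl32(uint32_t v, int c) { return (v << c) | (v >> (32 - c)); }
static uint32_t load32_le(const uint8_t *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store32_le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

#define QR(a, b, c, d) do {                      \
    a += b; d ^= a; d = rotl32(d, 16);           \
    c += d; b ^= c; b = rotl32(b, 12);           \
    a += b; d ^= a; d = rotl32(d, 8);            \
    c += d; b ^= c; b = rotl32(b, 7); } while (0)

/* One 64-byte keystream block for the counter in in[12..13]; does not advance it. */
static void chacha_block(const uint32_t in[16], uint8_t out[CHACHA_BLOCK]) {
    uint32_t x[16];
    memcpy(x, in, sizeof x);
    for (int i = 0; i < 10; i++) {               /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8],  x[12]); QR(x[1], x[5], x[9],  x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8],  x[13]); QR(x[3], x[4], x[9],  x[14]);
    }
    for (int i = 0; i < 16; i++) store32_le(out + 4 * i, x[i] + in[i]);
}

void chacha_init(chacha_ctx *ctx, const uint8_t key[32], const uint8_t nonce[8]) {
    ctx->input[0] = 0x61707865; ctx->input[1] = 0x3320646e;   /* "expand 32-byte k" */
    ctx->input[2] = 0x79622d32; ctx->input[3] = 0x6b206574;
    for (int i = 0; i < 8; i++) ctx->input[4 + i] = load32_le(key + 4 * i);
    ctx->input[12] = ctx->input[13] = 0;                       /* 64-bit block counter */
    ctx->input[14] = load32_le(nonce); ctx->input[15] = load32_le(nonce + 4);
    ctx->unused = 0;
}

/* Single-shot style: each call starts at a block boundary and throws away the
 * unused tail of the final block's keystream. Correct for one call per message,
 * wrong as soon as a call length is not a multiple of 64 and another call follows. */
void chacha_xor_singleshot(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, size_t len) {
    uint8_t ks[CHACHA_BLOCK];
    while (len > 0) {
        size_t n = len < CHACHA_BLOCK ? len : CHACHA_BLOCK;
        chacha_block(ctx->input, ks);
        if (++ctx->input[12] == 0) ctx->input[13]++;
        for (size_t i = 0; i < n; i++) c[i] = m[i] ^ ks[i];
        m += n; c += n; len -= n;
    }
}

/* Streaming style: leftover keystream stays in ctx->ks and is consumed before a
 * new block is generated, so any split of the message gives identical output. */
void chacha_xor_stream(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, size_t len) {
    while (len > 0) {
        if (ctx->unused == 0) {
            chacha_block(ctx->input, ctx->ks);
            if (++ctx->input[12] == 0) ctx->input[13]++;
            ctx->unused = CHACHA_BLOCK;
        }
        size_t n = len < ctx->unused ? len : ctx->unused;
        const uint8_t *k = ctx->ks + (CHACHA_BLOCK - ctx->unused);
        for (size_t i = 0; i < n; i++) c[i] = m[i] ^ k[i];
        m += n; c += n; len -= n; ctx->unused -= n;
    }
}

/* Encrypt a constructed message (len <= 256, all-zero key/nonce) twice with xor_fn:
 * once in a single call, once in chunks of odd sizes. Returns 1 if the two
 * ciphertexts agree, 0 if they differ. */
typedef void (*chacha_xor_fn)(chacha_ctx *, const uint8_t *, uint8_t *, size_t);
int chacha_chunked_matches(chacha_xor_fn xor_fn, size_t len) {
    static const size_t chunk[] = {1, 7, 13, 64, 3, 60, 2};
    uint8_t key[32] = {0}, nonce[8] = {0}, msg[256], whole[256], pieces[256];
    chacha_ctx a, b;
    if (len > sizeof msg) return 0;
    for (size_t i = 0; i < len; i++) msg[i] = (uint8_t)i;
    chacha_init(&a, key, nonce); chacha_init(&b, key, nonce);
    xor_fn(&a, msg, whole, len);
    for (size_t off = 0, k = 0; off < len; k++) {
        size_t n = chunk[k % 7] < len - off ? chunk[k % 7] : len - off;
        xor_fn(&b, msg + off, pieces + off, n);
        off += n;
    }
    return memcmp(whole, pieces, len) == 0;
}

/* Known-answer check: first 16 keystream bytes for the all-zero 256-bit key and
 * zero nonce (draft-strombergson TC1 / RFC 8439 A.1 #1). Returns 1 on match. */
int chacha_zero_keystream_ok(void) {
    static const uint8_t expect[16] = {0x76,0xb8,0xe0,0xad,0xa0,0xf1,0x3d,0x90,
                                       0x40,0x5d,0x6a,0xe5,0x53,0x86,0xbd,0x28};
    uint8_t key[32] = {0}, nonce[8] = {0}, out[16] = {0};
    chacha_ctx ctx;
    chacha_init(&ctx, key, nonce);
    chacha_xor_stream(&ctx, out, out, sizeof out);   /* XOR with zeros = raw keystream */
    return memcmp(out, expect, sizeof out) == 0;
}
```

chacha_chunked_matches(chacha_xor_stream, 200) returns 1 while chacha_chunked_matches(chacha_xor_singleshot, 200) returns 0: the very first 1-byte chunk leaves 63 bytes of block 0 unused, and the single-shot routine never comes back for them. This chunked-versus-whole comparison is the kind of regress test that catches the bug the thread describes, where a plain known-answer vector applied in one call does not.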