On 5 August 2015 at 11:13, Wan-Teh Chang <w...@google.com> wrote:
> Then, define the ChaChaNonce struct as described in the draft-TLS 1.3.
>
> struct {
>     opaque nonce[12];
> } ChaChaNonce;
>
> 1. The 64-bit record sequence number is padded to the left with
>    zeroes to 96 bits (12 octets).
> 2. The padded sequence number is XORed with either the
>    client_write_IV (when the client is sending) or the
>    server_write_IV (when the server is sending)
> 3. Store the XOR result in ChaChaNonce.nonce.

This looks fine. Note that the general construction in TLS 1.3
should be, more formally:

  assert(N_MAX > 64bits)
  nonce = {client|server}_{read|write}_IV[0..N_MAX] XOR lpad0(seq_num)

Of course, ChaChaX sets N_MAX to 96 bits, so what you described was correct.

--Martin
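
The nonce construction discussed in this thread, as an added Python example (not code from either poster or from any TLS implementation). The IV bytes are constructed sample values, and `lpad0`, `record_nonce` and `WriteState` are hypothetical names; the length check mirrors the assert exactly as written in the reply.

```python
SEQ_BITS = 64  # the record sequence number is 64 bits wide


def lpad0(seq_num: int, n_bytes: int) -> bytes:
    """Big-endian sequence number, padded on the left with zeroes to n_bytes."""
    if not 0 <= seq_num < (1 << SEQ_BITS):
        raise ValueError("sequence number must fit in 64 bits")
    return seq_num.to_bytes(n_bytes, "big")


def record_nonce(write_iv: bytes, seq_num: int) -> bytes:
    """nonce = write_IV[0..N_MAX] XOR lpad0(seq_num), N_MAX = len(write_iv)."""
    # Strict inequality, as in the message: assert(N_MAX > 64bits)
    if len(write_iv) * 8 <= SEQ_BITS:
        raise ValueError("IV must be wider than the 64-bit sequence number")
    padded = lpad0(seq_num, len(write_iv))
    return bytes(i ^ p for i, p in zip(write_iv, padded))


class WriteState:
    """One sending direction: a fixed write IV and a counter that never wraps."""

    def __init__(self, write_iv: bytes):
        self.write_iv = write_iv
        self.seq_num = 0

    def next_nonce(self) -> bytes:
        # Wrapping the counter would repeat a nonce under the same key.
        if self.seq_num >= (1 << SEQ_BITS):
            raise OverflowError("sequence number exhausted; rekey or close")
        nonce = record_nonce(self.write_iv, self.seq_num)
        self.seq_num += 1
        return nonce


# Constructed 96-bit sample IVs (not taken from any real handshake).
CLIENT_WRITE_IV = bytes.fromhex("000102030405060708090a0b")
SERVER_WRITE_IV = bytes.fromhex("a0a1a2a3a4a5a6a7a8a9aaab")

if __name__ == "__main__":
    client = WriteState(CLIENT_WRITE_IV)
    server = WriteState(SERVER_WRITE_IV)
    for _ in range(3):
        print(client.next_nonce().hex(), server.next_nonce().hex())
```

Because the IV is fixed per direction and XOR with a fixed value is a bijection, distinct sequence numbers always yield distinct nonces within one direction.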