nisse@lysator.liu.se (Niels Möller) writes:
I would guess that means that we got 209 bytes, including the 16-byte poly1305 authentication tag. Message size is then 209 - 16 = 193 bytes. If the first byte is a TLS packet type, the "length: 192" in the next to last line makes sense if the packet type byte is excluded. Right?
I've found one problem, although I don't see that it would cause precisely the reported problem. It would result in incorrect encrypt/decrypt of the data immediately after a call to chacha_crypt or chacha_crypt32 with 129 <= (length % 256) <= 192. In code used only on ppc64 with the new altivec chacha code enabled.
Tentative patch below, but I need to extend the tests to get proper test coverage of this case.
Regards, /Niels
diff --git a/chacha-crypt.c b/chacha-crypt.c index 081ebcf4..9db13183 100644 --- a/chacha-crypt.c +++ b/chacha-crypt.c @@ -80,13 +80,16 @@ _nettle_chacha_crypt_4core(struct chacha_ctx *ctx, while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_4core (x, ctx->state, CHACHA_ROUNDS); - ctx->state[12] += 4; - ctx->state[13] += (ctx->state[12] < 4); if (length <= 4*CHACHA_BLOCK_SIZE) { + uint32_t blocks = 3 + (length > 3*CHACHA_BLOCK_SIZE); + ctx->state[12] += blocks; + ctx->state[13] += (ctx->state[12] < blocks); memxor3 (dst, src, x, length); return; } + ctx->state[12] += 4; + ctx->state[13] += (ctx->state[12] < 4); memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
length -= 4*CHACHA_BLOCK_SIZE; @@ -200,12 +203,13 @@ _nettle_chacha_crypt32_4core(struct chacha_ctx *ctx, while (length > 2*CHACHA_BLOCK_SIZE) { _nettle_chacha_4core32 (x, ctx->state, CHACHA_ROUNDS); - ctx->state[12] += 4; if (length <= 4*CHACHA_BLOCK_SIZE) { + ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE); memxor3 (dst, src, x, length); return; } + ctx->state[12] += 4; memxor3 (dst, src, x, 4*CHACHA_BLOCK_SIZE);
length -= 4*CHACHA_BLOCK_SIZE;
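Review bot: The new expression 3 + (length > 3*CHACHA_BLOCK_SIZE) in the final-batch branch of _nettle_chacha_crypt_4core is only correct because the loop condition length > 2*CHACHA_BLOCK_SIZE rules out the one- and two-block cases, and nothing in the hunk says so. A one-line comment above the "uint32_t blocks" line stating that 3 or 4 blocks are consumed here would keep a later change to the loop bound from silently breaking the counter. The carry test ctx->state[13] += (ctx->state[12] < blocks) is consistent with the existing "< 4" form. As the message notes, this branch has no test coverage yet; a test that encrypts in two calls, with the first length in the 129..192 (mod 256) range, and compares against a single call over the same data would exercise it.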
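Review bot: In _nettle_chacha_crypt32_4core the block count is computed inline in ctx->state[12] += 3 + (length > 3*CHACHA_BLOCK_SIZE), while the first hunk uses a named local "blocks" for the same value. Using the same local here (or a shared helper for the count) would keep the two functions parallel and make it harder for one to be fixed without the other. The absence of a carry into ctx->state[13] matches the removed line, so that part is unchanged. The split-call test suggested for chacha_crypt should be repeated for chacha_crypt32, since this branch is a separate code path.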
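The counter drift described in the message above, as an added example that is not part of the original post or of Nettle's code: a C model of only the block-counter bookkeeping in the 4-core loop, before and after the patch. The names counter_advance, blocks_needed and count_mismatches are hypothetical, and the tail for lengths of at most two blocks (not shown in the diff) is assumed to advance the counter by ceil(length/64).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHACHA_BLOCK_SIZE 64

/* Keystream blocks a call of this length really consumes: ceil(length/64). */
static uint32_t blocks_needed(size_t length)
{
  return (uint32_t) ((length + CHACHA_BLOCK_SIZE - 1) / CHACHA_BLOCK_SIZE);
}

/* Model of the counter bookkeeping only (no cipher). patched == 0 follows the
   removed lines of the diff, patched != 0 the added lines. Assumption: the
   tail for length <= 2 blocks, not shown in the diff, advances correctly. */
static uint32_t counter_advance(size_t length, int patched)
{
  uint32_t counter = 0;
  while (length > 2*CHACHA_BLOCK_SIZE)
    {
      if (length <= 4*CHACHA_BLOCK_SIZE)
        return counter + (patched ? 3 + (length > 3*CHACHA_BLOCK_SIZE) : 4);
      counter += 4;
      length -= 4*CHACHA_BLOCK_SIZE;
    }
  return counter + blocks_needed(length);
}

/* Count lengths in [0, max_len] whose counter advance is wrong and report
   the first and last such length (both left at 0 when there are none). */
static size_t count_mismatches(size_t max_len, int patched,
                               size_t *first, size_t *last)
{
  size_t n = 0;
  *first = *last = 0;
  for (size_t len = 0; len <= max_len; len++)
    if (counter_advance(len, patched) != blocks_needed(len))
      {
        if (n++ == 0) *first = len;
        *last = len;
      }
  return n;
}

int main(void)
{
  size_t first, last, n = count_mismatches(1023, 0, &first, &last);
  printf("pre-patch: %zu bad lengths, first %zu, last %zu\n", n, first, last);
  return count_mismatches(1023, 1, &first, &last) != 0;
}
```

In this model the pre-patch mismatches are exactly the lengths with 129 <= (length % 256) <= 192, where the counter ends one block too high, so a following call would start from the wrong keystream block.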