Daiki Ueno ueno@gnu.org writes:
Thank you so much! The patch fixes the issue (tested on gcc cfarm).
Thanks for testing. Pushed to master branch now. BTW, I could test ppc64el locally on my laptop fairly easily, I used:
# apt-get install -t testing gcc-powerpc64le-linux-gnu # dpkg --add-architecture ppc64el # apt-get update # apt-get install libc6:ppc64el
(I already had qemu-user and binfmt magic installed)
$ ~/hack/nettle/configure --host=powerpc64le-linux-gnu --enable-mini-gmp CXX=/bin/false $ make -j10 && make -j10 check
In the gdb trace, I see nettle_chacha_poly1305_encrypt() is called with the following length pattern: 128, 63, 128, 64, 192, 1, 192, 2. I can try to create a test case if necessary.
I see. And then it's the first call with length 192 that updates the counter value incorrectly (incrementing it by 4 instead of 3), with incorrect encryption on the next call. No calls with length 129, which would be the smallest one to trigger the bug.
You can have a look at the updated test and see if you think an additional test would be worthwhile. The loop testing various lengths start at https://git.lysator.liu.se/nettle/nettle/-/blob/master/testsuite/chacha-test..., and the code from line 219 and on is new.
Regards, /Niels