From 3299449a0b90a9eadf7a1bc8ab6dc01a0f3b5a42 Mon Sep 17 00:00:00 2001 From: tb Date: Thu, 24 Aug 2023 04:20:57 +0000 Subject: [PATCH] Clarify how the EVP IV is used with ChaCha EVP_chacha20() was aligned to follow OpenSSL's nonconformant implementation during a2k20 by djm and myself in an effort to allow OpenSSH to use the OpenSSL 1.1 API. Some corresponding OpenSSL 1.1 documentation was imported at the same time. A comment attempted to translate between implementation and the incorrect documentation, which was necessarily gibberish. Improve the situation by rephrasing and dropping nonsensical bits. Prompted by a question of schwarze
---
 lib/libcrypto/evp/e_chacha.c | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/lib/libcrypto/evp/e_chacha.c b/lib/libcrypto/evp/e_chacha.c
index add04884776..5cd03c7c8df 100644
--- a/lib/libcrypto/evp/e_chacha.c
+++ b/lib/libcrypto/evp/e_chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: e_chacha.c,v 1.12 2023/07/07 19:37:53 beck Exp $ */
+/* $OpenBSD: e_chacha.c,v 1.13 2023/08/24 04:20:57 tb Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -53,13 +53,11 @@ static const EVP_CIPHER chacha20_cipher = {
 .nid = NID_chacha20,
 .block_size = 1,
 .key_len = 32,
- /*
- * The 128 bit EVP IV is split for ChaCha into four 32 bit pieces:
- * counter[0] counter[1] iv[0] iv[1]
- * OpenSSL exposes these as:
- * openssl_iv = counter[0] iv[0] iv[1] iv[2]
- * Due to the cipher internal state's symmetry, these are functionally
- * equivalent.
+ /*
+ * The 16-byte EVP IV is split into 4 little-endian 4-byte words
+ * evpiv[15:12] evpiv[11:8] evpiv[7:4] evpiv[3:0]
+ * iv[1] iv[0] counter[1] counter[0]
+ * and passed as iv[] and counter[] to ChaCha_set_iv().
 */
 .iv_len = 16,
 .flags = EVP_CIPH_STREAM_CIPHER | EVP_CIPH_ALWAYS_CALL_INIT |
-- 2.20.1
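Review bot: The rewritten comment above `.iv_len = 16` gives the byte-to-word mapping but not what it means for a caller: read literally, evpiv[7:0] is the initial 64-bit block counter and only evpiv[15:8] is the nonce. Someone following the OpenSSL 1.1 text that the commit message calls incorrect may assume a 4-byte counter followed by a 12-byte nonce, so I would add a line such as `* Callers: bytes 0-7 are the initial block counter, bytes 8-15 the nonce, which must be unique per key.` before the closing `*/`. Whether the counter carries from counter[0] into counter[1] is not visible here and would be worth stating too, since it decides what happens to evpiv[7:4] on long streams. The chacha20_cipher initializer starts before and continues past this hunk.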