git.openssl.org Git - openssl.git/commit

author	slontis <shane.lontis@oracle.com>
	Fri, 27 Jan 2023 03:18:17 +0000 (13:18 +1000)
committer	Tomas Mraz <tomas@openssl.org>
	Mon, 30 Jan 2023 08:49:48 +0000 (09:49 +0100)
commit	b4120a155bad48fcac0ea5abe65a08eddfe9a4eb
tree	a6ac1c2c825d14ef95ce552409afb21a67bb2331	tree \| snapshot
parent	00e8275a8e4d6908310aa0cebbaa450782bfbb70	commit \| diff

ChaCha20-Poly1305 no longer supports truncated IV's.

Fixes #20084

In the 3.0 provider implementation the generic code that handles IV's
only allows a 12 byte IV. Older code intentionally added the ability for
the IV to be truncated.
As this truncation is unsafe, the documentation has been updated to
state that this in no longer allowed. The code has been updated to
produce an error when the iv length is set to any value other than 12.

NOTE: It appears that this additional padding may have originated from the code
which uses a 12 byte IV, that is then passed to CHACHA which zero pads it to 16 bytes.

Note that legacy behaviour in e_chacha20_poly1305.c has not been
updated.

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20151)

(cherry picked from commit a01152370676e7e11fb461cff8628eb50fa41b81)

doc/man3/EVP_EncryptInit.pod		diff \| blob \| history
doc/man7/migration_guide.pod		diff \| blob \| history
providers/implementations/ciphers/cipher_chacha20_poly1305.c		diff \| blob \| history
providers/implementations/ciphers/cipher_chacha20_poly1305.h		diff \| blob \| history
providers/implementations/ciphers/cipher_chacha20_poly1305_hw.c		diff \| blob \| history
test/recipes/30-test_evp_data/evpciph_chacha.txt		diff \| blob \| history