On Tue, Mar 31, 2015 at 9:22 AM, Niels Möller nisse@lysator.liu.se wrote:
Something that I just noticed is that chacha_poly1305_encrypt() returns a void value. However this function is limited to 2^32 data which is not really an expected upper bound.
At least the limit ought to be documented, and maybe backed up by an assert. I hesitate to add a return value for this. Where do you see a 2^32 limit? If I remember this correctly, it uses chacha with 96 bit nonce and 32 bit counter, where counter 0 is used for key setup. So this limits the message size to (2^32-1)*64, appr. 250 GB. If there is any smaller limit, that's likely a bug.
Indeed I meant 2^32 operations. My current hard drives are larger than 250 GB so I guess that is not a terrible limit. For gnutls it doesn't matter much as we encrypt per packet which are small, but if any applications use nettle to encrypt large files will trigger that. An assert() while is better than nothing it means a crash in the application that will attempt to encrypt that data, and I'm not sure that applications should be responsible for counting the data they input to individual ciphers. The limits change per cipher, and nettle already has a counter.
regards, Nikos