Nikos Mavrogiannopoulos nmav@gnutls.org writes:
I don't think I have anything. I remember I had an initial patch for the issues in https://www.mail-archive.com/nettle-bugs@lists.lysator.liu.se/msg01109.html but it didn't pass the test vectors. I can't find the patch though.
I'm adding it to plan.html, so I don't forget it.
Is it final then that openssh will not use the updated draft?
No idea. There have been no recent discussions on the ietf ssh list, and I don't follow openssh development.
But the ssh protocol is a bit special, since it encrypts the packet length field. With chacha-poly1305, I think it's natural to use the leftover bits of block 0 and xor them to the packet length, but iirc openssh used a separately keyed chacha instance instead.
Regards, /Niels
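
The two ways of hiding the packet length that the message contrasts, as an added Python example (not code from this thread, Nettle, or OpenSSH). The function names, the sample keys, and the use of the packet sequence number as a 12-byte RFC 8439 nonce are assumptions made for illustration.

```python
import struct

def _rotl(v, n):
    return ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """RFC 8439 block function: 32-byte key, 32-bit counter, 12-byte nonce."""
    init = list(struct.unpack("<4I", b"expand 32-byte k"))
    init += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    s = init[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        for a, b, c, d in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                           (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(s, a, b, c, d)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(s, init)))

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def seal_length_block0(key, nonce, length):
    """Single-key variant: bytes 0..31 of block 0 key Poly1305, and the first
    4 of the otherwise unused bytes 32..63 mask the 32-bit packet length."""
    block0 = chacha20_block(key, 0, nonce)
    poly_key, leftover = block0[:32], block0[32:]
    return poly_key, xor(struct.pack(">I", length), leftover[:4])

def open_length_block0(key, nonce, masked):
    """Receiver side of the single-key variant: recompute block 0, unmask."""
    leftover = chacha20_block(key, 0, nonce)[32:]
    return struct.unpack(">I", xor(masked, leftover[:4]))[0]

def seal_length_two_keys(k_len, k_main, nonce, length):
    """Two-key variant: a separate ChaCha instance keyed with k_len masks the length."""
    poly_key = chacha20_block(k_main, 0, nonce)[:32]
    return poly_key, xor(struct.pack(">I", length), chacha20_block(k_len, 0, nonce)[:4])

# Constructed sample values, not taken from any real session.
KEY = bytes(range(32))
K_LEN = bytes(range(32, 64))             # hypothetical second key for the length
NONCE = bytes(4) + struct.pack(">Q", 7)  # assumed: sequence number 7 as the nonce

if __name__ == "__main__":
    _, masked = seal_length_block0(KEY, NONCE, 1024)
    print(masked.hex(), open_length_block0(KEY, NONCE, masked))
```

The single-key variant needs one ChaCha block computation per packet to obtain both the Poly1305 key and the length mask, while the two-key variant computes a block under each key.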