From: Daiki Ueno dueno@redhat.com
While the documentation said the nonce size is 16 octets, the implementation actually assumed 12 octets following RFC 7539.
Signed-off-by: Daiki Ueno dueno@redhat.com --- nettle.texinfo | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-)
diff --git a/nettle.texinfo b/nettle.texinfo index 0b339f51..7d5e1780 100644 --- a/nettle.texinfo +++ b/nettle.texinfo @@ -3292,17 +3292,10 @@ except that @var{cipher} and @var{f} are replaced with a context structure. ChaCha-Poly1305 is a combination of the ChaCha stream cipher and the poly1305 message authentication code (@pxref{Poly1305}). It originates from the NaCl cryptographic library by D. J. Bernstein et al, which -defines a similar construction but with Salsa20 instead of ChaCha. - -Nettle's implementation ChaCha-Poly1305 should be considered -@strong{experimental}. At the time of this writing, there is no -authoritative specification for ChaCha-Poly1305, and a couple of -different incompatible variants. Nettle implements it using the original -definition of ChaCha, with 64 bits (8 octets) each for the nonce and the -block counter. Some protocols prefer to use nonces of 12 bytes, and it's -a small change to ChaCha to use the upper 32 bits of the block counter -as a nonce, instead limiting message size to @math{2^32} blocks or 256 -GBytes, but that variant is currently not supported. +defines a similar construction but with Salsa20 instead of ChaCha. + +Nettle's implementation of ChaCha-Poly1305 follows @cite{RFC 7539}. +Unlike the original definition of ChaCha, the nonces are of 12 bytes.
For ChaCha-Poly1305, the ChaCha cipher is initialized with a key, of 256 bits, and a per-message nonce. The first block of the key stream @@ -3331,7 +3324,7 @@ ChaCha-Poly1305 key size, 32. @end defvr
@defvr Constant CHACHA_POLY1305_NONCE_SIZE -Same as the ChaCha nonce size, 16. +ChaCha-Poly1305 nonce size, 12. @end defvr
@defvr Constant CHACHA_POLY1305_DIGEST_SIZE