If a chacha operation does not consume all of the generated key stream,

ensure that we save it and consume it on subsequent writes. Otherwise we
end up discarding part of the key stream and instead generate a new block
at the start of the next write.

This was only an issue for callers that did multiple writes that are not
multiples of 64 bytes - in particular, the ChaCha20Poly1305 usage does not
hit this problem since it performs encryption in a single-shot. For the
same reason, this is also a non-issue when openssl(1) is used to encrypt
with ChaCha.

Issue identified by insane coder; reported to bugs@ by Joseph M. Schwartz.

ok beck@

6 files changed, 92 insertions, 14 deletions

diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c
index 25092b16da..a665fb316f 100644
--- a/src/lib/libcrypto/chacha/chacha-merged.c
+++ b/src/lib/libcrypto/chacha/chacha-merged.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha-merged.c,v 1.5 2014/06/24 17:48:30 jsing Exp $ */
+/* $OpenBSD: chacha-merged.c,v 1.6 2014/06/24 18:12:09 jsing Exp $ */
 /*
 chacha-merged.c version 20080118
 D. J. Bernstein
@@ -7,16 +7,18 @@ Public domain.
 
 #include <sys/types.h>
 
-struct chacha_ctx {
-        u_int input[16];
-};
-
 #define CHACHA_MINKEYLEN        16
 #define CHACHA_NONCELEN         8
 #define CHACHA_CTRLEN           8
 #define CHACHA_STATELEN         (CHACHA_NONCELEN+CHACHA_CTRLEN)
 #define CHACHA_BLOCKLEN         64
 
+struct chacha_ctx {
+        u_int input[16];
+        u_int8_t ks[CHACHA_BLOCKLEN];
+        u_int8_t unused;
+};
+
 static inline void chacha_keysetup(struct chacha_ctx *x, const u_char *k,
     u_int kbits)
     __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
@@ -187,6 +189,25 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
                 x14 = PLUS(x14, j14);
                 x15 = PLUS(x15, j15);
 
+                if (bytes < 64) {
+                        U32TO8_LITTLE(x->ks + 0, x0);
+                        U32TO8_LITTLE(x->ks + 4, x1);
+                        U32TO8_LITTLE(x->ks + 8, x2);
+                        U32TO8_LITTLE(x->ks + 12, x3);
+                        U32TO8_LITTLE(x->ks + 16, x4);
+                        U32TO8_LITTLE(x->ks + 20, x5);
+                        U32TO8_LITTLE(x->ks + 24, x6);
+                        U32TO8_LITTLE(x->ks + 28, x7);
+                        U32TO8_LITTLE(x->ks + 32, x8);
+                        U32TO8_LITTLE(x->ks + 36, x9);
+                        U32TO8_LITTLE(x->ks + 40, x10);
+                        U32TO8_LITTLE(x->ks + 44, x11);
+                        U32TO8_LITTLE(x->ks + 48, x12);
+                        U32TO8_LITTLE(x->ks + 52, x13);
+                        U32TO8_LITTLE(x->ks + 56, x14);
+                        U32TO8_LITTLE(x->ks + 60, x15);
+                }
+
                 x0 = XOR(x0, U8TO32_LITTLE(m + 0));
                 x1 = XOR(x1, U8TO32_LITTLE(m + 4));
                 x2 = XOR(x2, U8TO32_LITTLE(m + 8));
@@ -237,6 +258,7 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
                         }
                         x->input[12] = j12;
                         x->input[13] = j13;
+                        x->unused = 64 - bytes;
                         return;
                 }
                 bytes -= 64;
diff --git a/src/lib/libcrypto/chacha/chacha.c b/src/lib/libcrypto/chacha/chacha.c
index a12c824fe6..141b3e99f6 100644
--- a/src/lib/libcrypto/chacha/chacha.c
+++ b/src/lib/libcrypto/chacha/chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.c,v 1.4 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: chacha.c,v 1.5 2014/06/24 18:12:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -22,6 +22,7 @@ void
 ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key, uint32_t keybits)
 {
         chacha_keysetup((chacha_ctx *)ctx, key, keybits);
+        ctx->unused = 0;
 }
 
 void
@@ -29,11 +30,25 @@ ChaCha_set_iv(ChaCha_ctx *ctx, const unsigned char *iv,
     const unsigned char *counter)
 {
         chacha_ivsetup((chacha_ctx *)ctx, iv, counter);
+        ctx->unused = 0;
 }
 
 void
 ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, size_t len)
 {
+        unsigned char *k;
+        int i, l;
+
+        /* Consume remaining keystream, if any exists. */
+        if (ctx->unused > 0) {
+                k = ctx->ks + 64 - ctx->unused;
+                l = (len > ctx->unused) ? ctx->unused : len;
+                for (i = 0; i < l; i++)
+                        *(out++) = *(in++) ^ *(k++);
+                ctx->unused -= l;
+                len -= l;
+        }
+
         chacha_encrypt_bytes((chacha_ctx *)ctx, in, out, (uint32_t)len);
 }
 
diff --git a/src/lib/libcrypto/chacha/chacha.h b/src/lib/libcrypto/chacha/chacha.h
index 636770ad99..a221825d9e 100644
--- a/src/lib/libcrypto/chacha/chacha.h
+++ b/src/lib/libcrypto/chacha/chacha.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.h,v 1.4 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: chacha.h,v 1.5 2014/06/24 18:12:09 jsing Exp $ */
 /*
  * Copyright (c) Joel Sing <jsing@openbsd.org>
  *
@@ -32,6 +32,8 @@ extern "C" {
 
 typedef struct {
         unsigned int input[16];
+        unsigned char ks[64];
+        unsigned char unused;
 } ChaCha_ctx;
 
 void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key,
diff --git a/src/lib/libssl/src/crypto/chacha/chacha-merged.c b/src/lib/libssl/src/crypto/chacha/chacha-merged.c
index 25092b16da..a665fb316f 100644
--- a/src/lib/libssl/src/crypto/chacha/chacha-merged.c
+++ b/src/lib/libssl/src/crypto/chacha/chacha-merged.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha-merged.c,v 1.5 2014/06/24 17:48:30 jsing Exp $ */
+/* $OpenBSD: chacha-merged.c,v 1.6 2014/06/24 18:12:09 jsing Exp $ */
 /*
 chacha-merged.c version 20080118
 D. J. Bernstein
@@ -7,16 +7,18 @@ Public domain.
 
 #include <sys/types.h>
 
-struct chacha_ctx {
-        u_int input[16];
-};
-
 #define CHACHA_MINKEYLEN        16
 #define CHACHA_NONCELEN         8
 #define CHACHA_CTRLEN           8
 #define CHACHA_STATELEN         (CHACHA_NONCELEN+CHACHA_CTRLEN)
 #define CHACHA_BLOCKLEN         64
 
+struct chacha_ctx {
+        u_int input[16];
+        u_int8_t ks[CHACHA_BLOCKLEN];
+        u_int8_t unused;
+};
+
 static inline void chacha_keysetup(struct chacha_ctx *x, const u_char *k,
     u_int kbits)
     __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
@@ -187,6 +189,25 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
                 x14 = PLUS(x14, j14);
                 x15 = PLUS(x15, j15);
 
+                if (bytes < 64) {
+                        U32TO8_LITTLE(x->ks + 0, x0);
+                        U32TO8_LITTLE(x->ks + 4, x1);
+                        U32TO8_LITTLE(x->ks + 8, x2);
+                        U32TO8_LITTLE(x->ks + 12, x3);
+                        U32TO8_LITTLE(x->ks + 16, x4);
+                        U32TO8_LITTLE(x->ks + 20, x5);
+                        U32TO8_LITTLE(x->ks + 24, x6);
+                        U32TO8_LITTLE(x->ks + 28, x7);
+                        U32TO8_LITTLE(x->ks + 32, x8);
+                        U32TO8_LITTLE(x->ks + 36, x9);
+                        U32TO8_LITTLE(x->ks + 40, x10);
+                        U32TO8_LITTLE(x->ks + 44, x11);
+                        U32TO8_LITTLE(x->ks + 48, x12);
+                        U32TO8_LITTLE(x->ks + 52, x13);
+                        U32TO8_LITTLE(x->ks + 56, x14);
+                        U32TO8_LITTLE(x->ks + 60, x15);
+                }
+
                 x0 = XOR(x0, U8TO32_LITTLE(m + 0));
                 x1 = XOR(x1, U8TO32_LITTLE(m + 4));
                 x2 = XOR(x2, U8TO32_LITTLE(m + 8));
@@ -237,6 +258,7 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
                         }
                         x->input[12] = j12;
                         x->input[13] = j13;
+                        x->unused = 64 - bytes;
                         return;
                 }
                 bytes -= 64;
diff --git a/src/lib/libssl/src/crypto/chacha/chacha.c b/src/lib/libssl/src/crypto/chacha/chacha.c
index a12c824fe6..141b3e99f6 100644
--- a/src/lib/libssl/src/crypto/chacha/chacha.c
+++ b/src/lib/libssl/src/crypto/chacha/chacha.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.c,v 1.4 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: chacha.c,v 1.5 2014/06/24 18:12:09 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -22,6 +22,7 @@ void
 ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key, uint32_t keybits)
 {
         chacha_keysetup((chacha_ctx *)ctx, key, keybits);
+        ctx->unused = 0;
 }
 
 void
@@ -29,11 +30,25 @@ ChaCha_set_iv(ChaCha_ctx *ctx, const unsigned char *iv,
     const unsigned char *counter)
 {
         chacha_ivsetup((chacha_ctx *)ctx, iv, counter);
+        ctx->unused = 0;
 }
 
 void
 ChaCha(ChaCha_ctx *ctx, unsigned char *out, const unsigned char *in, size_t len)
 {
+        unsigned char *k;
+        int i, l;
+
+        /* Consume remaining keystream, if any exists. */
+        if (ctx->unused > 0) {
+                k = ctx->ks + 64 - ctx->unused;
+                l = (len > ctx->unused) ? ctx->unused : len;
+                for (i = 0; i < l; i++)
+                        *(out++) = *(in++) ^ *(k++);
+                ctx->unused -= l;
+                len -= l;
+        }
+
         chacha_encrypt_bytes((chacha_ctx *)ctx, in, out, (uint32_t)len);
 }
 
diff --git a/src/lib/libssl/src/crypto/chacha/chacha.h b/src/lib/libssl/src/crypto/chacha/chacha.h
index 636770ad99..a221825d9e 100644
--- a/src/lib/libssl/src/crypto/chacha/chacha.h
+++ b/src/lib/libssl/src/crypto/chacha/chacha.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.h,v 1.4 2014/06/12 15:49:28 deraadt Exp $ */
+/* $OpenBSD: chacha.h,v 1.5 2014/06/24 18:12:09 jsing Exp $ */
 /*
  * Copyright (c) Joel Sing <jsing@openbsd.org>
  *
@@ -32,6 +32,8 @@ extern "C" {
 
 typedef struct {
         unsigned int input[16];
+        unsigned char ks[64];
+        unsigned char unused;
 } ChaCha_ctx;
 
 void ChaCha_set_key(ChaCha_ctx *ctx, const unsigned char *key,