From 6a9c4d13fc97c0ad186e4d15839ef568659ebf6f Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Tue, 24 Jun 2014 18:12:09 +0000
Subject: If a chacha operation does not consume all of the generated key
 stream, ensure that we save it and consume it on subsequent writes. Otherwise
 we end up discarding part of the key stream and instead generate a new block
 at the start of the next write.

This was only an issue for callers that did multiple writes that are not
multiples of 64 bytes - in particular, the ChaCha20Poly1305 usage does not
hit this problem since it performs encryption in a single-shot. For the
same reason, this is also a non-issue when openssl(1) is used to encrypt
with ChaCha.

Issue identified by insane coder; reported to bugs@ by Joseph M. Schwartz.

ok beck@
---
 src/lib/libcrypto/chacha/chacha-merged.c | 32 +++++++++++++++++++++++++++-----
 1 file changed, 27 insertions(+), 5 deletions(-)

(limited to 'src/lib/libcrypto/chacha/chacha-merged.c')

diff --git a/src/lib/libcrypto/chacha/chacha-merged.c b/src/lib/libcrypto/chacha/chacha-merged.c
index 25092b16da..a665fb316f 100644
--- a/src/lib/libcrypto/chacha/chacha-merged.c
+++ b/src/lib/libcrypto/chacha/chacha-merged.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha-merged.c,v 1.5 2014/06/24 17:48:30 jsing Exp $ */
+/* $OpenBSD: chacha-merged.c,v 1.6 2014/06/24 18:12:09 jsing Exp $ */
 /*
 chacha-merged.c version 20080118
 D. J. Bernstein
@@ -7,16 +7,18 @@ Public domain.
 
 #include <sys/types.h>
 
-struct chacha_ctx {
-	u_int input[16];
-};
-
 #define CHACHA_MINKEYLEN 	16
 #define CHACHA_NONCELEN		8
 #define CHACHA_CTRLEN		8
 #define CHACHA_STATELEN		(CHACHA_NONCELEN+CHACHA_CTRLEN)
 #define CHACHA_BLOCKLEN		64
 
+struct chacha_ctx {
+	u_int input[16];
+	u_int8_t ks[CHACHA_BLOCKLEN];
+	u_int8_t unused;
+};
+
 static inline void chacha_keysetup(struct chacha_ctx *x, const u_char *k,
     u_int kbits)
     __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
@@ -187,6 +189,25 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
 		x14 = PLUS(x14, j14);
 		x15 = PLUS(x15, j15);
 
+		if (bytes < 64) {
+			U32TO8_LITTLE(x->ks + 0, x0);
+			U32TO8_LITTLE(x->ks + 4, x1);
+			U32TO8_LITTLE(x->ks + 8, x2);
+			U32TO8_LITTLE(x->ks + 12, x3);
+			U32TO8_LITTLE(x->ks + 16, x4);
+			U32TO8_LITTLE(x->ks + 20, x5);
+			U32TO8_LITTLE(x->ks + 24, x6);
+			U32TO8_LITTLE(x->ks + 28, x7);
+			U32TO8_LITTLE(x->ks + 32, x8);
+			U32TO8_LITTLE(x->ks + 36, x9);
+			U32TO8_LITTLE(x->ks + 40, x10);
+			U32TO8_LITTLE(x->ks + 44, x11);
+			U32TO8_LITTLE(x->ks + 48, x12);
+			U32TO8_LITTLE(x->ks + 52, x13);
+			U32TO8_LITTLE(x->ks + 56, x14);
+			U32TO8_LITTLE(x->ks + 60, x15);
+		}
+
 		x0 = XOR(x0, U8TO32_LITTLE(m + 0));
 		x1 = XOR(x1, U8TO32_LITTLE(m + 4));
 		x2 = XOR(x2, U8TO32_LITTLE(m + 8));
@@ -237,6 +258,7 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, u32 bytes)
 			}
 			x->input[12] = j12;
 			x->input[13] = j13;
+			x->unused = 64 - bytes;
 			return;
 		}
 		bytes -= 64;
-- 
cgit v1.2.3-55-g6feb