Re: [TLS] chacha/poly interop?

David Benjamin <davidben@chromium.org> Tue, 13 September 2016 00:10 UTC

Return-Path: <davidben@google.com>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7B90412B15A for <tls@ietfa.amsl.com>; Mon, 12 Sep 2016 17:10:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.207
X-Spam-Level:
X-Spam-Status: No, score=-4.207 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-1.508, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=chromium.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id EvchXgMRTTct for <tls@ietfa.amsl.com>; Mon, 12 Sep 2016 17:10:19 -0700 (PDT)
Received: from mail-oi0-x22b.google.com (mail-oi0-x22b.google.com [IPv6:2607:f8b0:4003:c06::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 263BC12B04E for <tls@ietf.org>; Mon, 12 Sep 2016 17:10:19 -0700 (PDT)
Received: by mail-oi0-x22b.google.com with SMTP id m11so345872755oif.1 for <tls@ietf.org>; Mon, 12 Sep 2016 17:10:19 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=chromium.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=RX03A6gjO412hYEoUdgjhbNGXsp0syTG4R1Edwt+JlM=; b=GdzLVI0wCQCYXOwblG3h/H0M91x7URoARsl42CiSCuQXoJVhPNBBSx/LM4GXuifKbV dPRRzfL0LPzHm+JGMbRAawlwvSNfEUViX1KBHR/g73+0VTbQXp8OTC7R0NzJf0/mYxgg VtFEAFy9hN8pz5D4caHiwsuiRHxHTZhNt079k=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=RX03A6gjO412hYEoUdgjhbNGXsp0syTG4R1Edwt+JlM=; b=ZntYGc5TvmizA0JYCNngLuGbgWtUuF/7Puj6FdzCyXYKmwhMVTbcuLizM/a0OWg9CL RGNjYUd+vHkajHKfH66FV8rF2+YQ2hHD8qa4I5asBB+cIJGiHtn83orM0qP2Ifa/lDEi gHqsVMdIGkUSOFkHM4EgKdsZHTdzvljFEIZoVCiFbRgN7lYF58ZJUfItLMMfphTIrReN 2QA0oq1dRQTpOevZ23LgHCggF08Tc4oJ5DxkznEZHzl8EHHt3N7YIKTkUb1iDfrsLjBs 4bN6mo/wn3Fuxu0RiRaFyv9Mpj0TZFsXEClkWr6+nMXC3+Lyh4rmsrIeD9D74jomkEwE Tebw==
X-Gm-Message-State: AE9vXwNbM3whdd8QHq/MCyRMG+vNZT9o2qbGtza2lSr7fm2CAF0/XjPhS9S7PamA2lRC41DdfMpmcziM23XO3RQL
X-Received: by 10.157.39.8 with SMTP id r8mr24384101ota.103.1473725418372; Mon, 12 Sep 2016 17:10:18 -0700 (PDT)
MIME-Version: 1.0
References: <ffd74054d64047cd9dfebc6e9fd6bc19@usma1ex-dag1mb1.msg.corp.akamai.com> <CAH8yC8nqiV-YKr7URdRozhtoWpDgCPhDgoPjE99iZw5Ct1Om+g@mail.gmail.com>
In-Reply-To: <CAH8yC8nqiV-YKr7URdRozhtoWpDgCPhDgoPjE99iZw5Ct1Om+g@mail.gmail.com>
From: David Benjamin <davidben@chromium.org>
Date: Tue, 13 Sep 2016 00:10:08 +0000
Message-ID: <CAF8qwaCcVxRh_9UFUgbs5KJfyGEC5vtoCpV6i-6oH3qAVfqP=A@mail.gmail.com>
To: noloader@gmail.com, "Salz, Rich" <rsalz@akamai.com>
Content-Type: multipart/alternative; boundary=001a113ac4580f3ff6053c587025
Archived-At: <https://mailarchive.ietf.org/arch/msg/tls/rLlMAXtkZvjM4T8BCx1bxSdKSVc>
Cc: "tls@ietf.org" <tls@ietf.org>
Subject: Re: [TLS] chacha/poly interop?
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tls/>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Sep 2016 00:10:21 -0000

On Mon, Sep 12, 2016 at 7:35 PM Jeffrey Walton <noloader@gmail.com> wrote:

> On Wed, Dec 9, 2015 at 8:02 PM, Salz, Rich <rsalz@akamai.com> wrote:
> > OpenSSL just landed our chacha/poly implementation into master.  We pass
> the
> > RFC test vectors, looking for other implementations to test against.
>
> Sorry to dig up an old thread....
>
> I tested against Bernstein/ECRYPT ChaCha and test vectors from
> http://tools.ietf.org/html/draft-strombergson-chacha-test-vectors.
> TLS-ChaCha
> <http://tools.ietf.org/html/draft-strombergson-chacha-test-vectors.TLS-ChaCha>
> does not inter-operate with ChaCha.
>
> The name should probably be disambiguated somehow.
>

TLS-ChaCha is actually RFC 7539 which comes with its own test vectors and
isn't TLS-specific.

Our implementation matches RFC 7539 and seems to match the one test vector
I tried too. Note that that draft includes a number of things like 128-bit
keys and 8 or 12 rounds which are not applicable. The test vector whose
answer begins "0x76 0xb8 0xe0 0xad 0xa0" is the one you want.

Were you perhaps using the 128-bit key test vector? RFC 7539 doesn't use
that mode. It doesn't seem even be described in the paper, though it is in
the reference implementation. (Looks like the constants change and you put
two copies of the key in.)

David