RFC 7539, "ChaCha20 and Poly1305 for IETF Protocols", May 2015

Note: This RFC has been obsoleted by RFC 8439

Errata ID: 4371
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Adam Eijdenberg
Date Reported: 2015-05-21
Verifier Name: Lars Eggert
Date Verified: 2015-06-03

Section 2.8.1 says:

         mac_data |= num_to_4_le_bytes(aad.length)
         mac_data |= num_to_4_le_bytes(ciphertext.length)

It should say:

         mac_data |= num_to_8_le_bytes(aad.length)
         mac_data |= num_to_8_le_bytes(ciphertext.length)

Notes:

Per section 2.8 the lengths should be 64-bit (8 bytes), not 4.

After this change the pseudo-code output matches the test vectors shown in 2.8.2.

Report New Errata