RFC Errata
RFC 8439, "ChaCha20 and Poly1305 for IETF Protocols", June 2018
Source of RFC: IRTF
Errata ID: 7880
Status: Reported
Type: Technical
Publication Format(s) : TEXT
Reported By: Volker Diels-Grabsch
Date Reported: 2024-04-03
Section 2.4.1 says:
encrypted_message |= (block^key_stream)[0..len(plaintext)%64]
It should say:
encrypted_message |= (block^key_stream)[0..(len(plaintext)%64)-1]
Notes:
If the plaintext size is not a multiple of 64 bytes, there is an off-by-one error in appending the final block of the encrypted message. In the original version, the encrypted message would always be one byte larger than the plaintext.
The corrected version ensures that the encrypted message size is always equal to the plaintext size.
For completeness: If the plaintext size is a multiple of 64 bytes, the second part of the code is skipped. Hence, this off-by-one error is not triggered in that specific case.
(Non-)relation to correction 5989: The "original text", as quoted here, assumes that correction 5989 has already been applied. Correction 5989 deals with a different issue of this line of code, namely, the replacement of "+=" by "|=". This is completely orthogonal to the off-by-one error described here.