RFC Errata
Found 4 records.
Status: Verified (4)
RFC 7539, "ChaCha20 and Poly1305 for IETF Protocols", May 2015
Note: This RFC has been obsoleted by RFC 8439
Source of RFC: IRTF
Errata ID: 4371
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Adam Eijdenberg
Date Reported: 2015-05-21
Verifier Name: Lars Eggert
Date Verified: 2015-06-03
Section 2.8.1 says:
mac_data |= num_to_4_le_bytes(aad.length) mac_data |= num_to_4_le_bytes(ciphertext.length)
It should say:
mac_data |= num_to_8_le_bytes(aad.length) mac_data |= num_to_8_le_bytes(ciphertext.length)
Notes:
Per section 2.8 the lengths should be 64-bit (8 bytes), not 4.
After this change the pseudo-code output matches the test vectors shown in 2.8.2.
Errata ID: 4700
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Martin Thomson
Date Reported: 2016-05-24
Verifier Name: Lars Eggert
Date Verified: 2016-06-08
Section 2.8 says:
The output from the AEAD is twofold: o A ciphertext of the same length as the plaintext. o A 128-bit tag, which is the output of the Poly1305 function.
It should say:
The output from the AEAD is the concatenation of: o A ciphertext of the same length as the plaintext. o A 128-bit tag, which is the output of the Poly1305 function.
Notes:
Section 2.1 of RFC 5116 defines the AEAD interface, and that interface produces a single output, C (or an error).
Errata ID: 4858
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Timm Korte
Date Reported: 2016-11-10
Verifier Name: Lars Eggert
Date Verified: 2016-11-13
Section 2.8. says:
1. The amount of encrypted data possible in a single invocation is 2^32-1 blocks of 64 bytes each, because of the size of the block counter field in the ChaCha20 block function. This gives a total of 247,877,906,880 bytes, or nearly 256 GB.
It should say:
1. The amount of encrypted data possible in a single invocation is 2^32-1 blocks of 64 bytes each, because of the size of the block counter field in the ChaCha20 block function. This gives a total of 274,877,906,880 bytes, or nearly 256 GB.
Notes:
There is an error in the result of the P_MAX = ((2^32) - 1) * 64 calculation.
The correct value is 2_74_,877,906,880 while the document states 2_47_,877,906,880.
This error has already been adopted by multiple implementations as P_MAX value.
Errata ID: 4861
Status: Verified
Type: Technical
Publication Format(s) : TEXT
Reported By: Timm Korte
Date Reported: 2016-11-10
Verifier Name: Lars Eggert
Date Verified: 2016-11-13
Section 2.8. says:
o C_MAX = P_MAX + tag length = 247,877,906,896 octets.
It should say:
o C_MAX = P_MAX + tag length = 274,877,906,896 octets.
Notes:
When reviewing errata 4858, Adam Langely and Yoav Nir identified that this text should also be changed.
(This errata was created by duplicating 4858 in the system by Lars Eggert.)