Change |CRYPTO_chacha_20| to use 96-bit nonces, 32-bit counters.
The new function |CRYPTO_chacha_96_bit_nonce_from_64_bit_nonce| can be
used to adapt code that uses 64-bit nonces, in a way that is
compatible with the old semantics.
Change-Id: I83d5b2d482e006e82982f58c9f981e8078c3e1b0
Reviewed-on: https://boringssl-review.googlesource.com/6100
Reviewed-by: Adam Langley <alangley@gmail.com>
diff --git a/crypto/rand/rand.c b/crypto/rand/rand.c
index 8076b78..8b11728 100644
--- a/crypto/rand/rand.c
+++ b/crypto/rand/rand.c
@@ -159,17 +159,21 @@
if (todo > kMaxBytesPerCall) {
todo = kMaxBytesPerCall;
}
- CRYPTO_chacha_20(buf, buf, todo, state->key,
- (uint8_t *)&state->calls_used, 0);
+ uint8_t nonce[12];
+ memset(nonce, 0, 4);
+ memcpy(nonce + 4, &state->calls_used, sizeof(state->calls_used));
+ CRYPTO_chacha_20(buf, buf, todo, state->key, nonce, 0);
buf += todo;
remaining -= todo;
state->calls_used++;
}
} else {
if (sizeof(state->partial_block) - state->partial_block_used < len) {
+ uint8_t nonce[12];
+ memset(nonce, 0, 4);
+ memcpy(nonce + 4, &state->calls_used, sizeof(state->calls_used));
CRYPTO_chacha_20(state->partial_block, state->partial_block,
- sizeof(state->partial_block), state->key,
- (uint8_t *)&state->calls_used, 0);
+ sizeof(state->partial_block), state->key, nonce, 0);
state->partial_block_used = 0;
}