Description
I have been fuzzing OpenSSL's implementation of several AEAD ciphers in OpenSSL 1.1.1a.
For chacha20-poly1305, OpenSSL supports an IV where IV >= 1 byte and IV <= 16 bytes (CHACHA_CTR_SIZE), with the default IV being 12 bytes or 96 bits.
However, fuzzing revealed test vectors where 4 bytes of the IV range can be modified by an attacker, without EVP_CipherFinal_ex() detecting the corruption.
This means that where authenticated messages use chacha20-poly1305 as AEAD cipher, and where a 128-bit nonce is included in the authenticated message (instead of the default 96-bit nonce), an attacker can modify 4 bytes of the authenticated message without detection.
Here are test vectors showing IVs for which these collisions are possible:
algorithm=chacha20-poly1305
enc=0 (decrypting...)
key=5afd42de4b3da741009ce0f6e8fdf9d3e05142d4dd4998b19c192379523a7c62 (32 bytes)
iv=bab79b546a22cb759a2a7dbcf033 (14 bytes) [corrupt at offset 0, original=b9b79b546a22cb759a2a7dbcf033]
ciphertext=1bc91bf03ef31fa4df81341172b24241697d1313 (20 bytes)
aad=130afce35153a185dd55a5315fa03fdb67ce4a053f58 (22 bytes)
tag=5e202b695689a6d0bbe57aed922bac61 (16 bytes)
TAMPERING NOT DETECTED
algorithm=chacha20-poly1305
enc=0 (decrypting...)
key=c4a70a7cd67c6e0499a323fe85288b946d6d1b5103c6f9b50f5b0dfb92f9edb9 (32 bytes)
iv=765935269f6e019f8ae5aae8353df7 (15 bytes) [corrupt at offset 1, original=765835269f6e019f8ae5aae8353df7]
ciphertext=a59d24 (3 bytes)
aad=a89b005817a4103bc034b004c3afc5c534e85d3650513640df36 (26 bytes)
tag=ced3b91249e3a0ecb3f39b83f6fcd9 (15 bytes)
TAMPERING NOT DETECTED
algorithm=chacha20-poly1305
enc=0 (decrypting...)
key=4e090c4887311123b914fabebd4ed066ce5ee6bc4695d20e34f19b4b99ae1bf7 (32 bytes)
iv=fe97b3cd475439553a585d5982fb0aed (16 bytes) [corrupt at offset 2, original=fe97b2cd475439553a585d5982fb0aed]
ciphertext=95a448b9f3499e1d9f1cee55cede31ecf09d1e07a67b98d9ba92afea1e (29 bytes)
aad=3cdc133a0e16d2df9e0469 (11 bytes)
tag=c2650e0f8db4cd484defa126d108d4 (15 bytes)
TAMPERING NOT DETECTED
algorithm=chacha20-poly1305
enc=0 (decrypting...)
key=e3c30b4556809968baf0277bfdd716a2059cc8d1652310130e49f845318ccf58 (32 bytes)
iv=2309bdf81e51fd18661466a4ccaf29ee (16 bytes) [corrupt at offset 3, original=2309bdf71e51fd18661466a4ccaf29ee]
ciphertext=81bf678661c6d8635aef310f41fed675e27efd54a60cf070710d9f8c43 (29 bytes)
aad=(0 bytes)
tag=52d7f5c6a131b7f5d236805afa8d (14 bytes)
TAMPERING NOT DETECTED
I understand that 96-bit nonces are the default, but accepting 128 bits is dangerous if it allows the possibility of tampering with the cipher's context.
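To make the observation above checkable offline, here is an added example (my code, not OpenSSL's and not the reporter's fuzzer): a pure-Python RFC 8439 ChaCha20-Poly1305 together with a model of how OpenSSL's EVP layer maps a 1..16-byte IV onto the cipher state. The model is my reading of e_chacha20_poly1305.c in 1.1.1 and is an assumption, not something the report states: the IV is left-padded with zeros to 16 bytes, the first four bytes of that block land in the 32-bit ChaCha20 block-counter slot, and the AEAD overwrites that counter with 0 (Poly1305 key block) and 1 (first data block) before use, so only the trailing 12 bytes ever reach the keystream or the tag. Under that model an IV of n > 12 bytes has n - 12 leading bytes that no tag can cover, which is exactly the corrupt offsets in the four vectors (0..1 for 14 bytes, 0..2 for 15, 0..3 for 16). The block checks the reference AEAD against the RFC 8439 section 2.8.2 test vector, shows which IV byte flips go undetected for a constructed key and IV, and replays the report's first and fourth vectors (the ones with 14- and 16-byte IVs, including a truncated 14-byte tag) through the model so the hypothesis can be tested against the report's own data.

```python
import hmac
import struct

# Reference RFC 8439 ChaCha20-Poly1305 (pure Python, slow, for analysis only).

def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & 0xFFFFFFFF; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & 0xFFFFFFFF; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, counter, nonce):
    """One 64-byte keystream block: state = constants | key | 32-bit counter | 96-bit nonce."""
    state = list(struct.unpack("<16I", b"expand 32-byte k" + key + struct.pack("<I", counter) + nonce))
    w = state[:]
    for _ in range(10):  # 20 rounds = 10 column/diagonal double rounds
        for qr in ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
                   (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14)):
            _quarter_round(w, *qr)
    return struct.pack("<16I", *((x + y) & 0xFFFFFFFF for x, y in zip(w, state)))

def chacha20_xor(key, counter, nonce, data):
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, counter + i // 64, nonce)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def poly1305_mac(otk, msg):
    r = int.from_bytes(otk[:16], "little") & 0x0FFFFFFC0FFFFFFC0FFFFFFC0FFFFFFF
    s = int.from_bytes(otk[16:], "little")
    p, acc = (1 << 130) - 5, 0
    for i in range(0, len(msg), 16):
        blk = msg[i:i + 16]
        acc = ((acc + int.from_bytes(blk, "little") + (1 << (8 * len(blk)))) * r) % p
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(16, "little")

def _mac_input(aad, ct):
    pad = lambda b: b"\x00" * (-len(b) % 16)
    return aad + pad(aad) + ct + pad(ct) + struct.pack("<QQ", len(aad), len(ct))

def aead_seal(key, nonce, plaintext, aad):
    otk = chacha20_block(key, 0, nonce)[:32]      # block 0 -> Poly1305 one-time key
    ct = chacha20_xor(key, 1, nonce, plaintext)   # data keystream starts at block 1
    return ct, poly1305_mac(otk, _mac_input(aad, ct))

def aead_open(key, nonce, ct, aad, tag):
    """Plaintext, or None on tag mismatch. A tag shorter than 16 bytes is compared
    as a prefix, mirroring the truncated tags in the report's vectors."""
    expected = poly1305_mac(chacha20_block(key, 0, nonce)[:32], _mac_input(aad, ct))
    if not 1 <= len(tag) <= 16 or not hmac.compare_digest(expected[:len(tag)], tag):
        return None
    return chacha20_xor(key, 1, nonce, ct)

# Model of the EVP IV handling (ASSUMPTION: my reading of OpenSSL 1.1.1's
# e_chacha20_poly1305.c, not stated in the report): a 1..16-byte IV is left-padded
# with zeros to 16 bytes; bytes 0..3 are the block counter, which the AEAD resets
# to 0 and 1 anyway; bytes 4..15 are the 96-bit nonce that reaches cipher and tag.
CHACHA_CTR_SIZE = 16

def openssl_effective_nonce(iv):
    if not 1 <= len(iv) <= CHACHA_CTR_SIZE:
        raise ValueError("chacha20-poly1305 IV must be 1..16 bytes")
    return (bytes(CHACHA_CTR_SIZE - len(iv)) + iv)[4:]

def unbound_iv_bytes(iv):
    """Leading IV bytes that never influence keystream or tag under this model."""
    return max(0, len(iv) - 12)

def tamper_is_undetected(key, iv, plaintext, aad, offset):
    """Seal under `iv`, flip IV byte `offset`, open with the modified IV.
    True means the tag still verifies, i.e. that byte is not authenticated."""
    ct, tag = aead_seal(key, openssl_effective_nonce(iv), plaintext, aad)
    modified = bytearray(iv)
    modified[offset] ^= 0x01
    return aead_open(key, openssl_effective_nonce(bytes(modified)), ct, aad, tag) is not None

# First and fourth vectors copied from the report above.
REPORT_VECTORS = [
    dict(key="5afd42de4b3da741009ce0f6e8fdf9d3e05142d4dd4998b19c192379523a7c62",
         iv="bab79b546a22cb759a2a7dbcf033", iv_original="b9b79b546a22cb759a2a7dbcf033",
         ct="1bc91bf03ef31fa4df81341172b24241697d1313",
         aad="130afce35153a185dd55a5315fa03fdb67ce4a053f58",
         tag="5e202b695689a6d0bbe57aed922bac61"),
    dict(key="e3c30b4556809968baf0277bfdd716a2059cc8d1652310130e49f845318ccf58",
         iv="2309bdf81e51fd18661466a4ccaf29ee", iv_original="2309bdf71e51fd18661466a4ccaf29ee",
         ct="81bf678661c6d8635aef310f41fed675e27efd54a60cf070710d9f8c43",
         aad="", tag="52d7f5c6a131b7f5d236805afa8d"),
]

def report_vector_opens(vec):
    """(opens with the original IV, opens with the corrupted IV) for one report vector."""
    key, ct, aad, tag = (bytes.fromhex(vec[k]) for k in ("key", "ct", "aad", "tag"))
    return tuple(aead_open(key, openssl_effective_nonce(bytes.fromhex(vec[k])), ct, aad, tag) is not None
                 for k in ("iv_original", "iv"))

def rfc8439_selftest():
    """Check the reference AEAD against the RFC 8439 section 2.8.2 vector."""
    key, nonce = bytes(range(0x80, 0xA0)), bytes.fromhex("070000004041424344454647")
    aad = bytes.fromhex("50515253c0c1c2c3c4c5c6c7")
    pt = (b"Ladies and Gentlemen of the class of '99: If I could offer you "
          b"only one tip for the future, sunscreen would be it.")
    ct, tag = aead_seal(key, nonce, pt, aad)
    return (ct[:16].hex() == "d31a8d34648e60db7b86afbc53ef7ec2"
            and tag.hex() == "1ae10b594f09e26a7e902ecbd0600691"
            and aead_open(key, nonce, ct, aad, tag) == pt)

if __name__ == "__main__":
    print("reference AEAD matches RFC 8439:", rfc8439_selftest())
    k, iv = bytes(32), bytes(range(16))  # constructed demo key and 16-byte IV
    for off in range(6):
        print(f"16-byte IV, flip byte {off}: undetected={tamper_is_undetected(k, iv, b'hello', b'', off)}")
    for v in REPORT_VECTORS:
        print("report vector (original IV opens, corrupt IV opens):", report_vector_opens(v))
```

If the model is right, report_vector_opens returns (True, True) for both vectors: the tag computed under the original IV verifies unchanged under the corrupted one. A (True, False) would mean the leading bytes are in fact bound and the explanation above is wrong; a (False, ...) would mean the vector was not produced by the standard construction at all. Either way the practical caveat stands: a nonce that is not mixed into the keystream is not covered by the tag, so a protocol that carries a nonce longer than 96 bits must put the extra bytes in the AAD rather than rely on OpenSSL accepting a longer IV.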