[botan-devel] XSalsa bug

Jack Lloyd jack at randombit.net
Tue Aug 14 19:50:07 EDT 2018

A warning about an XSalsa bug I found while implementing support for XChaCha:

All versions of Botan that support XSalsa have a bug where if you first call
set_key, then set_iv, then set_iv again without first resetting the key, the
resulting keystream is computed incorrectly, in a way that depends on both
nonces instead of just the second. This only affects specifically XSalsa, with
192 bit nonces. Salsa with 64 bit nonces is fine.

You can work around the problem by resetting the key before calling set_iv the
second time.

A fix is already included in master and will be released as part of 2.8.0.
However this means that for any application which may be affected by this issue,
the cipher stream generated will change when the library is updated. This may e.g.
render stored ciphertexts unreadable or cause interop problems (if one peer has
upgraded to 2.8 but another has not).

If you are using XSalsa20 and make use of multiple nonces in a way that is
affected by this, please contact me. If needed, I would consider adding a
special version of set_iv which duplicates the buggy behavior, to allow
applications to upgrade without breaking compat. However my hope is the set of
applications which use XSalsa20 with several different nonces for the same key
is empty, and we can just let this bug die with 2.8.
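To make the failure mode concrete, here is an added C model of XSalsa20 nonce setup; it is not Botan's code. XSalsa20 derives a subkey with HSalsa20 from the key and the first 16 nonce bytes, so a correct set_iv must always start from the key as set. The `from_current` flag is an assumed, hypothetical defect (feeding the previous subkey back into HSalsa20) that reproduces the symptom described above, and the `rekey` flag is the workaround from the post; the key and nonces are constructed sample values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) b ^= ROTL(a + d, 7); c ^= ROTL(b + a, 9); d ^= ROTL(c + b, 13); a ^= ROTL(d + c, 18);
static const uint32_t SIGMA[4] = {0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}; /* "expand 32-byte k" */
static uint32_t ld32(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }

/* Salsa20 matrix from an 8-word key and 16 bytes of nonce||counter, 20 rounds, optional feed-forward.
 * Without the feed-forward this is the HSalsa20 core that XSalsa20 uses to derive its subkey. */
static void salsa_core(uint32_t x[16], const uint32_t k[8], const uint8_t in16[16], bool feed_forward) {
    uint32_t in[16] = {SIGMA[0], k[0], k[1], k[2], k[3], SIGMA[1], ld32(in16), ld32(in16 + 4),
                       ld32(in16 + 8), ld32(in16 + 12), SIGMA[2], k[4], k[5], k[6], k[7], SIGMA[3]};
    memcpy(x, in, sizeof in);
    for (int i = 0; i < 10; i++) {
        QR(x[0], x[4], x[8], x[12]) QR(x[5], x[9], x[13], x[1]) QR(x[10], x[14], x[2], x[6]) QR(x[15], x[3], x[7], x[11])
        QR(x[0], x[1], x[2], x[3]) QR(x[5], x[6], x[7], x[4]) QR(x[10], x[11], x[8], x[9]) QR(x[15], x[12], x[13], x[14])
    }
    if (feed_forward) for (int i = 0; i < 16; i++) x[i] += in[i];
}

typedef struct { uint32_t base[8], cur[8]; uint8_t nonce8[8]; } xsalsa_t; /* base: key as set; cur: active subkey */
static void set_key(xsalsa_t *c, const uint8_t key[32]) {
    for (int i = 0; i < 8; i++) c->base[i] = c->cur[i] = ld32(key + 4 * i);
}

/* XSalsa20 nonce setup: subkey = HSalsa20(key, nonce[0..15]); nonce[16..23] is the Salsa20 nonce.
 * from_current=false derives from the key as set (correct). from_current=true is a hypothetical defect
 * assumed for illustration: the previous subkey is fed back in, so the result depends on both nonces. */
static void set_iv(xsalsa_t *c, const uint8_t nonce[24], bool from_current) {
    uint32_t x[16];
    salsa_core(x, from_current ? c->cur : c->base, nonce, false);
    uint32_t sub[8] = {x[0], x[5], x[10], x[15], x[6], x[7], x[8], x[9]};
    memcpy(c->cur, sub, sizeof sub);
    memcpy(c->nonce8, nonce + 16, 8);
}

static void keystream_block(const xsalsa_t *c, uint32_t out[16]) { /* first block, counter 0 */
    uint8_t in16[16] = {0}; memcpy(in16, c->nonce8, 8); salsa_core(out, c->cur, in16, true);
}

/* Does set_key, set_iv(n1), [set_key again if rekey], set_iv(n2) match a fresh set_key, set_iv(n2)?
 * rekey=true is the workaround from the post: reset the key before calling set_iv the second time. */
static bool second_nonce_matches_fresh(bool from_current, bool rekey) {
    uint8_t key[32], n1[24], n2[24]; xsalsa_t reused, fresh; uint32_t ks_reused[16], ks_fresh[16];
    for (int i = 0; i < 32; i++) key[i] = (uint8_t)i; /* constructed sample key, not a test vector */
    for (int i = 0; i < 24; i++) { n1[i] = (uint8_t)(0xA0 + i); n2[i] = (uint8_t)(0x50 + i); }
    set_key(&reused, key); set_iv(&reused, n1, from_current);
    if (rekey) set_key(&reused, key);
    set_iv(&reused, n2, from_current); keystream_block(&reused, ks_reused);
    set_key(&fresh, key); set_iv(&fresh, n2, from_current); keystream_block(&fresh, ks_fresh);
    return memcmp(ks_reused, ks_fresh, sizeof ks_fresh) == 0;
}
```

With the defect modelled, only the rekey sequence reproduces the fresh-object keystream, which is exactly why ciphertexts produced by the old and fixed behaviour differ.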
