doc: note that out ChaCha20 isn't standard compliant.

Fixes #21095 Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/21098)
author: Pauli <pauli@openssl.org> 2023-06-01 09:51:46 +1000
committer: Pauli <pauli@openssl.org> 2023-06-06 11:02:57 +1000
commit: c69756e7a0133b67df50525e89206c9cc4a7d2b8 (patch)
tree: 3d0b3b6938fef91bf0d52a45152481275c749640
parent: 80935bf5ad309bf6c03591acf1d48fe1db57b78f (diff)
1 files changed, 5 insertions, 2 deletions
diff --git a/doc/man3/EVP_chacha20.pod b/doc/man3/EVP_chacha20.pod
index 6027a705b8..47b6f9c16f 100644
--- a/doc/man3/EVP_chacha20.pod
+++ b/doc/man3/EVP_chacha20.pod
@@ -22,10 +22,10 @@ The ChaCha20 stream cipher for EVP.
 =item EVP_chacha20()
 
 The ChaCha20 stream cipher. The key length is 256 bits, the IV is 128 bits long.
-The first 32 bits consists of a counter in little-endian order followed by a 96
+The first 64 bits consists of a counter in little-endian order followed by a 64
 bit nonce. For example a nonce of:
 
-000000000000000000000002
+0000000000000002
 
 With an initial counter of 42 (2a in hex) would be expressed as:
 
@@ -47,6 +47,9 @@ calling these functions multiple times and should consider using
 L<EVP_CIPHER_fetch(3)> instead.
 See L<crypto(7)/Performance> for further information.
 
+L<RFC 7539|https://www.rfc-editor.org/rfc/rfc7539.html#section-2.4>
+uses a 32 bit counter and a 96 bit nonce for the IV.
+
 =head1 RETURN VALUES
 
 These functions return an B<EVP_CIPHER> structure that contains the
author	Pauli <pauli@openssl.org>	2023-06-01 09:51:46 +1000
committer	Pauli <pauli@openssl.org>	2023-06-06 11:02:57 +1000
commit	c69756e7a0133b67df50525e89206c9cc4a7d2b8 (patch)
tree	3d0b3b6938fef91bf0d52a45152481275c749640
parent	80935bf5ad309bf6c03591acf1d48fe1db57b78f (diff)