-
Notifications
You must be signed in to change notification settings - Fork 332
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
chacha20: Add counter overflow advisory
Upstream issue: RustCrypto/stream-ciphers#64
- Loading branch information
Showing
1 changed file
with
23 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
[advisory] | ||
id = "RUSTSEC-0000-0000" | ||
package = "chacha20" | ||
date = "2019-10-22" | ||
title = "ChaCha20 counter overflow can expose repetitions in the keystream" | ||
description = """ | ||
The ChaCha20 stream cipher can produce a maximum of 2^32 blocks (~256GB) | ||
before the 32-bit counter overflows. Releases of the `chacha20` crate prior | ||
to v0.2.3 allow generating keystreams larger than this, including seeking | ||
past the limit. When this occurs, the keystream is duplicated, with failure | ||
modes similar to nonce reuse (i.e. exposure of the XOR of two plaintexts). | ||
The v0.2.3 release now panics in this event, rather than exposing the | ||
duplicated keystream. Note this is a "hot fix" solution to the problem | ||
and future releases will pursue returning an error in this case. | ||
Users of the `chacha20poly1305` crate are unaffected by this as this crate | ||
properly asserts the length of the plaintext is less than the maximum allowed | ||
(`P_MAX` as described in RFC 8439 Section 2.8). | ||
""" | ||
patched_versions = [">= 0.2.3"] | ||
url = "https://github.com/RustCrypto/stream-ciphers/pull/64" | ||
categories = ["crypto-failure"] |