Mirror of BoringSSL (grpc依赖) https://boringssl.googlesource.com/boringssl

You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

Tag: Branch: Tree: d4553e0538

2214

2272

2311

2357

2490

2564

2623

2661

2704

2785

2883

2924

2987

3029

3071

3112

3202

3239

3282

3359

3538

3945

chromium-2214

chromium-2272

chromium-2311

chromium-2357

chromium-2490

chromium-2564

chromium-2623

chromium-2661

chromium-2704

chromium-2883

chromium-2924

chromium-2987

chromium-3029

chromium-3071

chromium-3112

chromium-3202

chromium-3239

chromium-3282

chromium-3359

chromium-3538

chromium-3945

chromium-5359

chromium-5414

chromium-stable

chromium-stable-with-bazel

dependabot/go_modules/golang.org/x/net-0.23.0

esni

fips-20180730

fips-20220613

fips-20230428

fips-20240407

fips-android-20191008

grpc-202302

infra/config

main-with-bazel

master

master-with-bazel

fips-20170615

fips-20180730

fips-20190808

fips-20210429

fips-20220613

fips-android-20191020

version_for_cocoapods_1.0

version_for_cocoapods_10.0

version_for_cocoapods_2.0

version_for_cocoapods_3.0

version_for_cocoapods_4.0

version_for_cocoapods_5.0

version_for_cocoapods_6.0

version_for_cocoapods_7.0

version_for_cocoapods_8.0

version_for_cocoapods_9.0

Branches Tags

${ item.name }

Create tag ${ searchTerm }

Create branch ${ searchTerm }

from 'd4553e0538'

${ noResults }

boringssl/crypto/chacha

History

David Benjamin df9955b62d Handle ChaCha20 counter overflow consistently ... The assembly functions from OpenSSL vary in how the counter overflow works. The aarch64 implementation uses a mix of 32-bit and 64-bit counters. This is because, when packing a block into 64-bit general-purpose registers, it is easier to implement a 64-bit counter than a 32-bit one. Whereas, on 32-bit general-purpose registers, or when using vector registers with 32-bit lanes, it is easier to implement a 32-bit counter. Counters will never overflow with the AEAD, which sets the length limit so it never happens. (Failing to do so will reuse a key/nonce/counter triple.) RFC 8439 is silent on what happens on overflow, so at best one can say it is implicitly undefined behavior. This came about because pyca/cryptography reportedly exposed a ChaCha20 API which encouraged callers to randomize the starting counter. Wrapping with a randomized starting counter isn't inherently wrong, though it is pointless and goes against how the spec recommends using the initial counter value. Nonetheless, we would prefer our functions behave consistently across platforms, rather than silently give ill-defined output given some inputs. So, normalize the behavior to the wrapping version in CRYPTO_chacha_20 by dividing up into multiple ChaCha20_ctr32 calls as needed. Fixed: 614 Change-Id: I191461f25753b9f6b59064c6c08cd4299085e172 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60387 Commit-Queue: Adam Langley <agl@google.com> Auto-Submit: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>		1 year ago
..
asm	Move data from .text to .rodata on x86_64	2 years ago
chacha.c	Handle ChaCha20 counter overflow consistently	1 year ago
chacha_test.cc	Handle ChaCha20 counter overflow consistently	1 year ago
internal.h	Handle ChaCha20 counter overflow consistently	1 year ago