Merge pull request #199 from RustSec/chacha20/counter-overflow

chacha20: Add counter overflow advisory

crates/chacha20/RUSTSEC-2019-0029.toml

@@ -0,0 +1,23 @@
+[advisory]
+id = "RUSTSEC-2019-0029"
+package = "chacha20"
+date = "2019-10-22"
+title = "ChaCha20 counter overflow can expose repetitions in the keystream"
+description = """
+The ChaCha20 stream cipher can produce a maximum of 2^32 blocks (~256GB)
+before the 32-bit counter overflows. Releases of the `chacha20` crate prior
+to v0.2.3 allow generating keystreams larger than this, including seeking
+past the limit. When this occurs, the keystream is duplicated, with failure
+modes similar to nonce reuse (i.e. exposure of the XOR of two plaintexts).
+
+The v0.2.3 release now panics in this event, rather than exposing the
+duplicated keystream. Note this is a "hot fix" solution to the problem
+and future releases will pursue returning an error in this case.
+
+Users of the `chacha20poly1305` crate are unaffected by this as this crate
+properly asserts the length of the plaintext is less than the maximum allowed
+(`P_MAX` as described in RFC 8439 Section 2.8).
+"""
+patched_versions = [">= 0.2.3"]
+url = "https://github.com/RustCrypto/stream-ciphers/pull/64"
+categories = ["crypto-failure"]