OpenSSL have published a security advisory. Here's how it affects BoringSSL:
| CVE | Summary | Severity in OpenSSL | Impact to BoringSSL |
|---|---|---|---|
| CVE-2019-1543 | ChaCha20-Poly1305 with long nonces | Low | Not affected, issue was introduced after fork |
ChaCha20-Poly1305 takes a 96-bit (12 byte) nonce input. OpenSSL's implementation included a non-standard extension where it took a variable-length input and zero-padded it as necessary. However, it incorrectly allowed inputs up to 16 bytes and truncated long ones down to 12 bytes. This truncation means that an application using 16-byte nonces may still internally reuse nonce values, breaking the integrity of the cipher.
BoringSSL does not implement this non-standard extension and thus is unaffected. It only accepts 12-byte nonces, matching the specification.
Note: zero-padding short nonces still results in internal collisions when a single key is used with nonces of different lengths. ChaCha20-Poly1305 should only be used with the standard 12-byte nonce length.