# OpenSSL Advisory: March 6th, 2019 (BoringSSL Not Affected)

OpenSSL have published a [security advisory](https://www.openssl.org/news/secadv/20190306.txt). Here's how it affects BoringSSL:

CVE | Summary | [Severity] in OpenSSL | Impact to BoringSSL
----|---------|-----------------------|---------------------
CVE-2019-1543 | ChaCha20-Poly1305 with long nonces | Low | Not affected, issue was introduced after fork

[Severity]: https://openssl-library.org/policies/general/security-policy/index.html#issue-severity

## CVE-2019-1543

[ChaCha20-Poly1305](https://www.rfc-editor.org/rfc/rfc7539.html) takes a 96-bit (12 byte) nonce input. OpenSSL's implementation included a non-standard extension where it took a variable-length input and zero-padded it as necessary. However, it incorrectly allowed inputs up to 16 bytes and truncated long ones down to 12 bytes. This truncation means that an application using 16-byte nonces may still internally reuse nonce values, breaking the integrity of the cipher.

BoringSSL does not implement this non-standard extension and thus is unaffected. It only accepts 12-byte nonces, matching the specification.

Note: zero-padding short nonces still results in internal collisions when a single key is used with nonces of different lengths. ChaCha20-Poly1305 should only be used with the standard 12-byte nonce length.
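
The following is an added illustration, not code from OpenSSL or BoringSSL. It models the lenient nonce handling described above and runs the RFC 7539 block function to show that distinct caller nonces yield the same Poly1305 one-time key and keystream, while a strict 12-byte check rejects them. The helper names and sample values are constructed, and which end is padded or dropped is an assumption of the model (the collision occurs either way).

```python
import struct

MASK = 0xFFFFFFFF

def effective_nonce(nonce: bytes) -> bytes:
    """Lenient model (assumed: zero-pad in front, keep the last 12 bytes)."""
    if not 1 <= len(nonce) <= 16:
        raise ValueError("nonce length out of range")
    return nonce.rjust(12, b"\x00")[-12:]

def strict_nonce(nonce: bytes) -> bytes:
    """Spec behaviour: anything other than exactly 12 bytes is rejected."""
    if len(nonce) != 12:
        raise ValueError("ChaCha20-Poly1305 nonce must be exactly 12 bytes")
    return nonce

def _quarter_round(s, a, b, c, d):
    for rot in (16, 12, 8, 7):
        s[a] = (s[a] + s[b]) & MASK
        x = s[d] ^ s[a]
        s[d] = ((x << rot) & MASK) | (x >> (32 - rot))
        a, b, c, d = c, d, a, b  # next step works on the other pair

ROUNDS = ((0, 4, 8, 12), (1, 5, 9, 13), (2, 6, 10, 14), (3, 7, 11, 15),
          (0, 5, 10, 15), (1, 6, 11, 12), (2, 7, 8, 13), (3, 4, 9, 14))

def chacha20_block(key: bytes, counter: int, nonce12: bytes) -> bytes:
    """RFC 7539 block function: 64 bytes of keystream for (key, counter, nonce)."""
    init = struct.unpack("<16I", b"expand 32-byte k" + key
                         + struct.pack("<I", counter) + strict_nonce(nonce12))
    s = list(init)
    for _ in range(10):  # 10 double rounds = 20 rounds
        for idx in ROUNDS:
            _quarter_round(s, *idx)
    return struct.pack("<16I", *((x + y) & MASK for x, y in zip(s, init)))

def secrets_for(key: bytes, nonce: bytes):
    """(Poly1305 one-time key, first keystream block) under the lenient model."""
    n = effective_nonce(nonce)
    return chacha20_block(key, 0, n)[:32], chacha20_block(key, 1, n)

KEY = bytes(range(32))  # constructed sample values, not from any real deployment
LONG_A = bytes.fromhex("00000001") + b"fixed-suffix"  # 16 bytes
LONG_B = bytes.fromhex("00000002") + b"fixed-suffix"  # 16 bytes, differs only in front
SHORT_A, SHORT_B = b"\x07", b"\x00\x00\x07"           # different lengths, same padded value

if __name__ == "__main__":
    for a, b in ((LONG_A, LONG_B), (SHORT_A, SHORT_B)):
        print(a.hex(), b.hex(), secrets_for(KEY, a) == secrets_for(KEY, b))
```
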