{
  "commit": "df9955b62d71d896198364465b5f5871c69ba93e",
  "tree": "b6a84b5742e333b08c14cd723825af09370f580f",
  "parents": [
    "d605df5b6f8462c1f3005da82d718ec067f46b70"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Thu Jun 01 12:11:44 2023 -0400"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Tue Jun 06 17:59:44 2023 +0000"
  },
  "message": "Handle ChaCha20 counter overflow consistently\n\nThe assembly functions from OpenSSL vary in how the counter overflow\nworks. The aarch64 implementation uses a mix of 32-bit and 64-bit\ncounters. This is because, when packing a block into 64-bit\ngeneral-purpose registers, it is easier to implement a 64-bit counter\nthan a 32-bit one. Whereas, on 32-bit general-purpose registers, or when\nusing vector registers with 32-bit lanes, it is easier to implement a\n32-bit counter.\n\nCounters will never overflow with the AEAD, which sets the length limit\nso it never happens. (Failing to do so will reuse a key/nonce/counter\ntriple.) RFC 8439 is silent on what happens on overflow, so at best one\ncan say it is implicitly undefined behavior.\n\nThis came about because pyca/cryptography reportedly exposed a ChaCha20\nAPI which encouraged callers to randomize the starting counter. Wrapping\nwith a randomized starting counter isn\u0027t inherently wrong, though it is\npointless and goes against how the spec recommends using the initial\ncounter value.\n\nNonetheless, we would prefer our functions behave consistently across\nplatforms, rather than silently give ill-defined output given some\ninputs. So, normalize the behavior to the wrapping version in\nCRYPTO_chacha_20 by dividing up into multiple ChaCha20_ctr32 calls as\nneeded.\n\nFixed: 614\nChange-Id: I191461f25753b9f6b59064c6c08cd4299085e172\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/60387\nCommit-Queue: Adam Langley \u003cagl@google.com\u003e\nAuto-Submit: David Benjamin \u003cdavidben@google.com\u003e\nReviewed-by: Adam Langley \u003cagl@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "1092b7aa28462e3bba4e1c6de1e6608a2118fb86",
      "old_mode": 33188,
      "old_path": "crypto/chacha/chacha.c",
      "new_id": "a4d88c0a40923e23a74ecc5fc995f62e3dfaa9dc",
      "new_mode": 33188,
      "new_path": "crypto/chacha/chacha.c"
    },
    {
      "type": "modify",
      "old_id": "25313cad6d43538b05c1a5913d81b5cc92ca8c2e",
      "old_mode": 33188,
      "old_path": "crypto/chacha/chacha_test.cc",
      "new_id": "00683ce51e186117ddaea6c250562cc67916eea1",
      "new_mode": 33188,
      "new_path": "crypto/chacha/chacha_test.cc"
    },
    {
      "type": "modify",
      "old_id": "1435e3b01e6aec361c240896d7bdf556fbbdab50",
      "old_mode": 33188,
      "old_path": "crypto/chacha/internal.h",
      "new_id": "5f442ec461603fff06388ae5fdfd41be9fb0c5a0",
      "new_mode": 33188,
      "new_path": "crypto/chacha/internal.h"
    },
    {
      "type": "modify",
      "old_id": "cfbaa75680e65a69b3ceac86073142108fdceaa3",
      "old_mode": 33188,
      "old_path": "include/openssl/chacha.h",
      "new_id": "2868c290626fa23b2d0d5761d1943333fb00c631",
      "new_mode": 33188,
      "new_path": "include/openssl/chacha.h"
    }
  ]
}
