FYI, it seems a security vulnerability has been discovered in the golang-googlecode-go-crypto package. Hopefully we will have a tracking BZ shortly.
JC
----- Forwarded Message -----
From: "Filippo Valsorda" filippo@golang.org
To: golang-nuts@googlegroups.com
Sent: Wednesday, March 20, 2019 11:53:53 PM
Subject: [security] Vulnerability in golang.org/x/crypto/salsa20
Hello gophers,

Commit b7391e95 (https://go.googlesource.com/crypto/+/b7391e95e576cacdcdd422573063bc057239113d) fixes a vulnerability in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages that affects large message sizes or high counter values.

If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages.

Architectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream (http://godoc.org/golang.org/x/crypto/salsa20#XORKeyStream) invocation are unaffected.

The vulnerable code is derived from the amd64-xmm5 and amd64-xmm6 implementations that are distributed with SUPERCOP (https://bench.cr.yp.to/supercop.html), NaCl (https://nacl.cr.yp.to/) and at https://cr.yp.to/snuffle.html. The issue is present in those upstreams, but is not considered a problem by their author because of the policy at https://nacl.cr.yp.to/valid.html, and because support for counters larger than 32 bits is an incomplete experiment.

We attach a patch that applies to the amd64-xmm5 and amd64-xmm6 salsa20.s files for any downstream that might want to fix this issue.

This issue was discovered and reported by Michael McLoughlin.

Cheers,
Filippo for the Go team
golang@lists.fedoraproject.org
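The 64-bit block counter and the 256 GiB figure from the advisory, as an added Go example that is not part of the advisory, the attached patch, or golang.org/x/crypto: a portable Salsa20/20 block function carrying the counter in state words 8 (low) and 9 (high), a MaxSafeBytesPerCall constant (2^32 blocks of 64 bytes = 256 GiB), and TruncatedCounterBlock, which models only the wrap-around of a counter confined to 32 bits (the incorrect output the advisory says precedes the wrap is not modelled). Function names and the sample key are assumptions, not identifiers from x/crypto.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"math/bits"
)
// MaxSafeBytesPerCall is what a 32-bit block counter can address before it wraps:
// 2^32 blocks x 64 bytes = 256 GiB, the limit the advisory quotes for one call.
const MaxSafeBytesPerCall = uint64(1) << 38
// qr is the Salsa20 quarter-round on state words a, b, c, d.
func qr(x *[16]uint32, a, b, c, d int) {
	x[b] ^= bits.RotateLeft32(x[a]+x[d], 7)
	x[c] ^= bits.RotateLeft32(x[b]+x[a], 9)
	x[d] ^= bits.RotateLeft32(x[c]+x[b], 13)
	x[a] ^= bits.RotateLeft32(x[d]+x[c], 18)
}
// Salsa20Block returns the 64-byte keystream block for key, nonce and a full 64-bit block
// counter (portable reference, not x/crypto's assembly); the counter is state words 8 (low) and 9 (high).
func Salsa20Block(key *[32]byte, nonce *[8]byte, counter uint64) [64]byte {
	var in [16]uint32
	in[0], in[5], in[10], in[15] = 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 // "expand 32-byte k"
	for i := 0; i < 4; i++ {
		in[1+i] = binary.LittleEndian.Uint32(key[4*i:])
		in[11+i] = binary.LittleEndian.Uint32(key[16+4*i:])
	}
	in[6] = binary.LittleEndian.Uint32(nonce[0:])
	in[7] = binary.LittleEndian.Uint32(nonce[4:])
	in[8] = uint32(counter)       // low counter word
	in[9] = uint32(counter >> 32) // high counter word: first becomes non-zero after 256 GiB
	x := in
	for i := 0; i < 10; i++ { // 10 double rounds = Salsa20/20
		qr(&x, 0, 4, 8, 12); qr(&x, 5, 9, 13, 1); qr(&x, 10, 14, 2, 6); qr(&x, 15, 3, 7, 11)
		qr(&x, 0, 1, 2, 3); qr(&x, 5, 6, 7, 4); qr(&x, 10, 11, 8, 9); qr(&x, 15, 12, 13, 14)
	}
	var out [64]byte
	for i := range x {
		binary.LittleEndian.PutUint32(out[4*i:], x[i]+in[i])
	}
	return out
}
// TruncatedCounterBlock models the advisory's wrap: only the low 32 counter bits reach the state.
func TruncatedCounterBlock(key *[32]byte, nonce *[8]byte, counter uint64) [64]byte {
	return Salsa20Block(key, nonce, counter&0xffffffff)
}
func main() {
	key, nonce := [32]byte{1, 2, 3, 4}, [8]byte{} // constructed sample key (rest zero) and zero nonce
	fmt.Println("block 2^32 == block 0, 64-bit counter:", Salsa20Block(&key, &nonce, 1<<32) == Salsa20Block(&key, &nonce, 0))
	fmt.Println("block 2^32 == block 0, 32-bit counter:", TruncatedCounterBlock(&key, &nonce, 1<<32) == TruncatedCounterBlock(&key, &nonce, 0))
}
```

With the full counter, block 2^32 differs from block 0; with the truncated model it is identical, which is the keystream repetition the advisory describes.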