[security] Vulnerability in golang.org/x/crypto/salsa20


Filippo Valsorda
Mar 20, 2019, 6:57:05 PM
to golan...@googlegroups.com

Hello gophers,

Commit b7391e95 fixes a vulnerability in the amd64 implementation of the golang.org/x/crypto/salsa20 and golang.org/x/crypto/salsa20/salsa packages that affects large message sizes or high counter values.

If more than 256 GiB of keystream is generated, or if the counter otherwise grows greater than 32 bits, the amd64 implementation will first generate incorrect output, and then cycle back to previously generated keystream. Repeated keystream bytes can lead to loss of confidentiality in encryption applications, or to predictability in CSPRNG applications.

The issue might affect uses of golang.org/x/crypto/nacl with extremely large messages. Architectures other than amd64 and uses that generate less than 256 GiB of keystream for a single salsa20.XORKeyStream invocation are unaffected.

The vulnerable code is derived from the amd64-xmm5 and amd64-xmm6 implementations that are distributed with SUPERCOP, NaCl and at https://cr.yp.to/snuffle.html. The issue is present in those upstreams, but is not considered a problem by their author because of the policy at https://nacl.cr.yp.to/valid.html, and because support for counters larger than 32 bits is an incomplete experiment.

We attach a patch that applies to the amd64-xmm5 and amd64-xmm6 salsa20.s files for any downstream that might want to fix this issue.

This issue was discovered and reported by Michael McLoughlin.

Cheers,
Filippo for the Go team

salsa20.s.diff
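As an added example (this is not code from the Go team, from the x/crypto packages or from the attached patch), the pure-Go Salsa20/20 block function below shows why a block counter that is reduced to 32 bits makes the keystream repeat: Salsa20 places the low counter word in state word 8 and the high word in state word 9, so dropping the high word makes counters i and i + 2^32 produce the identical block. It also shows the defensive check a caller can apply before a single XORKeyStream-style call: a 64-byte block times 2^32 blocks is exactly 256 GiB, the figure from the advisory. The names salsa20Block, truncatedBlock and checkCounterRange are hypothetical, the key and nonce are constructed, and truncatedBlock is only a model of the cycling effect; it does not reproduce the "incorrect output" phase the advisory describes for the real amd64 assembly.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math/bits"
)

const blockSize = 64

// sigma is the Salsa20 "expand 32-byte k" constant, split into four words.
var sigma = [4]uint32{0x61707865, 0x3320646e, 0x79622d32, 0x6b206574}

// quarterRound is the Salsa20 quarter-round applied to state words a, b, c, d.
func quarterRound(x *[16]uint32, a, b, c, d int) {
	x[b] ^= bits.RotateLeft32(x[a]+x[d], 7)
	x[c] ^= bits.RotateLeft32(x[b]+x[a], 9)
	x[d] ^= bits.RotateLeft32(x[c]+x[b], 13)
	x[a] ^= bits.RotateLeft32(x[d]+x[c], 18)
}

// salsa20Block computes one 64-byte Salsa20/20 keystream block for a 32-byte
// key, an 8-byte nonce and a 64-bit block counter (reference code for this
// example, following the Salsa20 specification's state layout).
func salsa20Block(key *[32]byte, nonce [8]byte, counter uint64) [blockSize]byte {
	var x [16]uint32
	x[0] = sigma[0]
	for i := 0; i < 4; i++ {
		x[1+i] = binary.LittleEndian.Uint32(key[4*i:])
		x[11+i] = binary.LittleEndian.Uint32(key[16+4*i:])
	}
	x[5] = sigma[1]
	x[6] = binary.LittleEndian.Uint32(nonce[0:])
	x[7] = binary.LittleEndian.Uint32(nonce[4:])
	x[8] = uint32(counter)       // low 32 bits of the block counter
	x[9] = uint32(counter >> 32) // high 32 bits: the part the defect loses
	x[10] = sigma[2]
	x[15] = sigma[3]
	in := x
	for i := 0; i < 10; i++ { // 10 double rounds = Salsa20/20
		quarterRound(&x, 0, 4, 8, 12) // column round
		quarterRound(&x, 5, 9, 13, 1)
		quarterRound(&x, 10, 14, 2, 6)
		quarterRound(&x, 15, 3, 7, 11)
		quarterRound(&x, 0, 1, 2, 3) // row round
		quarterRound(&x, 5, 6, 7, 4)
		quarterRound(&x, 10, 11, 8, 9)
		quarterRound(&x, 15, 12, 13, 14)
	}
	var out [blockSize]byte
	for i := 0; i < 16; i++ {
		binary.LittleEndian.PutUint32(out[4*i:], x[i]+in[i])
	}
	return out
}

// truncatedBlock models the cycling failure: the counter is cut to its low
// 32 bits before the block function, so keystream repeats every 2^32 blocks.
func truncatedBlock(key *[32]byte, nonce [8]byte, counter uint64) [blockSize]byte {
	return salsa20Block(key, nonce, uint64(uint32(counter)))
}

// checkCounterRange rejects a request for n keystream bytes starting at block
// startCounter if the last block needed would not fit in a 32-bit counter.
// 2^32 blocks * 64 bytes = 256 GiB, the threshold named in the advisory.
func checkCounterRange(startCounter uint64, n int) error {
	if n < 0 {
		return errors.New("negative keystream length")
	}
	blocks := (uint64(n) + blockSize - 1) / blockSize
	const limit = uint64(1) << 32
	if startCounter >= limit || blocks > limit-startCounter {
		return fmt.Errorf("keystream of %d bytes from block %d needs a counter beyond 32 bits", n, startCounter)
	}
	return nil
}

func main() {
	// Constructed key and nonce for the demonstration only.
	var key [32]byte
	for i := range key {
		key[i] = byte(i)
	}
	var nonce [8]byte
	correctA := salsa20Block(&key, nonce, 5)
	correctB := salsa20Block(&key, nonce, 5+(1<<32))
	fmt.Println("correct: blocks 5 and 5+2^32 identical?", correctA == correctB)
	fmt.Println("truncated: blocks 5 and 5+2^32 identical?",
		truncatedBlock(&key, nonce, 5) == truncatedBlock(&key, nonce, 5+(1<<32)))
	fmt.Println("256 GiB from block 0:", checkCounterRange(0, 1<<38))
	fmt.Println("256 GiB + 1 byte:", checkCounterRange(0, (1<<38)+1))
}
```

The check is conservative on purpose: it bounds a single call by the number of 64-byte blocks it will consume from its starting counter, which is the quantity the advisory ties to the failure, rather than by message length alone.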