Snap for 11203489 from e905be252a53d20c52bd9e59df3ff8fdd46b9eab to common-android14-6.1-2023-05-exp-releasecommon-android14-6.1-2023-05-exp-release

Change-Id: I4301094dd1f97f9f1411662e55edf3e8120a476d
Signed-off-by: Coastguard Worker <android-build-coastguard-worker@google.com>

1 files changed, 6 insertions, 0 deletions

diff --git a/linux-x86/include/openssl/chacha.h b/linux-x86/include/openssl/chacha.h
index cfbaa75..2868c29 100644
--- a/linux-x86/include/openssl/chacha.h
+++ b/linux-x86/include/openssl/chacha.h
@@ -29,6 +29,12 @@ extern "C" {
 // CRYPTO_chacha_20 encrypts |in_len| bytes from |in| with the given key and
 // nonce and writes the result to |out|. If |in| and |out| alias, they must be
 // equal. The initial block counter is specified by |counter|.
+//
+// This function implements a 32-bit block counter as in RFC 8439. On overflow,
+// the counter wraps. Reusing a key, nonce, and block counter combination is not
+// secure, so wrapping is usually a bug in the caller. While it is possible to
+// wrap without reuse with a large initial block counter, this is not
+// recommended and may not be portable to other ChaCha20 implementations.
 OPENSSL_EXPORT void CRYPTO_chacha_20(uint8_t *out, const uint8_t *in,
                                      size_t in_len, const uint8_t key[32],
                                      const uint8_t nonce[12], uint32_t counter);