chacha20poly1305: panic on dst and additionalData overlap

The cipher.AEAD interface specifies that these should not overlap.
This mirrors the check that the GCM implementation does.

Fixes golang/go#75968
Updates golang/go#21624

Change-Id: If5fbb8611ff6c0aae44d50079bad29f56ce00f5b
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/712860
Reviewed-by: Roland Shoemaker <roland@golang.org>
Reviewed-by: David Chase <drchase@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

Author: seankhliao

chacha20poly1305/chacha20poly1305_amd64.go

@@ -56,7 +56,10 @@ func (c *chacha20poly1305) seal(dst, nonce, plaintext, additionalData []byte) []
 
 	ret, out := sliceForAppend(dst, len(plaintext)+16)
 	if alias.InexactOverlap(out, plaintext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 	chacha20Poly1305Seal(out[:], state[:], plaintext, additionalData)
 	return ret
@@ -73,7 +76,10 @@ func (c *chacha20poly1305) open(dst, nonce, ciphertext, additionalData []byte) (
 	ciphertext = ciphertext[:len(ciphertext)-16]
 	ret, out := sliceForAppend(dst, len(ciphertext))
 	if alias.InexactOverlap(out, ciphertext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 	if !chacha20Poly1305Open(out, state[:], ciphertext, additionalData) {
 		for i := range out {

chacha20poly1305/chacha20poly1305_generic.go

@@ -31,7 +31,10 @@ func (c *chacha20poly1305) sealGeneric(dst, nonce, plaintext, additionalData []b
 	ret, out := sliceForAppend(dst, len(plaintext)+poly1305.TagSize)
 	ciphertext, tag := out[:len(plaintext)], out[len(plaintext):]
 	if alias.InexactOverlap(out, plaintext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 
 	var polyKey [32]byte
@@ -67,7 +70,10 @@ func (c *chacha20poly1305) openGeneric(dst, nonce, ciphertext, additionalData []
 
 	ret, out := sliceForAppend(dst, len(ciphertext))
 	if alias.InexactOverlap(out, ciphertext) {
-		panic("chacha20poly1305: invalid buffer overlap")
+		panic("chacha20poly1305: invalid buffer overlap of output and input")
+	}
+	if alias.AnyOverlap(out, additionalData) {
+		panic("chacha20poly1305: invalid buffer overlap of output and additional data")
 	}
 	if !p.Verify(tag) {
 		for i := range out {