From 87066eeca08ee853b47413da057de554dbba9137 Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 7 Jun 2026 09:42:00 -0700
Subject: [PATCH 1/2] Track ChaCha20 32-bit counter and error on overflow

ChaCha20 now extracts the 32-bit little-endian block counter from the
first 4 bytes of the 128-bit nonce and tracks the number of bytes
processed. Encrypting or decrypting more than (2**32 - counter) * 64
bytes would overflow that counter, at which point the underlying
implementation silently diverges from RFC 7539. We now raise ValueError
instead.

Setting the counter portion of the nonce to zero allows encrypting up to
256 GiB with a given nonce. The docs are updated accordingly and no
longer suggest randomizing the full value.

The counter-overflow.txt vectors (and their generator/verifier docs)
captured the old carry behavior, which can no longer be reproduced, so
they are removed in favor of explicit overflow tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
---
 CHANGELOG.rst                                 |  7 ++
 docs/development/custom-vectors/chacha20.rst  | 29 ------
 .../chacha20/generate_chacha20_overflow.py    | 47 ---------
 .../chacha20/verify_chacha20_overflow.py      | 67 -------------
 docs/development/test-vectors.rst             |  4 +-
 .../primitives/symmetric-encryption.rst       | 38 ++++----
 src/rust/src/backend/ciphers.rs               | 97 +++++++++++++++++--
 tests/hazmat/primitives/test_chacha20.py      | 64 +++++++++++-
 .../ciphers/ChaCha20/counter-overflow.txt     | 70 -------------
 .../ciphers/ChaCha20/rfc7539.txt              |  6 +-
 10 files changed, 179 insertions(+), 250 deletions(-)
 delete mode 100644 docs/development/custom-vectors/chacha20.rst
 delete mode 100644 docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py
 delete mode 100644 docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py
 delete mode 100644 vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt

diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index 4e87d9b1b2f6..d8e228431d90 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -12,6 +12,13 @@ Changelog
   We now only publish ``arm64`` wheels for macOS.
 * **BACKWARDS INCOMPATIBLE:** Support for 32-bit Windows has been removed.
   Users should move to a 64-bit Python installation.
+* **BACKWARDS INCOMPATIBLE:** :class:`~cryptography.hazmat.primitives.ciphers.algorithms.ChaCha20`
+  now treats the first 4 bytes of the ``nonce`` as a 32-bit little-endian block
+  counter (as defined in :rfc:`7539`) and tracks the number of bytes processed.
+  Attempting to encrypt or decrypt more data than the counter allows before it
+  would overflow now raises a :class:`ValueError` rather than silently diverging
+  from RFC 7539. Setting the counter portion of the ``nonce`` to zero allows
+  encrypting up to 256 GiB with a given nonce.
 * Fixed cross-compilation of the CFFI bindings when ``PYO3_CROSS_LIB_DIR``
   is set. The build now derives the Python include directory from
   ``PYO3_CROSS_LIB_DIR`` instead of querying the host interpreter, which
diff --git a/docs/development/custom-vectors/chacha20.rst b/docs/development/custom-vectors/chacha20.rst
deleted file mode 100644
index 5fee0c360e35..000000000000
--- a/docs/development/custom-vectors/chacha20.rst
+++ /dev/null
@@ -1,29 +0,0 @@
-ChaCha20 vector creation
-========================
-
-This page documents the code that was used to generate the vectors
-to test the counter overflow behavior in ChaCha20 as well as code
-used to verify them against another implementation.
-
-Creation
---------
-
-The following Python script was run to generate the vector files.
-
-.. literalinclude:: /development/custom-vectors/chacha20/generate_chacha20_overflow.py
-
-Download link: :download:`generate_chacha20_overflow.py
-</development/custom-vectors/chacha20/generate_chacha20_overflow.py>`
-
-
-Verification
-------------
-
-The following Python script was used to verify the vectors. The
-counter overflow is handled manually to avoid relying on the same
-code that generated the vectors.
-
-.. literalinclude:: /development/custom-vectors/chacha20/verify_chacha20_overflow.py
-
-Download link: :download:`verify_chacha20_overflow.py
-</development/custom-vectors/chacha20/verify_chacha20_overflow.py>`
diff --git a/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py b/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py
deleted file mode 100644
index c8ed339f4074..000000000000
--- a/docs/development/custom-vectors/chacha20/generate_chacha20_overflow.py
+++ /dev/null
@@ -1,47 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-import binascii
-import struct
-
-from cryptography.hazmat.primitives import ciphers
-from cryptography.hazmat.primitives.ciphers import algorithms
-
-_N_BLOCKS = [1, 1.5, 2, 2.5, 3]
-_INITIAL_COUNTERS = [2**32 - 1, 2**64 - 1]
-
-
-def _build_vectors():
-    count = 0
-    output = []
-    key = "0" * 64
-    nonce = "0" * 16
-    for blocks in _N_BLOCKS:
-        plaintext = binascii.unhexlify("0" * int(128 * blocks))
-        for counter in _INITIAL_COUNTERS:
-            full_nonce = struct.pack("<Q", counter) + binascii.unhexlify(nonce)
-            cipher = ciphers.Cipher(
-                algorithms.ChaCha20(binascii.unhexlify(key), full_nonce),
-                None,
-            )
-            encryptor = cipher.encryptor()
-            output.append(f"\nCOUNT = {count}")
-            count += 1
-            output.append(f"KEY = {key}")
-            output.append(f"NONCE = {nonce}")
-            output.append(f"INITIAL_BLOCK_COUNTER = {counter}")
-            output.append(f"PLAINTEXT = {binascii.hexlify(plaintext)}")
-            output.append(
-                f"CIPHERTEXT = {binascii.hexlify(encryptor.update(plaintext))}"
-            )
-    return "\n".join(output)
-
-
-def _write_file(data, filename):
-    with open(filename, "w") as f:
-        f.write(data)
-
-
-if __name__ == "__main__":
-    _write_file(_build_vectors(), "counter-overflow.txt")
diff --git a/docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py b/docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py
deleted file mode 100644
index c57fdb753970..000000000000
--- a/docs/development/custom-vectors/chacha20/verify_chacha20_overflow.py
+++ /dev/null
@@ -1,67 +0,0 @@
-# This file is dual licensed under the terms of the Apache License, Version
-# 2.0, and the BSD License. See the LICENSE file in the root of this repository
-# for complete details.
-
-import binascii
-import math
-import struct
-from pathlib import Path
-
-from cryptography.hazmat.primitives.ciphers import Cipher, algorithms
-from tests.utils import load_nist_vectors
-
-BLOCK_SIZE = 64
-MAX_COUNTER = 2**64 - 1
-
-
-def encrypt(
-    key: bytes, nonce: bytes, initial_block_counter: int, plaintext: bytes
-) -> bytes:
-    full_nonce = struct.pack("<Q", initial_block_counter) + nonce
-    encryptor = Cipher(
-        algorithms.ChaCha20(key, full_nonce), mode=None
-    ).encryptor()
-
-    plaintext_len_blocks = math.ceil(len(plaintext) / BLOCK_SIZE)
-    blocks_until_overflow = MAX_COUNTER - initial_block_counter + 1
-
-    if plaintext_len_blocks <= blocks_until_overflow:
-        return binascii.hexlify(encryptor.update(plaintext))
-    else:
-        bytes_until_overflow = min(blocks_until_overflow * 64, len(plaintext))
-        first_batch = binascii.hexlify(
-            encryptor.update(plaintext[:bytes_until_overflow])
-        )
-        # We manually handle the overflow by resetting the counter to zero once
-        # we surpass MAX_COUNTER blocks. This way we can check the vectors are
-        # correct without relying on the same logic that generated them.
-        full_nonce = struct.pack("<Q", 0) + nonce
-        encryptor = Cipher(
-            algorithms.ChaCha20(key, full_nonce), mode=None
-        ).encryptor()
-        second_batch = binascii.hexlify(
-            encryptor.update(plaintext[bytes_until_overflow:])
-        )
-        return first_batch + second_batch
-
-
-def verify_vectors(filename: Path):
-    with open(filename) as f:
-        vector_file = f.read().splitlines()
-
-    vectors = load_nist_vectors(vector_file)
-    for vector in vectors:
-        key = binascii.unhexlify(vector["key"])
-        nonce = binascii.unhexlify(vector["nonce"])
-        ibc = int(vector["initial_block_counter"])
-        pt = binascii.unhexlify(vector["plaintext"])
-
-        computed_ct = encrypt(key, nonce, ibc, pt)
-
-        assert computed_ct == vector["ciphertext"]
-
-
-overflow_path = Path(
-    "vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt"
-)
-verify_vectors(overflow_path)
diff --git a/docs/development/test-vectors.rst b/docs/development/test-vectors.rst
index c36564e34b62..b9cff0c14f0f 100644
--- a/docs/development/test-vectors.rst
+++ b/docs/development/test-vectors.rst
@@ -1173,8 +1173,7 @@ Symmetric ciphers
 * CAST5 (ECB) from :rfc:`2144`.
 * CAST5 (CBC, CFB, OFB) generated by this project.
   See: :doc:`/development/custom-vectors/cast5`
-* ChaCha20 from :rfc:`7539` and generated by this project.
-  See: :doc:`/development/custom-vectors/chacha20`
+* ChaCha20 from :rfc:`7539`.
 * ChaCha20Poly1305 from :rfc:`7539`, `OpenSSL's evpciph.txt`_, and the
   `BoringSSL ChaCha20Poly1305 tests`_.
 * IDEA (ECB) from the `NESSIE IDEA vectors`_ created by `NESSIE`_.
@@ -1220,7 +1219,6 @@ Created Vectors
     custom-vectors/aes-192-gcm-siv
     custom-vectors/arc4
     custom-vectors/cast5
-    custom-vectors/chacha20
     custom-vectors/idea
     custom-vectors/seed
     custom-vectors/hkdf
diff --git a/docs/hazmat/primitives/symmetric-encryption.rst b/docs/hazmat/primitives/symmetric-encryption.rst
index 550b0c5e9a19..8348c8428281 100644
--- a/docs/hazmat/primitives/symmetric-encryption.rst
+++ b/docs/hazmat/primitives/symmetric-encryption.rst
@@ -146,11 +146,8 @@ Algorithms
         :class:`~cryptography.hazmat.primitives.ciphers.aead.ChaCha20Poly1305`
         does this for you.
 
-    ChaCha20 is a stream cipher used in several IETF protocols. While it is
-    standardized in :rfc:`7539`, **this implementation is not RFC-compliant**.
-    This implementation uses a ``64`` :term:`bits` counter and a ``64``
-    :term:`bits` nonce as defined in the `original version`_ of the algorithm,
-    rather than the ``32/96`` counter/nonce split defined in :rfc:`7539`.
+    ChaCha20 is a stream cipher used in several IETF protocols. It is
+    standardized in :rfc:`7539`.
 
     :param key: The secret key. This must be kept secret. ``256``
         :term:`bits` (32 bytes) in length.
@@ -161,30 +158,30 @@ Algorithms
         nonce with the same key compromises the security of every message
         encrypted with that key. The nonce does not need to be kept secret
         and may be included with the ciphertext. This must be ``128``
-        :term:`bits` in length. The 128-bit value is a concatenation of the
-        8-byte little-endian counter and the 8-byte nonce.
+        :term:`bits` in length. The 128-bit value is a concatenation of a
+        4-byte little-endian block counter followed by a 12-byte nonce, as
+        described in :rfc:`7539`.
     :type nonce: :term:`bytes-like`
 
     .. note::
 
-        In the `original version`_ of the algorithm the nonce is defined as a
-        64-bit value that is later concatenated with a block counter (encoded
-        as a 64-bit little-endian). If you have a separate nonce and block
-        counter you will need to concatenate it yourself before passing it.
-        For example, if you have an initial block counter of 2 and a 64-bit
-        nonce the concatenated nonce would be
-        ``struct.pack("<Q", 2) + nonce``.
-
+        The block counter occupies the first 4 bytes of the 128-bit value and
+        is a 32-bit little-endian integer. Each ChaCha20 block encrypts 64
+        bytes, so an initial counter value of ``n`` allows up to
+        ``(2 ** 32 - n) * 64`` bytes to be encrypted before the counter would
+        overflow. We recommend setting the counter portion to zero, which
+        allows encrypting up to 256 GiB with a given nonce. Attempting to
+        encrypt or decrypt more data than the counter allows raises a
+        :class:`ValueError`.
 
     .. doctest::
 
-        >>> import struct, os
+        >>> import os
         >>> from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
         >>> key = os.urandom(32)
-        >>> nonce = os.urandom(8)
-        >>> counter = 0
-        >>> full_nonce = struct.pack("<Q", counter) + nonce
-        >>> algorithm = algorithms.ChaCha20(key, full_nonce)
+        >>> counter = b"\x00\x00\x00\x00"
+        >>> nonce = counter + os.urandom(12)
+        >>> algorithm = algorithms.ChaCha20(key, nonce)
         >>> cipher = Cipher(algorithm, mode=None)
         >>> encryptor = cipher.encryptor()
         >>> ct = encryptor.update(b"a secret message")
@@ -862,7 +859,6 @@ Exceptions
 .. _`Communications Security Establishment`: https://www.cse-cst.gc.ca
 .. _`encrypt`: https://ssd.eff.org/en/module/what-should-i-know-about-encryption
 .. _`CRYPTREC`: https://www.cryptrec.go.jp/en/
-.. _`original version`: https://en.wikipedia.org/wiki/Salsa20#ChaCha_variant
 .. _`significant patterns in the output`: https://en.wikipedia.org/wiki/Block_cipher_mode_of_operation#Electronic_codebook_(ECB)
 .. _`International Data Encryption Algorithm`: https://en.wikipedia.org/wiki/International_Data_Encryption_Algorithm
 .. _`OpenPGP`: https://www.openpgp.org/
diff --git a/src/rust/src/backend/ciphers.rs b/src/rust/src/backend/ciphers.rs
index c22e12dec883..a67c94f8393d 100644
--- a/src/rust/src/backend/ciphers.rs
+++ b/src/rust/src/backend/ciphers.rs
@@ -228,12 +228,67 @@ impl CipherContext {
     }
 }
 
+// ChaCha20 generates 64 bytes of keystream per 32-bit block counter value.
+const CHACHA20_BLOCK_SIZE: u64 = 64;
+
+// The 16-byte ChaCha20 nonce begins with a 32-bit little-endian block counter.
+// Encrypting more than `(2**32 - counter) * 64` bytes would overflow that
+// counter, at which point the underlying implementation silently diverges from
+// RFC 7539 (the counter carries into the rest of the nonce), so we instead
+// refuse to encrypt past that point.
+fn chacha20_byte_limit(counter: u32) -> u64 {
+    ((1u64 << 32) - u64::from(counter)) * CHACHA20_BLOCK_SIZE
+}
+
+// Returns the maximum number of bytes that may be processed before the
+// ChaCha20 block counter would overflow, or `None` if `algorithm` is not
+// ChaCha20.
+fn chacha20_initial_byte_limit(
+    py: pyo3::Python<'_>,
+    algorithm: &pyo3::Bound<'_, pyo3::PyAny>,
+) -> CryptographyResult<Option<u64>> {
+    if algorithm.is_instance(&types::CHACHA20.get(py)?)? {
+        let nonce = algorithm
+            .getattr(pyo3::intern!(py, "nonce"))?
+            .extract::<CffiBuf<'_>>()?;
+        // The nonce is guaranteed to be 16 bytes by the ChaCha20 constructor.
+        let counter = u32::from_le_bytes(nonce.as_bytes()[..4].try_into().unwrap());
+        Ok(Some(chacha20_byte_limit(counter)))
+    } else {
+        Ok(None)
+    }
+}
+
 #[pyo3::pyclass(
     module = "cryptography.hazmat.bindings._rust.openssl.ciphers",
     name = "CipherContext"
 )]
 struct PyCipherContext {
     ctx: Option<CipherContext>,
+    // For ChaCha20 this tracks how many more bytes may be processed before the
+    // 32-bit block counter would overflow. `None` for all other ciphers.
+    bytes_remaining: Option<u64>,
+}
+
+impl PyCipherContext {
+    fn decrement_bytes_remaining(&mut self, n: usize) -> CryptographyResult<()> {
+        if let Some(remaining) = self.bytes_remaining {
+            self.bytes_remaining = Some(
+                remaining
+                    .checked_sub(u64::try_from(n).unwrap())
+                    .ok_or_else(|| {
+                        pyo3::exceptions::PyValueError::new_err(
+                            "Exceeded the maximum number of bytes that can be \
+                             encrypted with ChaCha20 for this nonce. The 32-bit \
+                             counter portion of the nonce would overflow; set the \
+                             counter portion of the nonce to zero to allow \
+                             encrypting up to 256 GiB.",
+                        )
+                    })?,
+            );
+        }
+        Ok(())
+    }
 }
 
 #[pyo3::pyclass(
@@ -270,11 +325,25 @@ impl PyCipherContext {
         py: pyo3::Python<'p>,
         data: CffiBuf<'_>,
     ) -> CryptographyResult<pyo3::Bound<'p, pyo3::types::PyBytes>> {
-        get_mut_ctx(self.ctx.as_mut())?.update(py, data.as_bytes())
+        let data = data.as_bytes();
+        self.decrement_bytes_remaining(data.len())?;
+        get_mut_ctx(self.ctx.as_mut())?.update(py, data)
     }
 
     fn reset_nonce(&mut self, py: pyo3::Python<'_>, nonce: CffiBuf<'_>) -> CryptographyResult<()> {
-        get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce)
+        // Capture the counter before the buffer is moved into the inner reset,
+        // but only apply the new limit once that reset (which validates the
+        // nonce length) succeeds.
+        let counter_bytes: Option<[u8; 4]> = if self.bytes_remaining.is_some() {
+            nonce.as_bytes().get(..4).map(|b| b.try_into().unwrap())
+        } else {
+            None
+        };
+        get_mut_ctx(self.ctx.as_mut())?.reset_nonce(py, nonce)?;
+        if let Some(counter_bytes) = counter_bytes {
+            self.bytes_remaining = Some(chacha20_byte_limit(u32::from_le_bytes(counter_bytes)));
+        }
+        Ok(())
     }
 
     fn update_into(
@@ -283,7 +352,9 @@ impl PyCipherContext {
         data: CffiBuf<'_>,
         mut buf: CffiMutBuf<'_>,
     ) -> CryptographyResult<usize> {
-        get_mut_ctx(self.ctx.as_mut())?.update_into(py, data.as_bytes(), buf.as_mut_bytes())
+        let data = data.as_bytes();
+        self.decrement_bytes_remaining(data.len())?;
+        get_mut_ctx(self.ctx.as_mut())?.update_into(py, data, buf.as_mut_bytes())
     }
 
     fn finalize<'p>(
@@ -523,6 +594,7 @@ fn create_encryption_ctx<'p>(
     algorithm: pyo3::Bound<'_, pyo3::PyAny>,
     mode: pyo3::Bound<'_, pyo3::PyAny>,
 ) -> CryptographyResult<pyo3::Bound<'p, pyo3::PyAny>> {
+    let bytes_remaining = chacha20_initial_byte_limit(py, &algorithm)?;
     let ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Encrypt)?;
 
     if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? {
@@ -540,9 +612,12 @@ fn create_encryption_ctx<'p>(
         .into_pyobject(py)?
         .into_any())
     } else {
-        Ok(PyCipherContext { ctx: Some(ctx) }
-            .into_pyobject(py)?
-            .into_any())
+        Ok(PyCipherContext {
+            ctx: Some(ctx),
+            bytes_remaining,
+        }
+        .into_pyobject(py)?
+        .into_any())
     }
 }
 
@@ -552,6 +627,7 @@ fn create_decryption_ctx<'p>(
     algorithm: pyo3::Bound<'_, pyo3::PyAny>,
     mode: pyo3::Bound<'_, pyo3::PyAny>,
 ) -> CryptographyResult<pyo3::Bound<'p, pyo3::PyAny>> {
+    let bytes_remaining = chacha20_initial_byte_limit(py, &algorithm)?;
     let mut ctx = CipherContext::new(py, algorithm, mode.clone(), openssl::symm::Mode::Decrypt)?;
 
     if mode.is_instance(&types::MODE_WITH_AUTHENTICATION_TAG.get(py)?)? {
@@ -575,9 +651,12 @@ fn create_decryption_ctx<'p>(
         .into_pyobject(py)?
         .into_any())
     } else {
-        Ok(PyCipherContext { ctx: Some(ctx) }
-            .into_pyobject(py)?
-            .into_any())
+        Ok(PyCipherContext {
+            ctx: Some(ctx),
+            bytes_remaining,
+        }
+        .into_pyobject(py)?
+        .into_any())
     }
 }
 
diff --git a/tests/hazmat/primitives/test_chacha20.py b/tests/hazmat/primitives/test_chacha20.py
index 3ade8b9e2eb1..6596e65d93c7 100644
--- a/tests/hazmat/primitives/test_chacha20.py
+++ b/tests/hazmat/primitives/test_chacha20.py
@@ -27,7 +27,7 @@ class TestChaCha20:
         "vector",
         _load_all_params(
             os.path.join("ciphers", "ChaCha20"),
-            ["counter-overflow.txt", "rfc7539.txt"],
+            ["rfc7539.txt"],
             load_nist_vectors,
         ),
     )
@@ -42,6 +42,68 @@ def test_vectors(self, vector, backend):
         computed_ct = encryptor.update(pt) + encryptor.finalize()
         assert binascii.hexlify(computed_ct) == vector["ciphertext"]
 
+    def _nonce_with_counter(self, counter: int) -> bytes:
+        # The 16-byte ChaCha20 nonce is a 4-byte little-endian block counter
+        # followed by a 12-byte nonce.
+        return struct.pack("<I", counter) + b"\x00" * 12
+
+    def test_counter_overflow_single_update(self, backend):
+        key = b"\x00" * 32
+        # A counter of 2**32 - 1 leaves room for exactly one 64-byte block
+        # before the 32-bit counter would overflow.
+        nonce = self._nonce_with_counter(2**32 - 1)
+        enc = Cipher(
+            algorithms.ChaCha20(key, nonce), None, backend
+        ).encryptor()
+        with pytest.raises(ValueError):
+            enc.update(b"\x00" * 65)
+
+    def test_counter_overflow_across_updates(self, backend):
+        key = b"\x00" * 32
+        nonce = self._nonce_with_counter(2**32 - 1)
+        enc = Cipher(
+            algorithms.ChaCha20(key, nonce), None, backend
+        ).encryptor()
+        # Exactly one block is allowed.
+        assert len(enc.update(b"\x00" * 64)) == 64
+        with pytest.raises(ValueError):
+            enc.update(b"\x00")
+
+    def test_counter_overflow_decrypt(self, backend):
+        key = b"\x00" * 32
+        nonce = self._nonce_with_counter(2**32 - 1)
+        dec = Cipher(
+            algorithms.ChaCha20(key, nonce), None, backend
+        ).decryptor()
+        with pytest.raises(ValueError):
+            dec.update(b"\x00" * 65)
+
+    def test_counter_overflow_update_into(self, backend):
+        key = b"\x00" * 32
+        nonce = self._nonce_with_counter(2**32 - 1)
+        enc = Cipher(
+            algorithms.ChaCha20(key, nonce), None, backend
+        ).encryptor()
+        buf = bytearray(65 + 64)
+        with pytest.raises(ValueError):
+            enc.update_into(b"\x00" * 65, buf)
+
+    def test_counter_overflow_after_reset_nonce(self, backend):
+        key = b"\x00" * 32
+        low = self._nonce_with_counter(0)
+        high = self._nonce_with_counter(2**32 - 1)
+        enc = Cipher(algorithms.ChaCha20(key, low), None, backend).encryptor()
+        # A zero counter allows plenty of data.
+        enc.update(b"\x00" * 128)
+        # Resetting to a near-overflow counter shrinks the available budget.
+        enc.reset_nonce(high)
+        enc.update(b"\x00" * 64)
+        with pytest.raises(ValueError):
+            enc.update(b"\x00")
+        # Resetting back to a zero counter restores the budget.
+        enc.reset_nonce(low)
+        enc.update(b"\x00" * 128)
+
     def test_buffer_protocol(self, backend):
         key = bytearray(os.urandom(32))
         nonce = bytearray(os.urandom(16))
diff --git a/vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt b/vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt
deleted file mode 100644
index 8201e30dfa88..000000000000
--- a/vectors/cryptography_vectors/ciphers/ChaCha20/counter-overflow.txt
+++ /dev/null
@@ -1,70 +0,0 @@
-
-COUNT = 0
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 4294967295
-PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d
-
-COUNT = 1
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 18446744073709551615
-PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b17689
-
-COUNT = 2
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 4294967295
-PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a
-
-COUNT = 3
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 18446744073709551615
-PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7
-
-COUNT = 4
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 4294967295
-PLAINTEXT = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a5819469899989690c281cd17c96159af0682b5b903468a61f50228cf09622b5a
-
-COUNT = 5
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 18446744073709551615
-PLAINTEXT = 0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee6586
-
-COUNT = 6
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 4294967295
-PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a5819469899989690c281cd17c96159af0682b5b903468a61f50228cf09622b5a46f0f6efee15c8f1b198cb49d92b990867905159440cc723916dc00128269810
-
-COUNT = 7
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 18446744073709551615
-PLAINTEXT = 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee65869f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed
-
-COUNT = 8
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 4294967295
-PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = ace4cd09e294d1912d4ad205d06f95d9c2f2bfcf453e8753f128765b62215f4d92c74f2f626c6a640c0b1284d839ec81f1696281dafc3e684593937023b58b1d3db41d3aa0d329285de6f225e6e24bd59c9a17006943d5c9b680e3873bdc683a5819469899989690c281cd17c96159af0682b5b903468a61f50228cf09622b5a46f0f6efee15c8f1b198cb49d92b990867905159440cc723916dc0012826981039ce1766aa2542b05db3bd809ab142489d5dbfe1273e7399637b4b3213768aaa
-
-COUNT = 9
-KEY = 0000000000000000000000000000000000000000000000000000000000000000
-NONCE = 0000000000000000
-INITIAL_BLOCK_COUNTER = 18446744073709551615
-PLAINTEXT = 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
-CIPHERTEXT = d7918cd8620cf832532652c04c01a553092cfb32e7b3f2f5467ae9674a2e9eec17368ec8027a357c0c51e6ea747121fec45284be0f099d2b3328845607b1768976b8e0ada0f13d90405d6ae55386bd28bdd219b8a08ded1aa836efcc8b770dc7da41597c5157488d7724e03fb8d84a376a43b8f41518a11cc387b669b2ee65869f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29b721769ce64e43d57133b074d839d531ed1f28510afb45ace10a1f4b794d6f
\ No newline at end of file
diff --git a/vectors/cryptography_vectors/ciphers/ChaCha20/rfc7539.txt b/vectors/cryptography_vectors/ciphers/ChaCha20/rfc7539.txt
index 2b344b73c127..c3c76bc8f0ab 100644
--- a/vectors/cryptography_vectors/ciphers/ChaCha20/rfc7539.txt
+++ b/vectors/cryptography_vectors/ciphers/ChaCha20/rfc7539.txt
@@ -1,7 +1,7 @@
 # The vectors are from RFC 7539 Appendix A.2. They are reformatted into NIST
-# form for our vector loaders, and adapted to use a 64/64 bit counter/nonce
-# split (matching our implementation), rather than the 32/96 split defined
-# in the RFC.
+# form for our vector loaders. The INITIAL_BLOCK_COUNTER and NONCE columns are
+# loaded as the 32-bit little-endian block counter and 96-bit nonce defined in
+# the RFC, concatenated to form the 128-bit value passed to ChaCha20.
 
 COUNT = 0
 KEY = 0000000000000000000000000000000000000000000000000000000000000000

From 9ac724f2e79054cffba27bfc8c00edeb3aa67c8d Mon Sep 17 00:00:00 2001
From: Paul Kehrer <paul.l.kehrer@gmail.com>
Date: Sun, 7 Jun 2026 10:28:35 -0700
Subject: [PATCH 2/2] look spellchecker, GiB is real even if we wish it wasn't

---
 docs/spelling_wordlist.txt | 1 +
 1 file changed, 1 insertion(+)

diff --git a/docs/spelling_wordlist.txt b/docs/spelling_wordlist.txt
index e7fcf529e5e0..d26db8150758 100644
--- a/docs/spelling_wordlist.txt
+++ b/docs/spelling_wordlist.txt
@@ -69,6 +69,7 @@ Fernet
 fernet
 FIPS
 Gaynor
+GiB
 Google
 Graviola
 hazmat