Ctr128 switch counter u64 to u128 #75
Conversation
|
Whoops, the initial PR uses |
|
This might be acceptable, but we'd need to increase MSRV. Thanks for the PR! Will wait to hear from @newpavlov on increasing MSRV. |
- Fixes all existing clippy warnings - Applies same refactoring from #75 to the `salsa20` crate
- Fixes all existing clippy warnings - Applies same refactoring from #75 to the `salsa20` crate
|
Well, might as well make this non-draft until MSRV decision has been made. |
|
I understand that the MSRV has been raised already, am I wrong? |
koivunej
force-pushed
the
ctr128-64to128
branch
from
3c5a767 to
51f9398
Compare
|
Force pushed a rebase on top of the latest master, zero conflicts, changed the first commit as conventional as the second. |
|
I'd say bump it to 1.34. |
|
Sorry, I haven't made much progress with the test cases. I've been thinking about this more though, and my conclusion is that this is a nasty silent/sometimes breaking change for anyone trying to integrate a pre-PR and post-PR code together. From that I deduce that the previous counter behaviour must be chooseable (previous or "openssl compat" behaviour). I don't have a proposal for such yet, but probably this it's ok to keep this open and to catch discussion on the topic. |
|
@koivunej well, the good news is I've bumped MSRV all the way to 1.41. The bad news is I've done a 2018 edition upgrade and you'll need to rebase your PR. Regarding this:
It seems like the I think we need to split |
Thanks for the ping, I think the rebasing is the easier part :)
I don't know the specifics of those different flavors but something like this was my thinking as well. I think you mentioned this in a another issue already.
My first idea for this was a generic "counter" parameter which would be a newtype (over Of course if someone else wants to take a crack at this and/or has the code already done, please don't take this PR as a lock of me insisting to be the one to complete this. |
tarcieri
left a comment
tarcieri
left a comment
There was a problem hiding this comment.
I think this will break crates like AES-SIV which (as an algorithm) rely on the existing implementation.
I think we need to factor apart some different Ctr types. We need the current one, but we can add additional ones.
|
@koivunej I tried rebasing this but unfortunately it seems the implementation has diverged quite a bit. I think these changes ultimately make sense and our failure to match OpenSSL behavior represents a defect. If you're interested in rebasing this, that'd be great. |
|
Thanks for pinging me :) Yeah, this got lost on my radar as I couldn't find the test vectors. With libp2p getting first class noise support this isn't anymore a factor in rust-ipfs. However I can try the rebase this week-ish and see for myself, having anything working will make the generic counter refactor easier as the next step. I have been trying to think about the tests. Originally I used quickcheck'd tests comparing output from openssl to aes-ctr, but didn't include them here because of license concerns. Have you considered including such "interoperability" tests in the codebase, would that create an issue with licensing? |
|
@koivunej awesome, thanks!
There are various places we've used |
koivunej
force-pushed
the
ctr128-64to128
branch
from
32000ad to
733e350
Compare
|
@tarcieri earlier:
Can confirm, a lot of time can be wasted this route :) The u64 -> u128 replacement was quite easy to just do, I've reset the PR branch to this work now.. I'll see next about getting that random test case going, and why does that build step fail. EDIT: Wanted to add, intentionally leaving the question open on what to do with the dependent crates like AES-SIV. I'd kind of want to see the counter working as an another generic type but didn't again do anything related to this yet, at least. |
@koivunej I'll need to evaluate it on a case-by-case basis. AES-SIV is in a weird position where it always clears some counter bits to make it possible to use with 32-bit, 64-bit, or 128-bit counters internally, so I don't think it will be a problem.
That seems somewhat tricky. It was already somewhat tricky dealing with endianness in the |
Yeah I can kinda see how that'd happen.. I had to write it since it's my only idea so far :) RE: openssl in the dev-dependencies, that cannot work as we cannot have optional dev dependencies, also I got some ugly linker errors which went away with a compiling without lld-9 and never came back. Now that the test case is back up to date (in an Also, I think you reran the tests. I wonder why am I not seeing that failure over here, perhaps I'll look into it next. |
Yeah, AES-GCM-SIV has some "counter wrap" tests like this (albeit for its 32-bit little endian counter), for example: https://tools.ietf.org/html/rfc8452#appendix-C.3
Nope! |
I must have seen this wrong, or there was some github ui loading issue. Nevermind :) It seems that the test failure is with Lets see if I can make anything out of this... Not much, I dont know the construction at all. I'll push what I have at the moment next. |
I was just pointing it out as an example of a test for counter wrapping behavior. It sounds like you get the basic idea. |
koivunej
force-pushed
the
ctr128-64to128
branch
from
733e350 to
22912cc
Compare
|
Pushed the latest. In 4641aa8 I've used the The openssl could not had been added in aes-ctr because of the previously linked "optional dev-dependencies are not allowed", which would mean stdification of the crate by default and only being no_std without dev-dependencies. I'd like to keep it out of this repository because as a workspace member it'll add unnecessary items to Cargo.lock. The CI running the tests, the last step with I did try extracting the So what would be the next steps? File a bug against block-ciphers for the |
|
@koivunej if you rebase, the I think we should change the AES-CTR implementation in the |
before the counter used to be an u64 which would produce different output whenever nonce plus counter should had affected the upper 64-bits as well. this fixes most of the code to use u128 as both nonce and counter and wrapping operations to match openssl aes-ctr-128.
koivunej
force-pushed
the
ctr128-64to128
branch
from
22912cc to
29c68cd
Compare
|
@tarcieri rebased, dropped other than the actual changes. The previous version changes can be found at: https://github.com/koivunej/stream-ciphers/tree/ctr128-64to128_nth_revision Updating the PR desc next. |
|
@newpavlov what do you think about these changes? We'd need to make similar ones in the |
newpavlov
left a comment
newpavlov
left a comment
There was a problem hiding this comment.
Looks good, but I think we should postpone release with this change until cipher v0.3 release and ideally have all 32, 64 and 128 bit variants, including BE and LE flavors.
|
Yeah I agree, we can rename the current |
3 participants
Start fixing issue #12. Used the static data from issue to create a test case. Have done some randomized testing with original poc without any issues. At one point included wrap around tests to make sure aes-ctr matched output of openssl, see comment.