deoxys: rewrite the internals to use inout#666
Merged
newpavlov merged 6 commits intoRustCrypto:masterfrom Mar 24, 2025
Merged
Conversation
baloo
commented
Mar 16, 2025
| [dependencies] | ||
| aead = { version = "0.6.0-rc.0", default-features = false } | ||
| aes = { version = "=0.9.0-pre.3", features = ["hazmat"], default-features = false } | ||
| inout = { version = "0.2.0-rc.4", default-features = false } |
Member
Author
There was a problem hiding this comment.
Eventually this should drop and use aead::inout
baloo
force-pushed
the
baloo/deoxys/inout-internals
branch
2 times, most recently
from
70de0a6 to
787a1d3
Compare
Member
|
@baloo can you add one or more tests that actually exercise |
baloo
force-pushed
the
baloo/deoxys/inout-internals
branch
from
c517aa5 to
3396c54
Compare
Member
Author
|
Yeah, found a misuse of |
tarcieri
reviewed
Mar 16, 2025
tarcieri
approved these changes
Mar 16, 2025
Merged
baloo
force-pushed
the
baloo/deoxys/inout-internals
branch
from
3396c54 to
3549927
Compare
newpavlov
approved these changes
Mar 17, 2025
Member
newpavlov
left a comment
newpavlov
left a comment
There was a problem hiding this comment.
This PR includes a fair amount of changes which are not directly relevant to the inout support. Ideally, I would prefer to have them in a separate PR, but it's fine to merge it as-is, if you don't wan to bother with the split.
baloo
force-pushed
the
baloo/deoxys/inout-internals
branch
from
3549927 to
29fbddb
Compare
baloo
force-pushed
the
baloo/deoxys/inout-internals
branch
3 times, most recently
from
d6a9bd2 to
c7bc9a5
Compare
baloo
force-pushed
the
baloo/deoxys/inout-internals
branch
2 times, most recently
from
a79861d to
c9c5606
Compare
baloo
force-pushed
the
baloo/deoxys/inout-internals
branch
from
c9c5606 to
9be4164
Compare
Member
Author
|
I think this one is ready to merge, unless you have anything other to say. |
newpavlov
reviewed
Mar 24, 2025
| block[0..data.len()].copy_from_slice(data); | ||
| let mut data = tail; | ||
| let index = data_blocks_len; | ||
| if !data.is_empty() { |
Member
There was a problem hiding this comment.
buffer_len % 16 == 0 is always true when !data.is_empty() is false. I think it would be better to write this part like this:
if tail.is_empty() {
// Without incomplete last block
...
} else {
// With incomplete last block
...
}Same for decrypt_inout.
Member
Author
There was a problem hiding this comment.
the best I can do will look this:
diff --git a/deoxys/src/modes.rs b/deoxys/src/modes.rs
index 0f91ec36e0..e6ed2cd000 100644
--- a/deoxys/src/modes.rs
+++ b/deoxys/src/modes.rs
@@ -111,12 +111,11 @@
tweak[8] = nonce[7] << 4;
// Message authentication and encryption
- if !buffer.is_empty() {
+ let (data_blocks, mut tail) = buffer.into_chunks();
+ let data_blocks_len = data_blocks.len();
+ if !data_blocks.is_empty() || !tail.is_empty() {
tweak[0] = (tweak[0] & 0xf) | TWEAK_M;
- let (data_blocks, tail) = buffer.into_chunks();
- let data_blocks_len = data_blocks.len();
-
for (index, data) in data_blocks.into_iter().enumerate() {
// Copy block number
let tmp = tweak[8] & 0xf0;
@@ -130,9 +129,8 @@
B::encrypt_inout(data, &tweak, subkeys);
}
- let mut data = tail;
let index = data_blocks_len;
- if !data.is_empty() {
+ if !tail.is_empty() {
// Last block, incomplete
// Copy block number
@@ -144,9 +142,9 @@
tweak[0] = (tweak[0] & 0xf) | TWEAK_M_LAST;
let mut block = Block::default();
- block[0..data.len()].copy_from_slice(data.get_in());
+ block[0..tail.len()].copy_from_slice(tail.get_in());
- block[data.len()] = 0x80;
+ block[tail.len()] = 0x80;
for (c, d) in checksum.iter_mut().zip(block.iter()) {
*c ^= d;
@@ -157,24 +155,23 @@
// Last block encryption
B::encrypt_inout((&mut block).into(), &tweak, subkeys);
- data.xor_in2out((block[..data.len()]).into());
-
- // Tag computing.
- tweak[0] = (tweak[0] & 0xf) | TWEAK_CHKSUM;
-
- let tmp = tweak[8] & 0xf0;
- tweak[8..].copy_from_slice(&((index + 1) as u64).to_be_bytes());
- tweak[8] = (tweak[8] & 0xf) | tmp;
-
- B::encrypt_inout((&mut checksum).into(), tweak.as_ref(), subkeys);
-
- for (t, c) in tag.iter_mut().zip(checksum.iter()) {
- *t ^= c;
- }
+ tail.xor_in2out((block[..tail.len()]).into());
}
}
- if buffer_len % 16 == 0 {
+ if !tail.is_empty() {
+ tweak[0] = (tweak[0] & 0xf) | TWEAK_CHKSUM;
+
+ let tmp = tweak[8] & 0xf0;
+ tweak[8..].copy_from_slice(&((data_blocks_len + 1) as u64).to_be_bytes());
+ tweak[8] = (tweak[8] & 0xf) | tmp;
+
+ B::encrypt_inout((&mut checksum).into(), tweak.as_ref(), subkeys);
+
+ for (t, c) in tag.iter_mut().zip(checksum.iter()) {
+ *t ^= c;
+ }
+ } else {
// Tag computing without last block
tweak[0] = (tweak[0] & 0xf) | TWEAK_TAG;
That makes the whole patch series a lot less readable in my opinion (even when ignoring whitespace).
Member
There was a problem hiding this comment.
Ok, we can do it in a different PR then.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is to prepare the migration to
AeadInOut, following RustCrypto/traits#1793Note: there is a strong chance this could actually use the StreamCipherCore api, but I couldn't not make it fit.