[noise] Query about the definition of CipherState.encryptWithAd
Trevor Perrin
trevp at trevp.net
Sat May 2 03:01:55 PDT 2020
On Fri, May 1, 2020 at 8:35 AM Mike Hearn <mike at plan99.net> wrote:
> During a code review a colleague flagged an issue that I don't have a
> great answer for.
>
> The Noise spec requires that the EncryptWithAd operation might not
> actually encrypt, if it's called before the key is set. This seems
> surprising and potentially a source of subtle bugs. I'd have expected an
> error to be signalled if you attempt an encryption or decryption operation
> without a key.
>
> It appears it's defined this way to make WriteMessage simpler when
> processing an initial key in the first part of a handshake, before any DH
> operation has run. Everything being written out can be passed through
> EncryptAndHash without a special case for the position where no key is
> available. But translated directly to code this results in a rather odd
> exception inside the core encryption codepath which just looks all wrong.
>
Hi Mike,
Yeah, we did it this way to look simpler in ReadMessage / WriteMessage but
I agree it looks weird to have a function named "EncryptWithAd" that might
not encrypt. I think this is unlikely to be a source of bugs because
handshake processing is so simple and rigid it should be easy to test
exhaustively with our test vectors.
But still, we could probably improve this. If you (or your colleague) want
to try rewriting it I'm sure we'd be happy to take a look.
Trevor
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://moderncrypto.org/mail-archive/noise/attachments/20200502/5e39ad9b/attachment.html>
More information about the Noise
mailing list