
QUIC Crypto Primitives Support (swift-crypto issue, open, 6 comments)

apple commented on August 17, 2024

QUIC Crypto Primitives Support

from swift-crypto.

Comments (6)

Lukasa commented on August 17, 2024

Thanks for this; this is a reasonable ask.

For the 4-byte counter, this will need to be discussed with the CryptoKit team; I'll take that suggestion to them. For the AES-ECB use case, I'll note that swift-crypto provides an AES block function primitive in _CryptoExtras:

```swift
public static func permute<Payload: MutableCollection>(_ payload: inout Payload, key: SymmetricKey) throws where Payload.Element == UInt8
```

which can be used to build up an AES-ECB implementation fairly trivially.


FredericJacobs commented on August 17, 2024

Hey @btoms20,

Thanks for this proposal. As @Lukasa said, swift-crypto already provides the AES permutation function, from which you can do one-block ECB, since you only need a single block for header protection.

Regarding the proposal to expose counters, the challenge is that the counter is really an internal construct of ChaCha20 (which we don't officially support with POLY1305 authentication).

The swift-crypto API is really designed to be misuse resistant, and exposing the counter through an API is clearly very risky, so we would likely make this some sort of Insecure-prefixed extension function.

However, as it currently stands, we are not supporting stream ciphers without authentication. And therefore, it would be a bit of a stretch to have a way to set the counter on top of our existing AEAD API.

But we can keep this request to revisit this if we have any developments on unauthenticated stream ciphers.

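To make concrete what both comments above describe (one AES block permutation is exactly the AES-ECB "mask" that QUIC header protection needs), here is an added example; it is not code from the issue, the swift-crypto project, or its authors. It assumes the quoted `permute` function is reachable as `AES.permute(_:key:)` from `_CryptoExtras`, and the packet layout and key are constructed demo values following RFC 9001 Section 5.4, not a real QUIC packet or RFC test vector.

```swift
import Crypto
import _CryptoExtras   // assumed: AES.permute(_:key:) is exposed here

enum HeaderProtectionError: Error { case packetTooShort, badSample }

/// Header-protection mask for AES-based QUIC AEADs (RFC 9001, 5.4.3):
/// mask = AES-ECB(hp_key, sample), which is exactly one AES block permutation.
func aesHeaderProtectionMask(hpKey: SymmetricKey, sample: ArraySlice<UInt8>) throws -> [UInt8] {
    guard sample.count == 16 else { throw HeaderProtectionError.badSample }
    var block = Array(sample)
    try AES.permute(&block, key: hpKey)
    return Array(block.prefix(5))          // only the first 5 mask bytes are used
}

/// Applies header protection in place (RFC 9001, 5.4.1). `pnOffset` is the index
/// of the first packet-number byte; the 16-byte sample starts 4 bytes after it.
func protectHeader(_ packet: inout [UInt8], pnOffset: Int, hpKey: SymmetricKey) throws {
    let sampleStart = pnOffset + 4
    guard packet.count >= sampleStart + 16 else { throw HeaderProtectionError.packetTooShort }
    let mask = try aesHeaderProtectionMask(hpKey: hpKey, sample: packet[sampleStart..<sampleStart + 16])
    let pnLength = Int(packet[0] & 0x03) + 1   // read before the first byte is masked
    let isLongHeader = packet[0] & 0x80 != 0   // long header masks 4 bits, short masks 5
    packet[0] ^= mask[0] & (isLongHeader ? 0x0f : 0x1f)
    for i in 0..<pnLength { packet[pnOffset + i] ^= mask[1 + i] }
}

/// Removes header protection in place. The sample position does not depend on the
/// packet-number length, so the mask can be computed before that length is known.
func unprotectHeader(_ packet: inout [UInt8], pnOffset: Int, hpKey: SymmetricKey) throws {
    let sampleStart = pnOffset + 4
    guard packet.count >= sampleStart + 16 else { throw HeaderProtectionError.packetTooShort }
    let mask = try aesHeaderProtectionMask(hpKey: hpKey, sample: packet[sampleStart..<sampleStart + 16])
    let isLongHeader = packet[0] & 0x80 != 0
    packet[0] ^= mask[0] & (isLongHeader ? 0x0f : 0x1f)
    let pnLength = Int(packet[0] & 0x03) + 1   // now readable: the first byte is unmasked
    for i in 0..<pnLength { packet[pnOffset + i] ^= mask[1 + i] }
}

// Constructed demo values, not a real QUIC packet or an RFC test vector.
let hpKey = SymmetricKey(size: .bits128)
var packet: [UInt8] = [0xc3]                       // long header, pn length 4
packet += [UInt8](repeating: 0x11, count: 8)       // version + connection IDs (placeholder)
packet += [0x00, 0x00, 0x00, 0x01]                 // packet number
packet += (0..<20).map { UInt8($0) }               // ciphertext that supplies the sample
let original = packet
try protectHeader(&packet, pnOffset: 9, hpKey: hpKey)
try unprotectHeader(&packet, pnOffset: 9, hpKey: hpKey)
precondition(packet == original, "round trip must restore the header")
```

Because the mask is XORed in, the same mask applied twice restores the header, which is what the round trip at the end checks; in a real implementation the packet-number offset comes from parsing the header fields, not from a constant.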

Lukasa commented on August 17, 2024

It may be worth double-checking whether BoringSSL supports setting this flag. I did a quick scan earlier today and couldn't see an interface for it, but I might have missed something. If they don't, we'd want to make sure that they added that support. If they do, then you're welcome to open a PR to _CryptoExtras to add the feature directly.


btoms20 commented on August 17, 2024

Hey @Lukasa, I followed your advice, did some digging, and found the BoringSSL function required to support this change. I implemented a rough PR #169 that I'd appreciate your feedback on when you get the chance.


btoms20 commented on August 17, 2024

@Lukasa, thanks for pointing that out!

@FredericJacobs, sounds good and understood. Hopefully it can make its way into the Insecure API in the future.

Thanks for the quick responses!


btoms20 commented on August 17, 2024

I had completely overlooked _CryptoExtras. Maybe if / when the Insecure ChaCha20 Counter extension gets implemented, it could be tucked away in _CryptoExtras with a not-so-public API and all of the appropriate / necessary warnings. That might help deter your average user from unknowingly misusing it.

