
RustCrypto AES/GCM and ChaCha20+Poly1305 Implementation Review - ciprian_craciun
https://research.nccgroup.com/2020/02/26/public-report-rustcrypto-aes-gcm-and-chacha20poly1305-implementation-review/
======
ciprian_craciun
It's nice to know there are a few "safe" Rust crypto primitives (especially
the `ChaCha20+Poly1305` which is also found in `libsodium`):

* AES/GCM: [https://github.com/RustCrypto/AEADs/tree/master/aes-gcm](https://github.com/RustCrypto/AEADs/tree/master/aes-gcm)

* ChaCha20+Poly1305: [https://github.com/RustCrypto/AEADs/tree/master/chacha20poly...](https://github.com/RustCrypto/AEADs/tree/master/chacha20poly1305)

Quoting from the "key findings" of that report:

> NCC Group did not find any vulnerability in the audited crates.
>
> The RustCrypto implementations use all the recommended techniques to achieve
> constant-time implementations; in particular, the fallback AES
> implementation (to be used when there are no usable hardware AES opcodes)
> uses bitslicing to avoid any table lookups at secret-dependent addresses.
> Similarly, received authentication tags are compared with constant-time
> comparison functions.
>
> A few cosmetic remarks, mostly related to potential performance
> improvements, have been assembled into RustCrypto.

----

It seems that the audited code also includes:

* `aes-gcm` and `chacha20poly1305`: [https://github.com/RustCrypto/AEADs/tree/a15698fdba23ffb17b8...](https://github.com/RustCrypto/AEADs/tree/a15698fdba23ffb17b84d9ecaa2c9c80706ecf03)

* `aes` from RustCrypto/block-ciphers: [https://github.com/RustCrypto/block-ciphers/tree/e385f1ebb2e...](https://github.com/RustCrypto/block-ciphers/tree/e385f1ebb2ec48547194e51c5193309ee328d93b)

* `chacha20` and `salsa20-core`: [https://github.com/RustCrypto/stream-ciphers/tree/1235638004...](https://github.com/RustCrypto/stream-ciphers/tree/1235638004c21dee4e76af4cc932cf1cd815e8f9)

* `aead`, `stream-cipher` and `universal-hash`: [https://github.com/RustCrypto/traits/tree/4569d256f02ac0ecef...](https://github.com/RustCrypto/traits/tree/4569d256f02ac0ecefa393baf225fb4a6df35875)

* `ghash`, `poly1305` and `polyval`: [https://github.com/RustCrypto/universal-hashes/tree/1ab06bd7...](https://github.com/RustCrypto/universal-hashes/tree/1ab06bd79542e75490468b227dd3c2cbe42d3d92)
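The "received authentication tags are compared with constant-time comparison functions" finding quoted above is worth seeing concretely. The following is an added illustration, not code from the RustCrypto crates, the NCC report, or the commenter: it places a leaky early-exit tag comparison next to the constant-time pattern the audit looked for, and instruments both with a byte counter (a constructed stand-in for elapsed time) so the difference is visible without a timer. The tag bytes are constructed sample values, not real MAC output; the `subtle` crate mentioned in the comments is what the real crates use for this.

```rust
// Added example: contrasts a timing-leaky tag comparison with a
// constant-time one. Not the crates' own code. The `examined` counter
// is a constructed proxy for how long each comparison would take.

const TAG_LEN: usize = 16; // Poly1305 and GCM tags are 16 bytes

/// Leaky: returns as soon as a byte differs. The number of bytes examined
/// (and so the time taken) reveals how many leading bytes of a candidate
/// tag were correct, which is exactly the side channel an authenticated
/// cipher must not expose.
pub fn tag_eq_early_exit(expected: &[u8; TAG_LEN], received: &[u8; TAG_LEN]) -> (bool, usize) {
    let mut examined = 0;
    for i in 0..TAG_LEN {
        examined += 1;
        if expected[i] != received[i] {
            return (false, examined);
        }
    }
    (true, examined)
}

/// Constant-time pattern: always walks every byte, OR-ing each XOR
/// difference into one accumulator, so no branch and no loop bound depends
/// on secret data; only the final combined value is tested. The RustCrypto
/// crates use the `subtle` crate (ConstantTimeEq) for this, which also
/// takes steps to stop the optimiser reintroducing an early exit.
pub fn tag_eq_constant_time(expected: &[u8; TAG_LEN], received: &[u8; TAG_LEN]) -> (bool, usize) {
    let mut acc: u8 = 0;
    let mut examined = 0;
    for i in 0..TAG_LEN {
        examined += 1;
        acc |= expected[i] ^ received[i];
    }
    (acc == 0, examined)
}

fn main() {
    // Constructed sample tags (not output of any real MAC).
    let good: [u8; TAG_LEN] = [0xAA; TAG_LEN];
    let mut forged = good;
    forged[0] ^= 0x01; // wrong in the very first byte
    let mut near_miss = good;
    near_miss[TAG_LEN - 1] ^= 0x01; // wrong only in the last byte

    for (name, candidate) in [("forged", forged), ("near_miss", near_miss), ("good", good)] {
        let (ok_leaky, n_leaky) = tag_eq_early_exit(&good, &candidate);
        let (ok_ct, n_ct) = tag_eq_constant_time(&good, &candidate);
        println!(
            "{}: early-exit -> {} after {} bytes; constant-time -> {} after {} bytes",
            name, ok_leaky, n_leaky, ok_ct, n_ct
        );
    }
}
```

Running it shows the early-exit version stopping after 1 byte for the `forged` tag but after 16 for `near_miss`, while the constant-time version examines all 16 bytes regardless of input; the results agree on every tag, only the work done differs, which is the whole point.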

