From aaab6f38122261f7527e9a04b24972d09b775689 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 25 Apr 2022 15:39:26 -0400 Subject: [PATCH] Upgrade to AES 0.8 Now that we require Rust 1.56, we can upgrade to AES 0.8. This forces us to have some slight API changes. We require cipher 0.4.1, not cipher 0.4.0, since 0.4.0 has compatibility issues with Rust 1.56. --- Cargo.lock | 27 ++++++++++++------- crates/tor-llcrypto/Cargo.toml | 5 ++-- crates/tor-llcrypto/src/cipher.rs | 6 ++++- crates/tor-llcrypto/tests/testvec.rs | 2 +- crates/tor-proto/Cargo.toml | 2 +- crates/tor-proto/src/crypto/cell.rs | 4 +-- .../tor-proto/src/crypto/handshake/hs_ntor.rs | 2 +- .../tor-proto/src/crypto/handshake/ntor_v3.rs | 2 +- doc/semver_status.md | 4 +++ 9 files changed, 36 insertions(+), 18 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 08cc56a50..a91ce8143 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -19,15 +19,13 @@ checksum = "f26201604c87b1e01bd3d98f8d5d9a8fcbb815e8cedb41ffccbeb4bf593a35fe" [[package]] name = "aes" -version = "0.7.5" +version = "0.8.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9e8b47f52ea9bae42228d07ec09eb676433d7c4ed1ebdf0f1d1c29ed446f1ab8" +checksum = "bfe0133578c0986e1fe3dfcd4af1cc5b2dd6c3dbf534d69916ce16a2701d40ba" dependencies = [ "cfg-if 1.0.0", "cipher", "cpufeatures", - "ctr", - "opaque-debug", ] [[package]] @@ -630,11 +628,12 @@ checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" [[package]] name = "cipher" -version = "0.3.0" +version = "0.4.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7ee52072ec15386f770805afd189a01c8841be8696bed250fa2f13c4c0d6dfb7" +checksum = "d1873270f8f7942c191139cb8a40fd228da6c3fd2fc376d7e92d47aa14aeb59e" dependencies = [ - "generic-array", + "crypto-common", + "inout", ] [[package]] 
@@ -796,9 +795,9 @@ dependencies = [ [[package]] name = "ctr" -version = "0.8.0" +version = "0.9.1" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "049bb91fb4aaf0e3c7efa6cd5ef877dbbbd15b39dad06d9948de4ec8a75761ea" +checksum = "0d14f329cfbaf5d0e06b5e87fff7e265d2673c5ea7d2c27691a2c107db1442a0" dependencies = [ "cipher", ] @@ -1600,6 +1599,15 @@ dependencies = [ "libc", ] +[[package]] +name = "inout" +version = "0.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5" +dependencies = [ + "generic-array", +] + [[package]] name = "instant" version = "0.1.12" @@ -3507,6 +3515,7 @@ dependencies = [ "base64", "cargo-husky", "cipher", + "ctr", "curve25519-dalek", "digest 0.10.3", "ed25519-dalek", diff --git a/crates/tor-llcrypto/Cargo.toml b/crates/tor-llcrypto/Cargo.toml index 009f143eb..e5ae6194f 100644 --- a/crates/tor-llcrypto/Cargo.toml +++ b/crates/tor-llcrypto/Cargo.toml @@ -21,10 +21,11 @@ relay = [] hsv3-client = [] [dependencies] -aes = { version = "0.7.0", features = ["ctr"] } +aes = { version = "0.8" } arrayref = "0.3" base64 = "0.13.0" curve25519-dalek = "3.2" +ctr = "0.9" digest = "0.10.0" ed25519-dalek = { version = "1", features = ["batch"] } hex = "0.4" @@ -45,7 +46,7 @@ thiserror = "1" [dev-dependencies] hex-literal = "0.3" rand = "0.8" -cipher = "0.3.0" +cipher = "0.4.1" serde_test = "1.0.124" # This is a magic crate that runs the tests and checks the format diff --git a/crates/tor-llcrypto/src/cipher.rs b/crates/tor-llcrypto/src/cipher.rs index bbd102ed0..663d44ace 100644 --- a/crates/tor-llcrypto/src/cipher.rs +++ b/crates/tor-llcrypto/src/cipher.rs 
@@ -9,5 +9,9 @@ /// the [`cipher`](https://docs.rs/cipher) crate to access them. pub mod aes { // These implement StreamCipher. - pub use ::aes::{Aes128Ctr, Aes256Ctr}; + /// AES128 in counter mode as used by Tor. + pub type Aes128Ctr = ctr::Ctr128BE; + + /// AES256 in counter mode as used by Tor. + pub type Aes256Ctr = ctr::Ctr128BE; } diff --git a/crates/tor-llcrypto/tests/testvec.rs b/crates/tor-llcrypto/tests/testvec.rs index 7583790ab..98fba7723 100644 --- a/crates/tor-llcrypto/tests/testvec.rs +++ b/crates/tor-llcrypto/tests/testvec.rs @@ -1,4 +1,4 @@ -use cipher::{NewCipher, StreamCipher}; +use cipher::{KeyIvInit, StreamCipher}; use digest::{self, Digest, ExtendableOutput}; use hex_literal::hex; use tor_llcrypto as ll; diff --git a/crates/tor-proto/Cargo.toml b/crates/tor-proto/Cargo.toml index d906f0132..6c3ed9922 100644 --- a/crates/tor-proto/Cargo.toml +++ b/crates/tor-proto/Cargo.toml @@ -30,7 +30,7 @@ tor-cell = { path = "../tor-cell", version = "0.2.0" } arrayref = "0.3" bytes = "1" -cipher = "0.3.0" +cipher = "0.4.1" coarsetime = "0.1.20" digest = "0.10.0" educe = "0.4.6" diff --git a/crates/tor-proto/src/crypto/cell.rs b/crates/tor-proto/src/crypto/cell.rs index a52cae1a2..2ee6a2133 100644 --- a/crates/tor-proto/src/crypto/cell.rs +++ b/crates/tor-proto/src/crypto/cell.rs @@ -224,7 +224,7 @@ pub(crate) type Tor1RelayCrypto = /// Incomplete untested implementation of Tor's current cell crypto. pub(crate) mod tor1 { use super::*; - use cipher::{NewCipher, StreamCipher}; + use cipher::{KeyIvInit, StreamCipher}; use digest::Digest; use typenum::Unsigned; @@ -251,7 +251,7 @@ pub(crate) mod tor1 { back: CryptState, } - impl CryptInit for CryptStatePair { + impl CryptInit for CryptStatePair { fn seed_len() -> usize { SC::KeySize::to_usize() * 2 + D::OutputSize::to_usize() * 2 } diff --git a/crates/tor-proto/src/crypto/handshake/hs_ntor.rs b/crates/tor-proto/src/crypto/handshake/hs_ntor.rs index 16fb2c27a..40c348d02 100644 
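Review bot: The new doc comments on `Aes128Ctr` and `Aes256Ctr` in `crates/tor-llcrypto/src/cipher.rs` say "as used by Tor" without naming the counter layout, and since the aliases are now defined here instead of re-exported from `aes`, this file is the only place that pins that choice. `ctr::Ctr128BE` treats the whole 16-byte block as one big-endian counter, whereas the narrower 32- and 64-bit flavours in the `ctr` crate give the same keystream until their counter wraps, so a short test vector would not catch a wrong pick. I would state it in the docs, e.g. `/// AES-128 in counter mode with a 128-bit big-endian counter, as used by Tor.`, and the same for AES-256. The kept `// These implement StreamCipher.` line could also note that construction now goes through `cipher::KeyIvInit`, which is the breaking part for callers. As rendered here both aliases show the same right-hand side with no block-cipher parameter, presumably lost in extraction, so confirm in the real file that the second alias is parameterised on AES-256.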
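Review bot: In `crates/tor-proto/src/crypto/cell.rs`, the switch to `KeyIvInit` means every cipher built through this `CryptInit` impl takes an explicit IV, yet `seed_len()` reserves only `SC::KeySize::to_usize() * 2 + D::OutputSize::to_usize() * 2` bytes, so the IV cannot come from the seed. The constructor lies outside this hunk, so I am inferring that it passes a fixed (presumably all-zero) IV; if so, that deserves a comment saying it is intentional and that keystream uniqueness rests on each derived key being used for a single stream. Suggested wording beside `seed_len`: `// No IV bytes in the seed: the counter starts from a fixed IV, so a derived key must never be reused for a second stream.` The generic bounds on the `impl` line do not survive in this rendering, so the bound is read off the changed `use cipher::{KeyIvInit, StreamCipher};` line.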
--- a/crates/tor-proto/src/crypto/handshake/hs_ntor.rs +++ b/crates/tor-proto/src/crypto/handshake/hs_ntor.rs @@ -32,7 +32,7 @@ use tor_llcrypto::d::Sha3_256; use tor_llcrypto::pk::{curve25519, ed25519}; use tor_llcrypto::util::rand_compat::RngCompatExt; -use cipher::{NewCipher, StreamCipher}; +use cipher::{KeyIvInit, StreamCipher}; use digest::Digest; use generic_array::GenericArray; diff --git a/crates/tor-proto/src/crypto/handshake/ntor_v3.rs b/crates/tor-proto/src/crypto/handshake/ntor_v3.rs index 4ae82dff6..7353b841f 100644 --- a/crates/tor-proto/src/crypto/handshake/ntor_v3.rs +++ b/crates/tor-proto/src/crypto/handshake/ntor_v3.rs @@ -21,7 +21,7 @@ use tor_llcrypto::d::{Sha3_256, Shake256}; use tor_llcrypto::pk::{curve25519, ed25519::Ed25519Identity}; use tor_llcrypto::util::rand_compat::RngCompatExt; -use cipher::{NewCipher, StreamCipher}; +use cipher::{KeyIvInit, StreamCipher}; use generic_array::GenericArray; use rand_core::{CryptoRng, RngCore}; diff --git a/doc/semver_status.md b/doc/semver_status.md index f824ffd5a..fe2a49d32 100644 --- a/doc/semver_status.md +++ b/doc/semver_status.md @@ -57,6 +57,10 @@ BREAKING: AuthorityBuilder::build now throws ConfigBuildError, not a custom erro MODIFIED: New functions to get estimated clock skew. MODIFIED: New functions to report observed clock skew. +### tor-llcrypto + +BREAKING: AES implementations now implement cipher 0.4 traits. + ### tor-proto MODIFIED: New accessors in tor_proto::Channel.