Decouple "aesgcm" and "aes128gcm" schemes, disable record chunking.

[rfk]

This is a significant refactor of the guts of the crypto code, but I think overall it
makes things easier to understand and to audit.

First, I've removed the EceWebPush trait that was previously used to share parts
of the encrypt/decrypt logic between the two schemes. The schemes are not that similar
in practice and on balance, I think the attempt to share code between them was
actually making both schemes harder to understand.

Second, I've cut all the record-chunking code out of "aesgcm". It now supports only
a single record on both encryption and decryption, in line with what the spec says
that a webpush client should support. We were already throwing errors when encountering
multiple records in "aesgcm"; this cleanup takes advantage of that fact to actually
remove the code without breaking the public API.

Finally, I've removed the record-chunking during encryption for "aes128gcm", instead
opting to support larger payloads by increasing the record size. I've also added
several layers of abstraction in the hope of making the code easier to understand -
for example there is a separate Header struct for reading/writing the header,
and a separate PlaintextRecord struct for reading/writing an individual record.

Of course "easier to understand" is subjective, but I think it's an improvement
(and I certainly understand things better as a result of having worked through it!).
Feedback and/or pushback on this is most welcome.

I'd like to try adding record chunking in back here, but as a separate PR building
atop these abstractions.

Connects to #55.

[rfk]

@jrconlin I'd love to get your review on this, although I understand it's a lot. I don't have much useful advice for reviewing except that it's probably easier to view the new files in isolation rather than staring at the diff, because much code has moved around or changed indentation levels.

[jrconlin]

Couple of comments, but looks good!

[jrconlin]

I kinda wonder if it might be nice to include something like dbg!(format!("Message content too long by {:?} bytes.", params.rs - (plaintext.len() + padding + ECE_TAG_LENGTH))); to provide some insight about what went wrong.

[rfk]

In theory we should never hit this branch, because the calling code set rs appropriate; but in practice, future-you or future-me will probably need such a debugging message at some point 😅 - thanks, I'll add one.

[jrconlin]

oh, one other thing...
One thing we've adopted in services-engineering is to do a "squash and merge" at commit rather than a series of force pushes. This lets reviewers focus on just the changes for a given commit rather than dig around looking for what might be new.

[rfk]

One thing we've adopted in services-engineering is to do a "squash and merge" at commit rather than a series of force pushes.
This lets reviewers focus on just the changes for a given commit rather than dig around looking for what might be new.

I will keep this in mind, thanks!

[rfk]

FYI, I've pushed what I have so for for record chunking in #60. AFAICT it works, but I want to add some more tests.

[martinthomson]

did you consider just deleting aesgcm ?

[martinthomson]

How does this look on rustdoc without ``` ?

[rfk]

Ah, good reminder, thanks! (a high chance it'll look like crap without that)

[martinthomson]

Suggested change

	) -> Result<PlaintextRecord<'a>> {
	) -> Result<Self> {

I don't know if you use clippy, but this is what it always tells me to do for these.

[rfk]

Huh, we usually have clippy running in CI to complain about these things, but looks like it's not enabled for this repo.

[martinthomson]

clippy also prefers if let Some(pos) = here and I've learned to prefer it. But it recently started going with this instead:

let last_nonzero_idx = padded_plaintext.iter().rposition(|&b| b != 0u8).ok_or(Error::DecryptPadding)?

(note that this is an index and not a byte)

[martinthomson]

Do you really need to allow the caller to provide a buffer when you need to copy from a new vector anyway?

[rfk]

Not really no, but it worked out better for re-use of the PlaintextRecord struct between encryption and decryption.

[martinthomson]

Is the goal to always touch every byte, so that you don't leak too much timing info? Because this isn't very good timing defense and this copy call could go after you check whether the record is final or not.

[rfk]

I have not considered that as a goal here, and the ordering of this copy is entirely accidental. Should I by trying to do that?

(I'm interpreting your "this isn't very good timing defense" as meaning "you should not bother with trying to touch every byte, it wont provide meaningful defense" but want to check if that's correct. Naively, I would expect the fact that we've already decrypted and checked the AEAD tag to mean that we can safely do an early-return on invalid data here).

[martinthomson]

Yes, touching every byte means nothing when the next consumer down the chain won't maintain that discipline.

You can just reorder here to after the padding delimiter check.

[martinthomson]

This won't be optimal; if there is an hkdf-extract function separate from hkdf-expand, you can save a few iterations of the compression function.

[rfk]

Agreed, but this is at least not any worse than it used to be, so we should follow up on that in a separate PR.

[rfk]

(I filed #61 to follow up)

[rfk]

did you consider just deleting aesgcm ?

Unfortunately we still see a lot of aesgcm traffic in the wild, ref this graph that JR took from a recent server snapshot.

[jrconlin]

Unfortunately, we see a LOT of aesgcm traffic still. I've reached out to various library authors to switch the default to aes128gcm, and most have. Much of the traffic, however, is probably coming from "legacy-built" systems that are fire and forget, and are now forgotten.

I'm not sure how to resolve this without a lot of complexity or user dissatisfaction.