Unmaintained dependency github.com/jacobsa/crypto #147

Open
piggynl opened this issue May 16, 2022 · 6 comments · May be fixed by #178

piggynl commented May 16, 2022

Hi developers,

Dependency github.com/jacobsa/crypto is no longer maintained. The latest commit was 3 years ago, and the author isn't responding to new issues and PRs. It fails to build in a riscv64 environment now. Do you have any plan to replace this dependency with a well-maintained alternative? Also, I can maintain a fork of it to make it build on riscv64 and accept new changes, so that Charm can use it.

bashbunni added the "question" (Further information is requested) label May 24, 2022
aymanbagabas (Member) commented May 24, 2022

Hi @piggynl

Why does it fail to build for riscv64? Do you know any well-maintained alternatives?

EDIT: I think this is a good alternative subtle

piggynl (Author) commented May 25, 2022

> Why does it fail to build for riscv64?

Because it is missing an implementation of the function xorBlock for RISC-V, as jacobsa/crypto#13 mentioned. (Although the code is not used by charm EDIT: it is actually used) jacobsa/crypto#14 adds the implementation.

> I think this is a good alternative subtle

I'll take a closer look. 😸

piggynl (Author) commented May 27, 2022

Hi @aymanbagabas,

Currently, charm uses a 32-byte key (cr.keys[0].Key[:32]) and no additional associated data (AD, the last argument nil)...

ct, err := siv.Encrypt(nil, []byte(cr.keys[0].Key[:32]), []byte(field), nil)

...while github.com/google/tink/go/daead/subtle you mentioned only supports 64-byte keys ...

https://github.com/google/tink/blob/9f30c97cb84b10bbba6978bc9c12c86478024050/go/daead/subtle/aes_siv.go#L63-L64

...and only implements deterministic authenticated encryption with SIV (the number of components in the AD vector is 1).

https://github.com/google/tink/blob/9f30c97cb84b10bbba6978bc9c12c86478024050/go/daead/subtle/aes_siv.go#L114

https://github.com/google/tink/blob/9f30c97cb84b10bbba6978bc9c12c86478024050/go/daead/subtle/aes_siv.go#L131

It appears Google thinks a 32-byte key cannot provide enough security...

> ...A consequence of this attack is that 128-bit MAC keys give unsufficient security.

https://pkg.go.dev/github.com/google/tink/go/daead/subtle#AESSIV

...so they probably won't consider adding support to meet our use. As a result, this package is not what we're looking for.

What we're looking for is a package that implements AEAD_AES_SIV_CMAC_256 from RFC 5297. There are a few in this GitHub search result, but most of them haven't been updated in years. The last update on github.com/ChandraNarreddy/siv was 5 months ago, but I have no idea how reliable it is either. Do you have any idea?

piggynl (Author) commented Jun 2, 2022

I'll use

go mod edit -replace github.com/jacobsa/crypto=github.com/piggynl/jacobsa-crypto@xorblock-generic

(replace github.com/jacobsa/crypto with jacobsa/crypto#14) to make charm build on linux/riscv64 on my side 😸

paralin commented Jun 25, 2022

Ran into this earlier trying to get gocryptfs to build on risc, thanks for looking into it and saving me the hassle @piggynl

paralin commented Jun 25, 2022

@piggynl I'm wondering if it might be good to fork this & maintain it as a different import path if the author doesn't merge.
