
current_pos wrong value on +aes,+ssse3 #108

Closed
commial opened this issue Apr 7, 2020 · 4 comments

Comments

@commial

commial commented Apr 7, 2020

Hello,

I got an issue with current_pos on Aes256Ctr while compiling with the recommended flags from the README.

To reproduce:

use aes_ctr;
use aes_ctr::stream_cipher::{NewStreamCipher, SyncStreamCipherSeek};

fn main() {
    let key = [0u8; 32];
    let counter_block = [0u8; 16];
    // Prepare the cipher for further operations
    let mut cipher = aes_ctr::Aes256Ctr::new_var(&key, &counter_block).unwrap();
    // Move 16 bytes into the keystream, then ask the cipher where it is
    cipher.seek(16);
    println!("{}", cipher.current_pos());
}

# Cargo.toml
[dependencies]
aes-ctr = "0"

$ cargo version
cargo 1.42.0 (86334295e 2020-01-31)

Here's what I obtain:

$ cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/test_aes`
16
$ cargo run --release
    Finished release [optimized] target(s) in 0.01s
     Running `target/release/test_aes`
16
$ RUSTFLAGS="-C target-feature=+aes,+ssse3" cargo run
    Finished dev [unoptimized + debuginfo] target(s) in 0.01s
     Running `target/debug/test_aes`
0
$ RUSTFLAGS="-C target-feature=+aes,+ssse3" cargo run --release
    Finished release [optimized] target(s) in 0.01s
     Running `target/release/test_aes`
0

Am I doing something wrong?

Instead of .seek, I've also tried with:

    let mut temp = [0u8; 0x1000];
    cipher.encrypt(&mut temp);
    println!("{}", cipher.current_pos());

Leading to the same incoherent result.

Regarding rustc flags:

  • "+aes,+sse2", "+aes" alone and "+ssse3" alone lead to correct results
  • "+aes,+ssse3" leads to the result above
@tarcieri
Member

tarcieri commented Apr 8, 2020

That definitely looks like a bug.

It appears that when those target features are enabled, an AES-CTR implementation located directly in the aesni crate is used, as opposed to using the implementation in the ctr crate.

My guess is the CTR implementation in the aesni crate is buggy.

As a temporary workaround, you can compose AES-CTR using the aes and ctr crates:

type Aes128Ctr = ctr::Ctr128<aes::Aes128>;
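
The two things this thread relies on, composing CTR mode over a block cipher (the workaround above) and checking that seek/current_pos agree with the bytes actually produced (the report above), are illustrated below in an added, self-contained example. This is not code from the aes-ctr, aes or ctr crates: the block function `ToyBlock` is a constructed stand-in with no cryptographic value and is only there so the example runs without dependencies; `Ctr128`, `position_checks`, `seek_matches_linear` and `split_matches_contiguous` are hypothetical names chosen for the example. The interesting part is the position bookkeeping (`pos = block_index * 16 + offset`) and the consistency checks a practitioner would run against any real CTR wrapper before trusting its `current_pos`.

```rust
// Added example: CTR mode over an arbitrary 16-byte block function, with the
// seek/current_pos bookkeeping that the issue shows going wrong under
// +aes,+ssse3. ToyBlock is a constructed placeholder, NOT AES.
const BLOCK: usize = 16;

/// Anything that encrypts one 16-byte block in place (what aes::Aes128 provides).
pub trait BlockEncrypt {
    fn encrypt_block(&self, block: &mut [u8; BLOCK]);
}

/// Hypothetical toy block function: keyed byte mixing plus a rotation.
/// It only exists so the example runs offline; it is not a cipher.
pub struct ToyBlock {
    pub key: [u8; BLOCK],
}

impl BlockEncrypt for ToyBlock {
    fn encrypt_block(&self, block: &mut [u8; BLOCK]) {
        for (b, k) in block.iter_mut().zip(self.key.iter()) {
            *b = (*b ^ k).wrapping_mul(31).wrapping_add(7);
        }
        block.rotate_left(3);
    }
}

/// CTR mode with a 128-bit big-endian counter: keystream block i = E(ctr0 + i).
/// The only state besides the key is the absolute byte position `pos`.
pub struct Ctr128<C: BlockEncrypt> {
    cipher: C,
    counter_block: [u8; BLOCK],
    pos: u64,
}

impl<C: BlockEncrypt> Ctr128<C> {
    pub fn new(cipher: C, counter_block: [u8; BLOCK]) -> Self {
        Ctr128 { cipher, counter_block, pos: 0 }
    }

    fn keystream_block(&self, index: u64) -> [u8; BLOCK] {
        let ctr = u128::from_be_bytes(self.counter_block).wrapping_add(index as u128);
        let mut block = ctr.to_be_bytes();
        self.cipher.encrypt_block(&mut block);
        block
    }

    /// Seeking is just setting the byte position; nothing else needs recomputing.
    pub fn seek(&mut self, pos: u64) {
        self.pos = pos;
    }

    pub fn current_pos(&self) -> u64 {
        self.pos
    }

    /// XOR keystream into `data`, starting mid-block if `pos` is not aligned,
    /// and advance `pos` by exactly the number of bytes processed.
    pub fn apply_keystream(&mut self, data: &mut [u8]) {
        let mut done = 0;
        while done < data.len() {
            let index = self.pos / BLOCK as u64;
            let offset = (self.pos % BLOCK as u64) as usize;
            let ks = self.keystream_block(index);
            let n = (BLOCK - offset).min(data.len() - done);
            for i in 0..n {
                data[done + i] ^= ks[offset + i];
            }
            done += n;
            self.pos += n as u64;
        }
    }
}

fn fresh() -> Ctr128<ToyBlock> {
    // Constructed key and all-zero initial counter block, as in the report.
    Ctr128::new(ToyBlock { key: [0x42; BLOCK] }, [0u8; BLOCK])
}

/// The two measurements from the report: pos after seek(16), and pos after
/// encrypting 0x1000 bytes from the start. A correct wrapper returns (16, 0x1000).
pub fn position_checks() -> (u64, u64) {
    let mut c = fresh();
    c.seek(16);
    let after_seek = c.current_pos();
    let mut c = fresh();
    let mut buf = [0u8; 0x1000];
    c.apply_keystream(&mut buf);
    (after_seek, c.current_pos())
}

/// Seeking to 16 and encrypting must equal the tail of a linear encryption from 0.
pub fn seek_matches_linear() -> bool {
    let mut whole = [0u8; 64];
    fresh().apply_keystream(&mut whole);
    let mut c = fresh();
    c.seek(16);
    let mut tail = [0u8; 48];
    c.apply_keystream(&mut tail);
    tail[..] == whole[16..] && c.current_pos() == 64
}

/// Two 0x1000-byte calls must equal one 0x2000-byte call (the state really
/// advances), and current_pos must report 0x2000, not 0.
pub fn split_matches_contiguous() -> bool {
    let mut whole = [0u8; 0x2000];
    fresh().apply_keystream(&mut whole);
    let mut c = fresh();
    let (mut a, mut b) = ([0u8; 0x1000], [0u8; 0x1000]);
    c.apply_keystream(&mut a);
    c.apply_keystream(&mut b);
    a[..] == whole[..0x1000] && b[..] == whole[0x1000..] && c.current_pos() == 0x2000
}

fn main() {
    let (after_seek, after_encrypt) = position_checks();
    println!("current_pos after seek(16): {}", after_seek);
    println!("current_pos after 0x1000 bytes: {}", after_encrypt);
    println!("seek consistent: {}", seek_matches_linear());
    println!("split consistent: {}", split_matches_contiguous());
}
```

The second and third checks are the ones worth keeping as regression tests for any seekable stream cipher: they catch a wrapper whose ciphertext is right but whose reported position is stale (the symptom in this thread), as well as the opposite failure where seek changes the position but not the keystream.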

@commial
Author

commial commented Apr 9, 2020

Thanks for your acknowledgment and the workaround.
Should I re-post the issue on https://github.com/RustCrypto/block-ciphers?

As a side note, the encryption is still keeping its internal state correctly, i.e.:

fn main() {
    let key = [0u8; 32];
    let counter_block = [0u8; 16];
    // Prepare the cipher for further operations
    let mut cipher = aes_ctr::Aes256Ctr::new_var(&key, &counter_block).unwrap();
    let mut temp = [0u8; 0x1000];
    cipher.encrypt(&mut temp);
    println!("{:?}", &temp[..32]);
    let mut temp2 = [0u8; 0x1000];
    cipher.encrypt(&mut temp2);
    println!("{:?}", &temp2[..32]);
    println!("{}", cipher.current_pos());
}

Returns, with flags:

[220, 149, 192, 120, 162, 64, 137, 137, 173, 72, 162, 20, 146, 132, 32, 135, 83, 15, 138, 251, 199, 69, 54, 185, 169, 99, 180, 241, 196, 203, 115, 139]
[199, 233, 210, 80, 153, 134, 50, 212, 68, 53, 98, 66, 239, 4, 5, 141, 76, 175, 60, 142, 190, 185, 242, 72, 214, 114, 3, 215, 138, 67, 126, 238]
0

@tarcieri
Member

tarcieri commented Apr 9, 2020

Should I re-post the issue on https://github.com/RustCrypto/block-ciphers?

Yes please, thank you!

@commial
Author

commial commented Apr 9, 2020

Closing, as re-posted on RustCrypto/block-ciphers#71

@commial commial closed this as completed Apr 9, 2020