Switch to shared memory instead of HSM allocations #156
Conversation
Allocate shared memory on the client side and pass addresses of output parameters to HSM.
| (key, nonce, aad, plaintext) | ||
| let tag = pool | ||
| .alloc(crate::crypto::chacha20poly1305::TAG_SIZE) | ||
| .unwrap(); |
| ciphertext.as_mut_slice(), | ||
| ) { | ||
| Ok(computed_tag) => { | ||
| if computed_tag.len() != tag.as_slice().len() { |
There was a problem hiding this comment.
This should never happen in practice, right?
| @@ -210,3 +221,38 @@ fn encrypt_chachapoly_external_key() { | |||
| }; | |||
| assert_eq!(plaintext.as_slice(), org_plaintext.as_slice()) | |||
| } | |||
|
|
|||
| #[test] | |||
| fn encrypt_chachapoly_invalid_tag_size() { | |||
There was a problem hiding this comment.
Good to see this is tested now too.
| Self::new(data.as_ptr(), data.len()) | ||
| } | ||
|
|
||
| pub fn as_slice(&self) -> &[u8] { |
There was a problem hiding this comment.
If we find ourselves getting tired of calling as_slice explicitly we can think about implementing the Deref trait for ExternalMemory.
There was a problem hiding this comment.
I am still unconvinced about why,
a) Heimlig needs to know about "External" memory, or any other type of memory.
b) Why do we want to use raw pointer + size instead of a slice.
From the point of view of Heimlig, it gets a request with a slice of data associated with that request, no special meaning about where this data is. For In, InOut or Out parameters, we can use the semantics of &[T], and &mut [T]. The lifetimes will "transit" our program from request to response, where we finally drop the slices.
The guarantee of no aliasing of the memory pointed to by the slice is upheld not by Heimlig but by the Host anyway, and in Rust we rely on the borrow checker once we have the slices.
Not using slices for the sake of not having lifetimes seems to me like a misstep, after all, it is the idiomatic way of doing things in Rust! Not using slices because this is somehow special memory, also does not sound to me quite compelling, after all, this current implementation is not doing anything special with the memory anyway.
Allocate shared memory on the client side and pass addresses of output parameters to HSM.