Pre-alpha. Still SPEC draft-03. No wire-format change, no API break. Peers on 0.2.0-alpha.2 and alpha.3 interoperate at the wire level.
What changed
Round-3 reviewer feedback applied. The single material code change is a constant-time hardening of the fingerprint verification path; the rest is documentation tightening.
Security fix — constant-time verify_fingerprint_either_epoch
The 0.2.0-alpha.2 implementation derived the fingerprint against the current session key first, compared, and — only on mismatch — derived against the previous session key. That's one HKDF call on match, two on mismatch, which leaks which key-epoch the sender signed the consent under via verify-path latency.
alpha.3 removes the distinguisher: when prev_session_key is present (i.e. we are in the rekey grace window), the verifier derives fingerprints against BOTH keys unconditionally and combines the constant-time compares with a non-short-circuiting bitwise OR (bool | bool, not ||). The extra HKDF-SHA-256 call is only incurred during the grace window.
SPEC §12.3.1 rekey interaction is updated to mandate this behavior normatively.
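The two verify shapes described above, side by side, as an added example that is not the project's own code. `derive_fp` is a stand-in for the HKDF-SHA-256 derivation (not a real KDF), and `verify_early_exit`, `verify_either_epoch`, `ct_eq` and the call counter are hypothetical names introduced here so the number of derivations per path can be observed.

```rust
use std::cell::Cell;

type Key = [u8; 32];

// Stand-in for the HKDF-SHA-256 fingerprint derivation (assumption: NOT a real
// KDF, illustration only). `calls` counts derivations so they can be observed.
fn derive_fp(key: &Key, consent: &[u8], calls: &Cell<u32>) -> Key {
    calls.set(calls.get() + 1);
    let mut out = *key;
    for (i, b) in consent.iter().enumerate() {
        out[i % 32] = out[i % 32].rotate_left(3) ^ b ^ (i as u8);
    }
    out
}

// Compare without an early exit on the first differing byte.
fn ct_eq(a: &Key, b: &Key) -> bool {
    a.iter().zip(b.iter()).fold(0u8, |d, (x, y)| d | (x ^ y)) == 0
}

// alpha.2 shape: the second derivation runs only after a mismatch.
fn verify_early_exit(cur: &Key, prev: Option<&Key>, msg: &[u8], fp: &Key, n: &Cell<u32>) -> bool {
    if ct_eq(&derive_fp(cur, msg, n), fp) {
        return true;
    }
    prev.map_or(false, |p| ct_eq(&derive_fp(p, msg, n), fp))
}

// alpha.3 shape: in the grace window both derivations always run, and the
// results are combined with `|`, which evaluates both operands.
fn verify_either_epoch(cur: &Key, prev: Option<&Key>, msg: &[u8], fp: &Key, n: &Cell<u32>) -> bool {
    let cur_ok = ct_eq(&derive_fp(cur, msg, n), fp);
    match prev {
        Some(p) => cur_ok | ct_eq(&derive_fp(p, msg, n), fp),
        None => cur_ok,
    }
}

fn main() {
    let (cur, prev, n) = ([0x11u8; 32], [0x22u8; 32], Cell::new(0));
    let msg = b"constructed consent bytes";
    let fp_prev = derive_fp(&prev, msg, &n); // sender signed under the previous epoch
    n.set(0);
    verify_early_exit(&cur, Some(&prev), msg, &fp_prev, &n);
    println!("early-exit derivations: {}", n.get());
    n.set(0);
    verify_either_epoch(&cur, Some(&prev), msg, &fp_prev, &n);
    println!("either-epoch derivations: {}", n.get());
}
```

A regression test for this class of bug can assert on the derivation count per outcome, as the counter here allows, rather than trying to measure latency.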
Documentation tightening
- §12.3.1 design-evolution note. Surfaces the shift from an earlier "bind to initial session key" plan to the shipped "bind to current key, both-key probe on verify" design. Rationale: no wire-level representation of "initial"; preserving an initial key fights zeroize; the grace window bounds the probe cost the same way it bounds AEAD-verify.
- §12.6 LegacyBypass is now bluntly labeled intentional compatibility mode. A LegacyBypass session silently discards valid cryptographically-authenticated consent ceremonies by design; security-sensitive deployments MUST NOT use it.
- Appendix A vectors 07/08 relabeled draft-03 (stale "draft-02" caption — they were regenerated at draft-03 canonical bytes in 0.2.0-alpha.1 already).
- plans/REVIEW_DELTA_DRAFT_03.md updated per reviewer feedback:
  - "No other wire changes" reassurance near the top.
  - 2.2 BE-request_id defense rewritten as "domain-separated deterministic encoding, not a semantic property of big-endian."
  - 2.3 marked RESOLVED (this release) and narrowed to a reviewer-confirmation question.
  - 2.6 narrowed to "are there missing timing-channel sinks?"
Tests
106 tests green. Clippy clean on both feature sets.