Add a chunked encryption recipe implementing c2sp.org/chunked-encryption#15144
Open
alex wants to merge 5 commits into
Open
Add a chunked encryption recipe implementing c2sp.org/chunked-encryption#15144alex wants to merge 5 commits into
alex wants to merge 5 commits into
Conversation
reaperhulk
pushed a commit
that referenced
this pull request
Jul 3, 2026
These are the test vectors from the chunked reference implementation (https://github.com/FiloSottile/chunked), for use by the chunked encryption recipe being added in #15144. Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8 Co-authored-by: Claude <noreply@anthropic.com>
This adds cryptography.chunked_encryption, a top-level recipe (like Fernet) for streaming authenticated encryption of large messages, implementing the C2SP chunked-encryption specification (https://c2sp.org/chunked-encryption) instantiated with SHA-256 and AES-128-GCM. The core is implemented in Rust: for each message a fresh key, base nonce, and key commitment are derived with HKDF-Expand-SHA-256 from the input key, a random 24-byte salt, and a caller-provided context; the message is encrypted in 16 KiB chunks with AES-128-GCM, with the chunk counter XOR'd into the base nonce. Full chunks are encrypted/decrypted directly from the caller's input, so only sub-chunk remainders are buffered internally, and update_into variants allow callers to supply output buffers. The internals are parameterized over the AEAD so that additional AEADs could be supported later, but the public API is AES-128-GCM only. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
- Use the existing AesGcm AEAD implementation for chunk encryption/decryption instead of using OpenSSL's EVP interface directly (AESGCM.decrypt_into is now pub(crate) for this). - Use the existing HkdfExpand implementation for key derivation. - Fold the error state into the finalized state: a context that hit an error raises AlreadyFinalized on further use. - Replace the let-else in Decrypter::update_impl with a match that yields the cipher and buffer fields. - Replace the in-test reference implementation with the test vectors from the chunked reference implementation (https://github.com/FiloSottile/chunked), vendored into cryptography_vectors. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
- Extract the chunk counter/nonce logic into a ChunkNonces struct with Rust unit tests covering the 2**38-chunk limit, which can't be reached from Python tests. - Track the Decrypter state as Option<DecrypterState> and process both active states in a single exhaustive match, removing the unreachable!() arms; finalize() now consumes the state on all paths. - Drop the Encrypter's error poisoning: the only errors it guarded against are the capacity check (which fails before any state is modified) and internal OpenSSL errors. - Test that a Decrypter is unusable after update_into() raises InvalidTag. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
d94f3cf to
896f9cc
Compare
alex
commented
Jul 3, 2026
…ariant Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Resolves #2358
This adds
cryptography.chunked_encryption, a top-level recipe (à la Fernet) for streaming authenticated encryption of large messages, implementing the C2SP chunked-encryption specification instantiated with SHA-256 and AES-128-GCM:Design notes:
AesGcmAEAD andHkdfExpandimplementations. For each message a fresh AEAD key, base nonce, and 32-byte key commitment are derived with HKDF-Expand-SHA-256 from the input key, a random 24-byte salt, and a caller-provided context; the message is encrypted in 16 KiB chunks with AES-128-GCM, with the chunk counter XOR'd into the base nonce. The ciphertext issalt || commitment || chunks.update_into()variants let callers supply their own output buffers.finalize().cryptography.exceptions.InvalidTag; any further use of a finalized or failed context raisesAlreadyFinalized.Tests cover the test vectors from the chunked reference implementation (vendored into
cryptography_vectors), plus round-trip, streaming-granularity, tampering, reordering, truncation, extension, and API misuse cases.🤖 Generated with Claude Code
https://claude.ai/code/session_01Uyk58oD6F8BJwKHE4qCMA8