Use a 64-bits counter for ChaCha

We already store the data in the matrix as 64 bits integers, so there's
no point in restricting the block counter to 32 bits values. Allowing
the full 64 bits makes the likelihood of running into an overflow
practically impossible.

Changelog: changed

Author: yorickpeterse

std/src/std/crypto/chacha.inko

@@ -8,6 +8,7 @@
 import std.crypto.cipher (Cipher)
 import std.crypto.math (rotate_left_u32, to_u32)
 import std.endian.little
+import std.int (MAX as INT_MAX)
 
 # The ChaCha key size in bytes.
 let KEY_SIZE = 256 / 8
@@ -24,9 +25,6 @@ let XCHACHA_NONCE_SIZE = 192 / 8
 # The size in bytes of a ChaCha block.
 let BLOCK_SIZE = 64
 
-# The maximum value of the block counter.
-let MAX_COUNTER = 2 ** 32 - 1
-
 # The number of values in a matrix.
 let MATRIX_SIZE = 16
 
@@ -45,11 +43,7 @@ fn nonce_size_error(expected: Int, size: Int) -> Never {
 }
 
 fn counter_size_error(value: Int) -> Never {
-  panic('the block counter (${value}) must be between 0 and ${MAX_COUNTER}')
-}
-
-fn counter_overflow_error(value: Int) -> Never {
-  panic('the block counter (${value}) overflowed after ${MAX_COUNTER} blocks')
+  panic('the block counter (${value}) must be between 0 and ${INT_MAX}')
 }
 
 # Derives a sub-key from a secret key and nonce, using the HChaCha20 algorithm.
@@ -334,11 +328,7 @@ type pub inline ChaCha {
   # This method panics if the value doesn't fit in the range valid for an
   # unsigned 32-bits integer.
   fn pub mut counter=(value: Int) {
-    if value < 0 or value > MAX_COUNTER {
-      counter_size_error(value)
-    } else {
-      @matrix.set(12, value)
-    }
+    if value < 0 { counter_size_error(value) } else { @matrix.set(12, value) }
   }
 
   fn mut apply(bytes: mut ByteArray) {
@@ -362,15 +352,6 @@ type pub inline ChaCha {
       # unsigned integer.
       let new_size = @matrix.get(12) + 1
 
-      # The original implementation makes no attempt at protecting the user from
-      # overflowing the counter, as it's unlikely to happen in the first place.
-      # Since we use a 32-bits counter it's still highly unlikely, but more
-      # likely compared to using a 64-bits counter. Because it's so unlikely for
-      # this to happen in practise we simply panic, instead of complicating the
-      # API by forcing the user to handle errors that won't occur in 99.99999%
-      # of all use cases.
-      if new_size > MAX_COUNTER { counter_overflow_error(new_size) }
-
       @matrix.set(12, new_size)
 
       if len <= BLOCK_SIZE {

std/test/std/crypto/test_chacha.inko

@@ -1,4 +1,5 @@
 import std.crypto.chacha (ChaCha, XChaCha, hchacha20)
+import std.int (MAX as INT_MAX)
 import std.test (Tests)
 
 fn chacha_test_data -> Array[
@@ -361,6 +362,20 @@ fn pub tests(t: mut Tests) {
     t.equal(secret.into_string, 'hello')
   })
 
+  t.test('ChaCha.encrypt with a very large block counter', fn (t) {
+    let key = ByteArray.filled(with: 1, times: 32)
+    let nonce = ByteArray.filled(with: 1, times: 12)
+    let cipher = ChaCha.new(key, nonce)
+    let secret = 'hello'.to_byte_array
+
+    cipher.counter = INT_MAX - 10
+    cipher.encrypt(secret)
+    cipher.counter = INT_MAX - 10
+    cipher.decrypt(secret)
+
+    t.equal(secret.to_string, 'hello')
+  })
+
   t.test('chacha.hchacha20', fn (t) {
     let key = ByteArray.from_array(
       [