#69 PR? AES256-GCM implementation

Opened by Eugeny on Feb 7, 2022, 7:50 PM
// Eugeny on Feb 7, 2022, 7:50 PM

Hi, I know you said you’d like to concentrate on supporting modern ciphers only, but are you open to accepting an AES256-GCM implementation into the repo?

I have one ready to go (via thrussh-libsodium).

If you’re up to it - GCM needs an internal counter, and it can’t use the sequence number directly since the first two packets are not encrypted. Is making SealingKey and OpeningKey trait methods take a mutable self an acceptable solution, or is it ok to just hardcode the GCM counter as sequence_number - 3 like I did?
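The invocation-counter handling this question turns on, as an added illustration that is not thrussh code or code from the linked branch: RFC 5647 builds the 12-byte GCM nonce as a 4-byte fixed field followed by an 8-byte big-endian counter that starts from the KEX-derived IV and increments after every packet, independently of the SSH sequence number. `GcmNonce`, `nonce_from_sequence` and the `unencrypted` offset are this example's own names and assumptions; the IV in the test is constructed.

```rust
/// Added example (not thrussh code). RFC 5647 nonce for aes256-gcm@openssh.com:
/// the 12-byte IV from the key exchange is a 4-byte fixed field plus an 8-byte
/// big-endian invocation counter, incremented after every packet.
pub struct GcmNonce {
    fixed: [u8; 4],
    invocation_counter: u64,
}

impl GcmNonce {
    /// Start from the 12-byte IV the key exchange derived (caller supplies it).
    pub fn from_iv(iv: [u8; 12]) -> Self {
        let mut fixed = [0u8; 4];
        fixed.copy_from_slice(&iv[..4]);
        let mut ctr = [0u8; 8];
        ctr.copy_from_slice(&iv[4..]);
        GcmNonce { fixed, invocation_counter: u64::from_be_bytes(ctr) }
    }

    /// Nonce the next packet will use, without advancing.
    pub fn current(&self) -> [u8; 12] {
        let mut nonce = [0u8; 12];
        nonce[..4].copy_from_slice(&self.fixed);
        nonce[4..].copy_from_slice(&self.invocation_counter.to_be_bytes());
        nonce
    }

    /// Hand out the nonce for one packet and advance; this is the `&mut self`
    /// the trait-signature question is about. Refusing to wrap is this
    /// example's conservative choice: a repeated GCM nonce under one key is
    /// catastrophic, so an exhausted counter must force a rekey, never reuse.
    pub fn next(&mut self) -> Result<[u8; 12], &'static str> {
        let advanced = self
            .invocation_counter
            .checked_add(1)
            .ok_or("invocation counter exhausted; rekey before sending more")?;
        let nonce = self.current();
        self.invocation_counter = advanced;
        Ok(nonce)
    }
}

/// The stateless alternative from the post: derive the counter from the packet
/// sequence number, assuming the first `unencrypted` packets went in the clear
/// (the post uses 3). Returns None for packets before encryption started.
pub fn nonce_from_sequence(iv: [u8; 12], seq: u32, unencrypted: u32) -> Option<[u8; 12]> {
    let offset = seq.checked_sub(unencrypted)? as u64;
    let mut n = GcmNonce::from_iv(iv);
    n.invocation_counter = n.invocation_counter.checked_add(offset)?;
    Some(n.current())
}
```

The two models agree only while the "first N packets unencrypted" assumption holds for the current keys; the stateful counter needs no such assumption.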

// pmeunier on Feb 7, 2022, 7:54 PM

Yes, it would be cool, especially if it’s feature-gated. I’m not sure what you’re talking about in the second one, this sounds sensitive enough to not be able to give an opinion without seeing the code first. I don’t remember what SealingKey and OpeningKey are, tbh.

// Eugeny on Feb 7, 2022, 10:30 PM

I’m ashamed to say I couldn’t get pijul to work on my macOS, so here’s a diff: https://github.com/Eugeny/thrussh/compare/aes256gcm?expand=1

Here are the main points:

Let me know if you see anything that needs changing!