Off by one error allows invalid nonce usage

[kjvalencik]

Per the spec, the maximum usable nonce value is 2^64 - 2 and not 2^64 - 1.

The maximum n value (2^64 - 1) is reserved for other use. If incrementing n results in 2^64 - 1, then any further EncryptWithAd() or DecryptWithAd() calls will signal an error to the caller.

http://www.noiseprotocol.org/noise.html#the-cipherstate-object

These two usages should be slightly re-written:

+        if self.n == u64::MAX { return Err(StateProblem::Exhausted); }
         let len = self.cipher.encrypt(self.n, authtext, plaintext, out);
+        self.n += 1;
-        self.n = self.n.checked_add(1).ok_or(StateProblem::Exhausted)?;

snow/src/cipherstate.rs

Line 39 in 077bb35

self.n = self.n.checked_add(1).ok_or(StateProblem::Exhausted)?;

snow/src/cipherstate.rs

Line 59 in 077bb35

self.n = self.n.checked_add(1).ok_or(StateProblem::Exhausted)?;

[mcginty]

Oh great catch. Thank you, I'll fix this and push a patch release.

[complexspaces]

I had these changes worked out locally and I've now put them into a PR since I've finished the unit accompanying unit test that I wanted to add.