2023-02-16 18:11:45 +00:00
|
|
|
//! Symmetric cypher stuff
|
|
|
|
|
|
2023-02-21 21:06:17 +00:00
|
|
|
use super::Error;
|
2023-06-01 10:56:52 +00:00
|
|
|
use crate::{
|
|
|
|
|
config::Config,
|
|
|
|
|
enc::{Random, Secret},
|
|
|
|
|
};
|
2023-02-17 13:59:02 +00:00
|
|
|
|
|
|
|
|
/// List of possible Ciphers
|
2023-06-06 20:37:34 +00:00
|
|
|
#[derive(
|
|
|
|
|
Debug,
|
|
|
|
|
Copy,
|
|
|
|
|
Clone,
|
|
|
|
|
PartialEq,
|
|
|
|
|
::num_derive::FromPrimitive,
|
|
|
|
|
::strum_macros::EnumString,
|
|
|
|
|
::strum_macros::IntoStaticStr,
|
|
|
|
|
)]
|
2023-02-17 13:59:02 +00:00
|
|
|
#[repr(u8)]
|
2023-06-19 17:26:21 +00:00
|
|
|
pub enum Kind {
|
2023-02-17 22:09:49 +00:00
|
|
|
/// XChaCha20_Poly1305
|
2023-06-06 20:37:34 +00:00
|
|
|
#[strum(serialize = "xchacha20poly1305")]
|
2023-02-17 22:09:49 +00:00
|
|
|
XChaCha20Poly1305 = 0,
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
|
2023-06-19 17:26:21 +00:00
|
|
|
impl Kind {
|
2023-02-25 14:36:14 +00:00
|
|
|
/// length of the serialized id for the cipher kind field
|
2023-06-17 09:33:47 +00:00
|
|
|
pub const fn len() -> usize {
|
2023-02-25 14:36:14 +00:00
|
|
|
1
|
|
|
|
|
}
|
2023-02-17 13:59:02 +00:00
|
|
|
/// required length of the nonce
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn nonce_len(&self) -> NonceLen {
|
|
|
|
|
Nonce::len()
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
/// required length of the key
|
|
|
|
|
pub fn key_len(&self) -> usize {
|
2023-02-22 20:10:00 +00:00
|
|
|
use ::chacha20poly1305::{KeySizeUser, XChaCha20Poly1305};
|
|
|
|
|
XChaCha20Poly1305::key_size()
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
/// Length of the authentication tag
|
2023-05-17 08:26:39 +00:00
|
|
|
pub fn tag_len(&self) -> TagLen {
|
2023-02-17 22:09:49 +00:00
|
|
|
// TODO: how the hell do I take this from ::chacha20poly1305?
|
2023-05-17 08:26:39 +00:00
|
|
|
TagLen(::ring::aead::CHACHA20_POLY1305.tag_len())
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-17 22:09:49 +00:00
|
|
|
/// Additional Authenticated Data
|
2023-02-17 13:59:02 +00:00
|
|
|
#[derive(Debug)]
|
2023-06-05 07:18:32 +00:00
|
|
|
pub struct AAD<'a>(pub &'a [u8]);
|
2023-02-17 22:09:49 +00:00
|
|
|
|
2023-05-17 08:26:39 +00:00
|
|
|
/// strong typedef for header length
|
|
|
|
|
/// aka: nonce length in the encrypted data)
|
|
|
|
|
#[derive(Debug, Copy, Clone)]
|
2023-06-19 17:26:21 +00:00
|
|
|
pub struct NonceLen(pub usize);
|
2023-05-17 08:26:39 +00:00
|
|
|
/// strong typedef for the Tag length
|
|
|
|
|
/// aka: cryptographic authentication tag length at the end
|
|
|
|
|
/// of the encrypted data
|
|
|
|
|
#[derive(Debug, Copy, Clone)]
|
|
|
|
|
pub struct TagLen(pub usize);
|
|
|
|
|
|
2023-02-17 22:09:49 +00:00
|
|
|
/// actual ciphers
|
|
|
|
|
enum Cipher {
|
|
|
|
|
/// Cipher XChaha20_Poly1305
|
|
|
|
|
XChaCha20Poly1305(XChaCha20Poly1305),
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Cipher {
|
|
|
|
|
/// Build a new Cipher
|
2023-06-19 17:26:21 +00:00
|
|
|
fn new(kind: Kind, secret: Secret) -> Self {
|
2023-02-17 13:59:02 +00:00
|
|
|
match kind {
|
2023-06-19 17:26:21 +00:00
|
|
|
Kind::XChaCha20Poly1305 => {
|
2023-02-17 22:09:49 +00:00
|
|
|
Self::XChaCha20Poly1305(XChaCha20Poly1305::new(secret))
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn kind(&self) -> Kind {
|
2023-05-26 13:02:21 +00:00
|
|
|
match self {
|
2023-06-19 17:26:21 +00:00
|
|
|
Cipher::XChaCha20Poly1305(_) => Kind::XChaCha20Poly1305,
|
2023-05-26 13:02:21 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-06-19 17:26:21 +00:00
|
|
|
fn nonce_len(&self) -> NonceLen {
|
2023-02-17 22:09:49 +00:00
|
|
|
match self {
|
2023-06-19 17:26:21 +00:00
|
|
|
Cipher::XChaCha20Poly1305(_) => Nonce::len(),
|
2023-02-17 22:09:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-05-17 08:26:39 +00:00
|
|
|
fn tag_len(&self) -> TagLen {
|
2023-02-17 22:09:49 +00:00
|
|
|
match self {
|
|
|
|
|
Cipher::XChaCha20Poly1305(_) => {
|
|
|
|
|
// TODO: how the hell do I take this from ::chacha20poly1305?
|
2023-05-17 08:26:39 +00:00
|
|
|
TagLen(::ring::aead::CHACHA20_POLY1305.tag_len())
|
2023-02-17 22:09:49 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-05-17 08:26:39 +00:00
|
|
|
fn decrypt<'a>(
|
|
|
|
|
&self,
|
|
|
|
|
aad: AAD,
|
|
|
|
|
raw_data: &'a mut [u8],
|
|
|
|
|
) -> Result<&'a [u8], Error> {
|
2023-02-17 22:09:49 +00:00
|
|
|
match self {
|
|
|
|
|
Cipher::XChaCha20Poly1305(cipher) => {
|
|
|
|
|
use ::chacha20poly1305::{
|
|
|
|
|
aead::generic_array::GenericArray, AeadInPlace,
|
|
|
|
|
};
|
2023-05-17 08:26:39 +00:00
|
|
|
let final_len: usize = {
|
2023-06-17 09:33:47 +00:00
|
|
|
if raw_data.len() <= self.overhead() {
|
|
|
|
|
return Err(Error::NotEnoughData(raw_data.len()));
|
|
|
|
|
}
|
|
|
|
|
let (nonce_bytes, data_and_tag) =
|
2023-06-19 17:26:21 +00:00
|
|
|
raw_data.split_at_mut(Nonce::len().0);
|
2023-02-21 21:06:17 +00:00
|
|
|
let (data_notag, tag_bytes) = data_and_tag.split_at_mut(
|
2023-06-17 09:33:47 +00:00
|
|
|
data_and_tag.len()
|
2023-02-21 21:06:17 +00:00
|
|
|
- ::ring::aead::CHACHA20_POLY1305.tag_len(),
|
|
|
|
|
);
|
|
|
|
|
let nonce = GenericArray::from_slice(nonce_bytes);
|
|
|
|
|
let tag = GenericArray::from_slice(tag_bytes);
|
|
|
|
|
let maybe = cipher.cipher.decrypt_in_place_detached(
|
|
|
|
|
nonce.into(),
|
|
|
|
|
aad.0,
|
|
|
|
|
data_notag,
|
|
|
|
|
tag,
|
|
|
|
|
);
|
|
|
|
|
if maybe.is_err() {
|
|
|
|
|
return Err(Error::Decrypt);
|
|
|
|
|
}
|
2023-05-17 08:26:39 +00:00
|
|
|
data_notag.len()
|
|
|
|
|
};
|
|
|
|
|
//data.drain(..Nonce::len());
|
|
|
|
|
//data.truncate(final_len);
|
2023-06-19 17:26:21 +00:00
|
|
|
Ok(&raw_data[Nonce::len().0..Nonce::len().0 + final_len])
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-23 20:57:21 +00:00
|
|
|
fn overhead(&self) -> usize {
|
|
|
|
|
match self {
|
2023-05-27 08:57:15 +00:00
|
|
|
Cipher::XChaCha20Poly1305(_) => {
|
2023-06-19 17:26:21 +00:00
|
|
|
let cipher = Kind::XChaCha20Poly1305;
|
2023-05-17 08:26:39 +00:00
|
|
|
cipher.nonce_len().0 + cipher.tag_len().0
|
2023-02-23 20:57:21 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-22 20:10:00 +00:00
|
|
|
fn encrypt(
|
2023-06-19 17:26:21 +00:00
|
|
|
&mut self,
|
2023-02-23 20:57:21 +00:00
|
|
|
nonce: &Nonce,
|
2023-02-22 20:10:00 +00:00
|
|
|
aad: AAD,
|
2023-05-17 08:26:39 +00:00
|
|
|
data: &mut [u8],
|
2023-02-22 20:10:00 +00:00
|
|
|
) -> Result<(), Error> {
|
2023-05-26 13:02:21 +00:00
|
|
|
// FIXME: check minimum buffer size
|
2023-02-22 20:10:00 +00:00
|
|
|
match self {
|
|
|
|
|
Cipher::XChaCha20Poly1305(cipher) => {
|
2023-05-27 08:57:15 +00:00
|
|
|
use ::chacha20poly1305::AeadInPlace;
|
2023-05-17 08:26:39 +00:00
|
|
|
let tag_len: usize = ::ring::aead::CHACHA20_POLY1305.tag_len();
|
|
|
|
|
let data_len_notag = data.len() - tag_len;
|
2023-02-23 20:57:21 +00:00
|
|
|
// write nonce
|
2023-06-19 17:26:21 +00:00
|
|
|
data[..Nonce::len().0].copy_from_slice(nonce.as_bytes());
|
2023-02-22 20:10:00 +00:00
|
|
|
|
|
|
|
|
// encrypt data
|
2023-02-23 20:57:21 +00:00
|
|
|
match cipher.cipher.encrypt_in_place_detached(
|
|
|
|
|
nonce.as_bytes().into(),
|
|
|
|
|
aad.0,
|
2023-06-19 17:26:21 +00:00
|
|
|
&mut data[Nonce::len().0..data_len_notag],
|
2023-02-23 20:57:21 +00:00
|
|
|
) {
|
|
|
|
|
Ok(tag) => {
|
2023-06-17 09:33:47 +00:00
|
|
|
data[data_len_notag..].copy_from_slice(tag.as_slice());
|
2023-02-23 20:57:21 +00:00
|
|
|
Ok(())
|
|
|
|
|
}
|
|
|
|
|
Err(_) => Err(Error::Encrypt),
|
2023-05-27 08:57:15 +00:00
|
|
|
}
|
2023-02-22 20:10:00 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
|
2023-02-17 22:09:49 +00:00
|
|
|
/// Receive only cipher
|
|
|
|
|
pub struct CipherRecv(Cipher);
|
2023-02-26 09:44:21 +00:00
|
|
|
impl ::core::fmt::Debug for CipherRecv {
|
|
|
|
|
fn fmt(
|
|
|
|
|
&self,
|
|
|
|
|
f: &mut core::fmt::Formatter<'_>,
|
|
|
|
|
) -> Result<(), ::std::fmt::Error> {
|
|
|
|
|
::core::fmt::Debug::fmt("[hidden cipher recv]", f)
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-17 22:09:49 +00:00
|
|
|
|
|
|
|
|
impl CipherRecv {
|
|
|
|
|
/// Build a new Cipher
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn new(kind: Kind, secret: Secret) -> Self {
|
2023-02-17 22:09:49 +00:00
|
|
|
Self(Cipher::new(kind, secret))
|
|
|
|
|
}
|
|
|
|
|
/// Get the length of the nonce for this cipher
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn nonce_len(&self) -> NonceLen {
|
2023-02-17 22:09:49 +00:00
|
|
|
self.0.nonce_len()
|
|
|
|
|
}
|
2023-06-17 09:33:47 +00:00
|
|
|
/// Get the length of the nonce for this cipher
|
|
|
|
|
pub fn tag_len(&self) -> TagLen {
|
|
|
|
|
self.0.tag_len()
|
|
|
|
|
}
|
2023-02-17 22:30:19 +00:00
|
|
|
/// Decrypt a paket. Nonce and Tag are taken from the packet,
|
|
|
|
|
/// while you need to provide AAD (Additional Authenticated Data)
|
2023-02-21 21:06:17 +00:00
|
|
|
pub fn decrypt<'a>(
|
|
|
|
|
&self,
|
|
|
|
|
aad: AAD,
|
2023-05-17 08:26:39 +00:00
|
|
|
data: &'a mut [u8],
|
|
|
|
|
) -> Result<&'a [u8], Error> {
|
2023-02-17 22:30:19 +00:00
|
|
|
self.0.decrypt(aad, data)
|
|
|
|
|
}
|
2023-05-26 13:02:21 +00:00
|
|
|
/// return the underlying cipher id
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn kind(&self) -> Kind {
|
2023-05-26 13:02:21 +00:00
|
|
|
self.0.kind()
|
|
|
|
|
}
|
2023-02-17 22:09:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// Send only cipher
|
|
|
|
|
pub struct CipherSend {
|
2023-06-19 17:26:21 +00:00
|
|
|
nonce: Nonce,
|
2023-02-17 22:09:49 +00:00
|
|
|
cipher: Cipher,
|
|
|
|
|
}
|
2023-02-26 09:44:21 +00:00
|
|
|
impl ::core::fmt::Debug for CipherSend {
|
|
|
|
|
fn fmt(
|
|
|
|
|
&self,
|
|
|
|
|
f: &mut core::fmt::Formatter<'_>,
|
|
|
|
|
) -> Result<(), ::std::fmt::Error> {
|
|
|
|
|
::core::fmt::Debug::fmt("[hidden cipher send]", f)
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-17 22:09:49 +00:00
|
|
|
|
|
|
|
|
impl CipherSend {
|
|
|
|
|
/// Build a new Cipher
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn new(kind: Kind, secret: Secret, rand: &Random) -> Self {
|
2023-02-17 13:59:02 +00:00
|
|
|
Self {
|
2023-06-19 17:26:21 +00:00
|
|
|
nonce: Nonce::new(rand),
|
2023-02-17 22:09:49 +00:00
|
|
|
cipher: Cipher::new(kind, secret),
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-02-23 20:57:21 +00:00
|
|
|
/// Encrypt the given data
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn encrypt(&mut self, aad: AAD, data: &mut [u8]) -> Result<(), Error> {
|
2023-02-26 09:44:21 +00:00
|
|
|
let old_nonce = self.nonce.advance();
|
|
|
|
|
self.cipher.encrypt(&old_nonce, aad, data)?;
|
2023-02-23 20:57:21 +00:00
|
|
|
Ok(())
|
2023-02-17 22:09:49 +00:00
|
|
|
}
|
2023-05-26 13:02:21 +00:00
|
|
|
/// return the underlying cipher id
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn kind(&self) -> Kind {
|
2023-05-26 13:02:21 +00:00
|
|
|
self.cipher.kind()
|
|
|
|
|
}
|
2023-02-17 22:09:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/// XChaCha20Poly1305 cipher
|
|
|
|
|
struct XChaCha20Poly1305 {
|
|
|
|
|
cipher: ::chacha20poly1305::XChaCha20Poly1305,
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl XChaCha20Poly1305 {
|
|
|
|
|
/// Initialize a new ChaChaPoly20 cipher with a random nonce
|
|
|
|
|
fn new(key: Secret) -> Self {
|
|
|
|
|
use ::chacha20poly1305::{KeyInit, XChaCha20Poly1305};
|
|
|
|
|
Self {
|
|
|
|
|
cipher: XChaCha20Poly1305::new(key.as_ref().into()),
|
|
|
|
|
}
|
2023-02-17 13:59:02 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-02-17 22:09:49 +00:00
|
|
|
//
|
2023-06-01 09:41:10 +00:00
|
|
|
// TODO: Merge crate::{enc::sym::Nonce, connection::handshake::dirsync::Nonce}
|
2023-02-17 22:09:49 +00:00
|
|
|
//
|
|
|
|
|
|
2023-02-16 18:11:45 +00:00
|
|
|
#[derive(Debug, Copy, Clone)]
|
|
|
|
|
#[repr(C)]
|
|
|
|
|
#[allow(missing_debug_implementations)]
|
|
|
|
|
struct NonceNum {
|
|
|
|
|
high: u32,
|
|
|
|
|
low: u64,
|
|
|
|
|
}
|
|
|
|
|
/// Nonce with sequence for chach20_apoly1305
|
2023-02-17 22:09:49 +00:00
|
|
|
#[derive(Copy, Clone)]
|
2023-02-16 18:11:45 +00:00
|
|
|
#[repr(C)]
|
|
|
|
|
pub union Nonce {
|
|
|
|
|
num: NonceNum,
|
2023-06-19 17:26:21 +00:00
|
|
|
raw: [u8; Self::len().0],
|
2023-02-16 18:11:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl ::core::fmt::Debug for Nonce {
|
|
|
|
|
fn fmt(
|
|
|
|
|
&self,
|
|
|
|
|
f: &mut core::fmt::Formatter<'_>,
|
|
|
|
|
) -> Result<(), ::std::fmt::Error> {
|
|
|
|
|
#[allow(unsafe_code)]
|
|
|
|
|
unsafe {
|
2023-02-22 11:30:00 +00:00
|
|
|
::core::fmt::Debug::fmt(&self.num, f)
|
2023-02-16 18:11:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
impl Nonce {
|
|
|
|
|
/// Generate a new random Nonce
|
2023-05-30 08:52:54 +00:00
|
|
|
pub fn new(rand: &Random) -> Self {
|
2023-06-19 17:26:21 +00:00
|
|
|
let mut raw = [0; Self::len().0];
|
2023-03-01 17:20:03 +00:00
|
|
|
rand.fill(&mut raw);
|
2023-05-27 08:57:15 +00:00
|
|
|
Self { raw }
|
2023-02-16 18:11:45 +00:00
|
|
|
}
|
2023-02-21 21:06:17 +00:00
|
|
|
/// Length of this nonce in bytes
|
2023-06-19 17:26:21 +00:00
|
|
|
pub const fn len() -> NonceLen {
|
2023-06-17 09:33:47 +00:00
|
|
|
// FIXME: was:12. xchacha20poly1305 requires 24.
|
|
|
|
|
// but we should change keys much earlier than that, and our
|
|
|
|
|
// nonces are not random, but sequential.
|
|
|
|
|
// we should change keys every 2^30 bytes to be sure (stream max window)
|
2023-06-19 17:26:21 +00:00
|
|
|
return NonceLen(24);
|
2023-02-21 21:06:17 +00:00
|
|
|
}
|
2023-02-17 22:09:49 +00:00
|
|
|
/// Get reference to the nonce bytes
|
|
|
|
|
pub fn as_bytes(&self) -> &[u8] {
|
2023-02-16 18:11:45 +00:00
|
|
|
#[allow(unsafe_code)]
|
|
|
|
|
unsafe {
|
2023-02-17 22:09:49 +00:00
|
|
|
&self.raw
|
2023-02-16 18:11:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
2023-02-17 22:09:49 +00:00
|
|
|
/// Create Nonce from array
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn from_slice(raw: [u8; Self::len().0]) -> Self {
|
2023-05-27 08:57:15 +00:00
|
|
|
Self { raw }
|
2023-02-16 18:11:45 +00:00
|
|
|
}
|
2023-02-17 22:09:49 +00:00
|
|
|
/// Go to the next nonce
|
2023-06-19 17:26:21 +00:00
|
|
|
pub fn advance(&mut self) -> Self {
|
|
|
|
|
let old_nonce = self.clone();
|
2023-02-16 18:11:45 +00:00
|
|
|
#[allow(unsafe_code)]
|
|
|
|
|
unsafe {
|
|
|
|
|
let old_low = self.num.low;
|
|
|
|
|
self.num.low = self.num.low + 1;
|
|
|
|
|
if self.num.low < old_low {
|
|
|
|
|
self.num.high = self.num.high;
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-02-26 09:44:21 +00:00
|
|
|
old_nonce
|
|
|
|
|
}
|
|
|
|
|
}
|
2023-06-19 17:26:21 +00:00
|
|
|
|
2023-06-01 09:41:10 +00:00
|
|
|
/// Select the best cipher from our supported list
|
|
|
|
|
/// and the other endpoint supported list.
|
|
|
|
|
/// Give priority to our list
|
|
|
|
|
pub fn server_select_cipher(
|
|
|
|
|
cfg: &Config,
|
2023-06-19 17:26:21 +00:00
|
|
|
client_supported: &Vec<Kind>,
|
|
|
|
|
) -> Option<Kind> {
|
2023-06-01 09:41:10 +00:00
|
|
|
cfg.ciphers
|
|
|
|
|
.iter()
|
|
|
|
|
.find(|c| client_supported.contains(c))
|
|
|
|
|
.copied()
|
|
|
|
|
}
|
|
|
|
|
/// Select the best cipher from our supported list
|
|
|
|
|
/// and the other endpoint supported list.
|
|
|
|
|
/// Give priority to the server list
|
|
|
|
|
/// This is used only in the Directory synchronized handshake
|
|
|
|
|
pub fn client_select_cipher(
|
|
|
|
|
cfg: &Config,
|
2023-06-19 17:26:21 +00:00
|
|
|
server_supported: &Vec<Kind>,
|
|
|
|
|
) -> Option<Kind> {
|
2023-06-01 09:41:10 +00:00
|
|
|
server_supported
|
|
|
|
|
.iter()
|
|
|
|
|
.find(|c| cfg.ciphers.contains(c))
|
|
|
|
|
.copied()
|
|
|
|
|
}
|
