Compare commits

..

10 commits

Author SHA1 Message Date
df1b2129c1 Tmp fixes 2024-10-09 11:22:08 +02:00
satvrn
84b358c934
better WASM support 2023-08-02 14:11:26 +00:00
satvrn
2b559b79f9 add std support, wording changes, code improvements 2023-07-19 21:50:58 +00:00
satvrn
45916848ad update deps + bump version 2023-07-19 02:28:13 +00:00
satvrn
d5f9760546
Update LICENSE 2023-07-18 19:03:42 -07:00
satvrn
921208970b bump version 2023-07-18 23:39:06 +00:00
satvrn
bff1cca0f1 update gitignore and remove magnetite mentions 2023-07-18 23:33:31 +00:00
satvrn
d8c9e9b36c reinstate repo with source from crates.io 2023-07-18 23:27:53 +00:00
Hannes
93727cedf1
Merge pull request #50 from Dione-Software/dependabot/cargo/bumpalo-3.12.0
Bump bumpalo from 3.10.0 to 3.12.0
2023-01-24 13:03:58 +01:00
dependabot[bot]
035861df05
Bump bumpalo from 3.10.0 to 3.12.0
Bumps [bumpalo](https://github.com/fitzgen/bumpalo) from 3.10.0 to 3.12.0.
- [Release notes](https://github.com/fitzgen/bumpalo/releases)
- [Changelog](https://github.com/fitzgen/bumpalo/blob/main/CHANGELOG.md)
- [Commits](https://github.com/fitzgen/bumpalo/compare/3.10.0...3.12.0)

---
updated-dependencies:
- dependency-name: bumpalo
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-20 22:13:15 +00:00
20 changed files with 708 additions and 2057 deletions

View file

@ -1,2 +0,0 @@
ignore:
- "../*"

View file

@ -1,11 +0,0 @@
# To get started with Dependabot version updates, you'll need to specify which
# package ecosystems to update and where the package manifests are located.
# Please see the documentation for all configuration options:
# https://help.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
version: 2
updates:
- package-ecosystem: "cargo" # See documentation for possible values
directory: "/" # Location of package manifests
schedule:
interval: "daily"

View file

@ -1,15 +0,0 @@
name: Security audit
on:
push:
branches:
- "*"
schedule:
- cron: '0 0 * * *'
jobs:
security_audit:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v1
- uses: actions-rs/audit-check@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}

View file

@ -1,60 +0,0 @@
name: Rust
on:
push
env:
CARGO_TERM_COLOR: always
jobs:
build-and-test-native:
strategy:
matrix:
platform: [ubuntu-latest, macos-latest, windows-latest]
runs-on: ${{ matrix.platform }}
steps:
- uses: actions/checkout@v2
# `cargo check` command here will use installed `nightly`
# as it is set as an "override" for current directory
- name: Run cargo check
run: cargo check
- name: Run cargo test
run: cargo test
- name: Run cargo build
run: cargo build
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- name: Actions-rs
uses: actions-rs/toolchain@v1
with:
toolchain: nightly
override: true
- name: Run Test
uses: actions-rs/cargo@v1
with:
command: test
args: --all-features --no-fail-fast
env:
CARGO_INCREMENTAL: '0'
RUSTFLAGS: '-Zprofile -Ccodegen-units=1 -Cinline-threshold=0 -Clink-dead-code -Coverflow-checks=off -Cpanic=abort -Zpanic_abort_tests'
RUSTDOCFLAGS: '-Zprofile -Ccodegen-units=1 -Cinline-threshold=0 -Clink-dead-code -Coverflow-checks=off -Cpanic=abort -Zpanic_abort_tests'
- id: coverage
uses: actions-rs/grcov@v0.1
- name: Coveralls upload
uses: coverallsapp/github-action@master
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
path-to-lcov: ${{ steps.coverage.outputs.report }}

16
.gitignore vendored
View file

@ -1,2 +1,14 @@
/target # Generated by Cargo
/.idea # will have compiled files and executables
debug/
target/
# Remove Cargo.lock from gitignore if creating an executable, leave it for libraries
# More information here https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html
Cargo.lock
# These are backup files generated by rustfmt
**/*.rs.bk
# MSVC Windows builds of rustc generate these, which store debugging information
*.pdb

1109
Cargo.lock generated

File diff suppressed because it is too large Load diff

View file

@ -1,37 +1,39 @@
[package] [package]
name = "double-ratchet-2" name = "double-ratchet-rs"
authors = ["Hannes Furmans"] version = "0.4.6"
description = "Implementation of Double Ratchet as specified by Signal." authors = ["satvrn", "Hannes Furmans", "Pascal Engélibert"]
homepage = "https://github.com/Dione-Software/double-ratchet-2" edition = "2021"
repository = "https://github.com/Dione-Software/double-ratchet-2" rust-version = "1.60"
description = "A pure Rust implementation of the Double Ratchet algorithm as described by Signal."
documentation = "https://docs.rs/double-ratchet-rs"
readme = "README.md" readme = "README.md"
keywords = ["double-ratchet", "crypto", "cryptography", "signal"] homepage = "https://git.txmn.tk/tuxmain/double-ratchet-rs"
version = "0.3.7" repository = "https://git.txmn.tk/tuxmain/double-ratchet-rs"
edition = "2018"
license = "MIT" license = "MIT"
keywords = ["double-ratchet", "signal"]
# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html categories = ["algorithms", "cryptography", "no-std"]
[badges]
maintenance = { status = "actively-developed" }
[dependencies] [dependencies]
p256 = {version = "0.10", features = ["ecdh", "arithmetic", "pem", "jwk"]} x25519-dalek = {version = "2", default-features = false, features = ["serde", "static_secrets", "zeroize"]}
rand_core = {version = "0.6"} rand_core = "0.6"
getrandom = {version = "0.2.3"}
hkdf = "0.12" hkdf = "0.12"
hmac = "0.12" hmac = "0.12"
aes-gcm-siv = {version = "0.10.3"} aes-gcm-siv = "0.11"
sha2 = {version = "0.10"} sha2 = {version = "0.10", default-features = false}
serde = {version = "1", default-features = false, features = ["derive"]} serde = {version = "1.0", default-features = false, features = ["derive"]}
serde_bytes = "0.11" postcard = {version = "1.0", default-features = false, features = ["alloc"]}
bincode = "1" hashbrown = {version = "0.14", features = ["serde"], optional = true}
hashbrown = {version = "0.13", features = ["serde"]} zeroize = {version = "1.6", default-features = false, features = ["zeroize_derive"]}
zeroize = {version = "1.3", features = ["zeroize_derive"]}
[dev-dependencies] [target.'cfg(all(target_family = "wasm", target_vendor = "unknown"))'.dependencies]
criterion = "0.4.0" getrandom = { version = "0.2", features = ["js"] }
[target.'cfg(not(target_family = "wasm"))'.dev-dependencies]
criterion = "0.4"
[target.'cfg(target_family = "wasm")'.dev-dependencies]
criterion = { version = "0.4", default-features = false, features = ["plotters", "cargo_bench_support"] }
wasm-bindgen-test = "0.2"
[[bench]] [[bench]]
name = "double_ratchet_bench" name = "double_ratchet_bench"
@ -41,4 +43,5 @@ harness = false
lto = true lto = true
[features] [features]
wasm = ["getrandom/js"] default = ["hashbrown"]
std = ["sha2/std", "serde/std", "postcard/use-std", "zeroize/std"]

View file

@ -1,6 +1,8 @@
MIT License MIT License
Copyright (c) 2023 satvrn
Copyright (c) 2021 Hannes Furmans Copyright (c) 2021 Hannes Furmans
Copyright (c) 2024 Pascal Engélibert
Permission is hereby granted, free of charge, to any person obtaining a copy Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal of this software and associated documentation files (the "Software"), to deal

163
README.md
View file

@ -1,71 +1,87 @@
[![Crate](https://img.shields.io/crates/v/double-ratchet-2)](https://crates.io/crates/double-ratchet-2) # double-ratchet-rs
[![License](https://img.shields.io/github/license/Dione-Software/double-ratchet-2)](https://github.com/Dione-Software/double-ratchet-2/blob/main/LICENSE)
[![Coverage Status](https://coveralls.io/repos/github/Dione-Software/double-ratchet-2/badge.svg?branch=main)](https://coveralls.io/github/Dione-Software/double-ratchet-2?branch=main)
[![Workflow Status](https://github.com/Dione-Software/double-ratchet-2/actions/workflows/rust.yml/badge.svg)](https://github.com/Dione-Software/double-ratchet-2/actions/workflows/rust.yml)
![Maintenance](https://img.shields.io/badge/maintenance-activly--developed-brightgreen.svg)
# double-ratchet-2 A pure Rust implementation of the Double Ratchet algorithm as described by [Signal][1].
Implementation of the double ratchet system/encryption as specified by [Signal][1]. This implementation follows the cryptographic recommendations provided by [Signal][2].
The AEAD algorithm uses a constant Nonce. This might be changed in the future.
**WARNING! This implementation uses P-256 NOT Curve25519 as specified by Signal!** Temporary fork of [double-ratchet-rs](https://github.com/notsatvrn/double-ratchet-rs), which is published on crates.io. Use this one instead because my fork is published for a proof of concept only, not meant to stay forever.
The implementation follows the cryptographic recommendations provided by [Signal][2]. ## Examples
The AEAD Algorithm uses a constant Nonce. This might be changed in the future.
## Example Usage: ### Standard Usage
Alice encrypts a message which is then decrypted by Bob.
### Standard:
```rust ```rust
use double_ratchet_2::ratchet::Ratchet; use double_ratchet_rs::Ratchet;
let sk = [1; 32]; // Initial Key created by a symmetric key agreement protocol let sk = [1; 32]; // Shared key created by a symmetric key agreement protocol
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bobs Ratchet (returns Bobs PublicKey)
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice Ratchet with Bobs PublicKey let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bob's Ratchet (returns Bob's PublicKey)
let data = b"Hello World".to_vec(); // Data to be encrypted let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice's Ratchet with Bob's PublicKey
let ad = b"Associated Data"; // Associated Data
let data = b"Hello World".to_vec(); // Data to be encrypted
let ad = b"Associated Data"; // Associated data
let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, ad); // Encrypting message with Alice's Ratchet (Alice always needs to send the first message)
let decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, ad); // Decrypt message with Bob's Ratchet
let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, ad); // Encrypting message with Alice Ratchet (Alice always needs to send the first message)
let decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, ad); // Decrypt message with Bobs Ratchet
assert_eq!(data, decrypted) assert_eq!(data, decrypted)
``` ```
### With lost message: ### Recovering a Lost Message
Alice encrypts 2 messages for Bob.
The latest message must be decrypted first.
```rust ```rust
use double_ratchet_rs::Ratchet;
let sk = [1; 32]; // Initial Key created by a symmetric key agreement protocol let sk = [1; 32]; // Shared key created by a symmetric key agreement protocol
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bobs Ratchet (returns Bobs PublicKey)
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice Ratchet with Bobs PublicKey
let data = b"Hello World".to_vec(); // Data to be encrypted
let ad = b"Associated Data"; // Associated Data
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, ad); // Lost message let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bob's Ratchet (returns Bob's PublicKey)
let (header2, encrypted2, nonce2) = alice_ratchet.ratchet_encrypt(&data, ad); // Successful message let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice's Ratchet with Bob's PublicKey
let decrypted2 = bob_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, ad); // Decrypting second message first let data = b"Hello World".to_vec(); // Data to be encrypted
let decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, ad); // Decrypting latter message let ad = b"Associated Data"; // Associated data
let comp = decrypted1 == data && decrypted2 == data; let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, ad); // Lost message
assert!(comp); let (header2, encrypted2, nonce2) = alice_ratchet.encrypt(&data, ad); // Successful message
let decrypted2 = bob_ratchet.decrypt(&header2, &encrypted2, &nonce2, ad); // Decrypting second message first
let decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, ad); // Decrypting latter message
assert_eq!(data, decrypted1);
assert_eq!(data, decrypted2);
``` ```
### Encryption before recieving inital message ### Encryption Before Decrypting First Message
Bob encrypts a message before decrypting one from Alice.
This will result in a panic.
```rust ```rust
use double_ratchet_2::ratchet::Ratchet; use double_ratchet_rs::Ratchet;
let sk = [1; 32]; let sk = [1; 32];
let ad = b"Associated Data";
let (mut bob_ratchet, _) = Ratchet::init_bob(sk);
let data = b"Hello World".to_vec();
let (_, _, _) = bob_ratchet.ratchet_encrypt(&data, ad); let (mut bob_ratchet, _) = Ratchet::init_bob(sk);
let data = b"Hello World".to_vec();
let ad = b"Associated Data";
let (_, _, _) = bob_ratchet.encrypt(&data, ad);
``` ```
### Encryption after recieving initial message ### Encryption After Decrypting First Message
However bob can (of course) also encrypt messages. This is possible, after decrypting the first message from alice.
Bob *can* also encrypt messages.
This is only possible after decrypting one from Alice first though.
```rust ```rust
use double_ratchet_2::ratchet::Ratchet; use double_ratchet_rs::Ratchet;
let sk = [1; 32]; let sk = [1; 32];
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
@ -74,64 +90,87 @@ let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let data = b"Hello World".to_vec(); let data = b"Hello World".to_vec();
let ad = b"Associated Data"; let ad = b"Associated Data";
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, ad); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, ad);
let _decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, ad); let _decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, ad);
let (header2, encrypted2, nonce2) = bob_ratchet.ratchet_encrypt(&data, ad); let (header2, encrypted2, nonce2) = bob_ratchet.encrypt(&data, ad);
let decrypted2 = alice_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, ad); let decrypted2 = alice_ratchet.decrypt(&header2, &encrypted2, &nonce2, ad);
assert_eq!(data, decrypted2); assert_eq!(data, decrypted2);
``` ```
### Constructing and Deconstructing Headers ### Constructing and Deconstructing Headers
```rust ```rust
use double_ratchet_rs::{Header, Ratchet};
let sk = [1; 32];
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let data = b"hello World".to_vec();
let ad = b"Associated Data";
let (header, _, _) = alice_ratchet.encrypt(&data, ad);
let header_bytes: Vec<u8> = header.clone().into(); let header_bytes: Vec<u8> = header.clone().into();
let header_const = Header::from(header_bytes); let header_const = Header::from(header_bytes);
assert_eq!(header, header_const); assert_eq!(header, header_const);
``` ```
## Example Ratchet with encrypted headers ### Encrypted Headers
```rust ```rust
use double_ratchet_2::ratchet::RatchetEncHeader; use double_ratchet_rs::RatchetEncHeader;
let sk = [0; 32]; let sk = [0; 32];
let shared_hka = [1; 32]; let shared_hka = [1; 32];
let shared_nhkb = [2; 32]; let shared_nhkb = [2; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb); let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb); let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
let data = b"Hello World".to_vec(); let data = b"Hello World".to_vec();
let ad = b"Associated Data"; let ad = b"Associated Data";
let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, ad); let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, ad);
let decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, ad); let decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, ad);
assert_eq!(data, decrypted) assert_eq!(data, decrypted)
``` ```
## Export / Import Ratchet with encrypted headers ### Exporting / Importing Ratchet w/ Encrypted Headers
This ratchet implements import and export functionality. This works over a bincode backend and
maybe useful for saving Ratchets to and loading from a file. This can be used for storing and using ratchets in a file.
```rust ```rust
use double_ratchet_rs::RatchetEncHeader;
let sk = [0; 32];
let shared_hka = [1; 32];
let shared_nhkb = [2; 32];
let (bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb); let (bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
let ex_ratchet = bob_ratchet.export(); let ex_ratchet = bob_ratchet.export();
let im_ratchet = RatchetEncHeader::import(&ex_ratchet); let im_ratchet = RatchetEncHeader::import(&ex_ratchet).unwrap();
assert_eq!(im_ratchet, bob_ratchet) assert_eq!(im_ratchet, bob_ratchet)
``` ```
## Features ## Features
Currently the crate only supports one feature: ring. If feature is enabled the crate switches - `hashbrown`: Use `hashbrown` for `HashMap`. Enabled by default for `no_std` support.
to ring-compat and uses ring as backend for Sha512 Hashing. May result in slightly better performance. - `std`: Use `std` instead of `alloc`. Can be used with `hashbrown`, but it isn't required.
## **M**inimum **S**upported **R**ust **V**ersion (MSRV)
TODO: The current MSRV is 1.60.0 without `hashbrown` and 1.64.0 with `hashbrown`.
- [x] Standard Double Ratchet
- [x] [Double Ratchet with encrypted headers][3] ## License
This project is licensed under the [MIT license](https://git.txmn.tk/tuxmain/double-ratchet-rs/blob/main/LICENSE).
[1]: https://signal.org/docs/specifications/doubleratchet/ [1]: https://signal.org/docs/specifications/doubleratchet/
[2]: https://signal.org/docs/specifications/doubleratchet/#recommended-cryptographic-algorithms [2]: https://signal.org/docs/specifications/doubleratchet/#recommended-cryptographic-algorithms
[3]: https://signal.org/docs/specifications/doubleratchet/#double-ratchet-with-header-encryption [3]: https://signal.org/docs/specifications/doubleratchet/#double-ratchet-with-header-encryption
Current version: 0.4.0
License: MIT

View file

@ -1,13 +0,0 @@
[![Crate](https://img.shields.io/crates/v/double-ratchet-2)](https://crates.io/crates/double-ratchet-2)
[![License](https://img.shields.io/github/license/Dione-Software/double-ratchet-2)](https://github.com/Dione-Software/double-ratchet-2/blob/main/LICENSE)
[![Coverage Status](https://coveralls.io/repos/github/Dione-Software/double-ratchet-2/badge.svg?branch=main)](https://coveralls.io/github/Dione-Software/double-ratchet-2?branch=main)
[![Workflow Status](https://github.com/Dione-Software/double-ratchet-2/actions/workflows/rust.yml/badge.svg)](https://github.com/Dione-Software/double-ratchet-2/actions/workflows/rust.yml)
{{badges}}
# {{crate}}
{{readme}}
Current version: {{version}}
License: {{license}}

View file

@ -1,13 +1,13 @@
use double_ratchet_2::ratchet::{Ratchet, RatchetEncHeader}; use criterion::{criterion_group, criterion_main, Criterion};
use criterion::{Criterion, criterion_main, criterion_group}; use double_ratchet_rs::{Ratchet, RatchetEncHeader};
fn ratchet_enc_single() { fn ratchet_enc_single() {
let sk = [1; 32]; let sk = [1; 32];
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, b""); let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, b"");
let _decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, b""); let _decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, b"");
} }
fn criterion_benchmark_1(c: &mut Criterion) { fn criterion_benchmark_1(c: &mut Criterion) {
@ -19,93 +19,99 @@ fn ratchet_enc_skip() {
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let (header2, encrypted2, nonce2) = alice_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = alice_ratchet.encrypt(&data, b"");
let _decrypted2 = bob_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let _decrypted2 = bob_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"");
let _decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let _decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"");
} }
fn criterion_benchmark_2(c: &mut Criterion) { fn criterion_benchmark_2(c: &mut Criterion) {
c.bench_function("Ratchet Enc Skip", |b| b.iter(|| ratchet_enc_skip())); c.bench_function("Ratchet Enc Skip", |b| b.iter(|| ratchet_enc_skip()));
} }
fn ratchet_encryt_decrypt_four() { fn ratchet_encrypt_decrypt_four() {
let sk = [1; 32]; let sk = [1; 32];
let data = include_bytes!("../src/dh.rs").to_vec(); let data = include_bytes!("../src/dh.rs").to_vec();
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let _decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let _decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"").unwrap();
let (header2, encrypted2, nonce2) = bob_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = bob_ratchet.encrypt(&data, b"");
let _decrypted2 = alice_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let _decrypted2 = alice_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"").unwrap();
} }
fn criterion_benchmark_3(c: &mut Criterion) { fn criterion_benchmark_3(c: &mut Criterion) {
c.bench_function("Ratchet Dec Four", |b| b.iter(|| ratchet_encryt_decrypt_four())); c.bench_function("Ratchet Dec Four", |b| {
b.iter(|| ratchet_encrypt_decrypt_four())
});
} }
fn ratchet_ench_enc_single() { fn ratchet_ench_enc_single() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka, let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk,
public_key,
shared_hka,
shared_nhkb);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, b""); let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, b"");
let decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, b""); let decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, b"").unwrap();
assert_eq!(data, decrypted) assert_eq!(data, decrypted)
} }
fn criterion_benchmark_4(c: &mut Criterion) { fn criterion_benchmark_4(c: &mut Criterion) {
c.bench_function("Encrypted Header Ratchet Enc Single", |b| b.iter(|| ratchet_ench_enc_single())); c.bench_function("Encrypted Header Ratchet Enc Single", |b| {
b.iter(|| ratchet_ench_enc_single())
});
} }
fn ratchet_ench_enc_skip() { fn ratchet_ench_enc_skip() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka, let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk,
public_key,
shared_hka,
shared_nhkb);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let (header2, encrypted2, nonce2) = alice_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = alice_ratchet.encrypt(&data, b"");
let _decrypted2 = bob_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let _decrypted2 = bob_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"");
let _decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let _decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"");
} }
fn criterion_benchmark_5(c: &mut Criterion) { fn criterion_benchmark_5(c: &mut Criterion) {
c.bench_function("Encrypted Header Ratchet Enc Skip", |b| b.iter(|| ratchet_ench_enc_skip())); c.bench_function("Encrypted Header Ratchet Enc Skip", |b| {
b.iter(|| ratchet_ench_enc_skip())
});
} }
fn ratchet_ench_decrypt_four() { fn ratchet_ench_decrypt_four() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka,
shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb); let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
let data = include_bytes!("../src/dh.rs").to_vec(); let data = include_bytes!("../src/dh.rs").to_vec();
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let _decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let _decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"").unwrap();
let (header2, encrypted2, nonce2) = bob_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = bob_ratchet.encrypt(&data, b"");
let _decrypted2 = alice_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let _decrypted2 = alice_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"").unwrap();
} }
fn criterion_benchmark_6(c: &mut Criterion) { fn criterion_benchmark_6(c: &mut Criterion) {
c.bench_function("Encrypted Header Ratchet Dec Four", |b| b.iter(|| ratchet_ench_decrypt_four())); c.bench_function("Encrypted Header Ratchet Dec Four", |b| {
b.iter(|| ratchet_ench_decrypt_four())
});
} }
criterion_group!(without_enc_headerd, criterion_benchmark_1, criterion_benchmark_2, criterion_benchmark_3); criterion_group!(
criterion_group!(with_enc_headerd, criterion_benchmark_4, criterion_benchmark_5, criterion_benchmark_6); without_enc_headerd,
criterion_benchmark_1,
criterion_benchmark_2,
criterion_benchmark_3
);
criterion_group!(
with_enc_headerd,
criterion_benchmark_4,
criterion_benchmark_5,
criterion_benchmark_6
);
criterion_main!(without_enc_headerd, with_enc_headerd); criterion_main!(without_enc_headerd, with_enc_headerd);

204
deny.toml
View file

@ -1,204 +0,0 @@
# This template contains all of the possible sections and their default values
# Note that all fields that take a lint level have these possible values:
# * deny - An error will be produced and the check will fail
# * warn - A warning will be produced, but the check will not fail
# * allow - No warning or error will be produced, though in some cases a note
# will be
# The values provided in this template are the default values that will be used
# when any section or field is not specified in your own configuration
# If 1 or more target triples (and optionally, target_features) are specified,
# only the specified targets will be checked when running `cargo deny check`.
# This means, if a particular package is only ever used as a target specific
# dependency, such as, for example, the `nix` crate only being used via the
# `target_family = "unix"` configuration, that only having windows targets in
# this list would mean the nix crate, as well as any of its exclusive
# dependencies not shared by any other crates, would be ignored, as the target
# list here is effectively saying which targets you are building for.
targets = [
# The triple can be any string, but only the target triples built in to
# rustc (as of 1.40) can be checked against actual config expressions
#{ triple = "x86_64-unknown-linux-musl" },
# You can also specify which target_features you promise are enabled for a
# particular target. target_features are currently not validated against
# the actual valid features supported by the target architecture.
#{ triple = "wasm32-unknown-unknown", features = ["atomics"] },
]
# This section is considered when running `cargo deny check advisories`
# More documentation for the advisories section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
[advisories]
# The path where the advisory database is cloned/fetched into
db-path = "~/.cargo/advisory-db"
# The url(s) of the advisory databases to use
db-urls = ["https://github.com/rustsec/advisory-db"]
# The lint level for security vulnerabilities
vulnerability = "deny"
# The lint level for unmaintained crates
unmaintained = "warn"
# The lint level for crates that have been yanked from their source registry
yanked = "warn"
# The lint level for crates with security notices. Note that as of
# 2019-12-17 there are no security notice advisories in
# https://github.com/rustsec/advisory-db
notice = "warn"
# A list of advisory IDs to ignore. Note that ignored advisories will still
# output a note when they are encountered.
ignore = [
#"RUSTSEC-0000-0000",
]
# Threshold for security vulnerabilities, any vulnerability with a CVSS score
# lower than the range specified will be ignored. Note that ignored advisories
# will still output a note when they are encountered.
# * None - CVSS Score 0.0
# * Low - CVSS Score 0.1 - 3.9
# * Medium - CVSS Score 4.0 - 6.9
# * High - CVSS Score 7.0 - 8.9
# * Critical - CVSS Score 9.0 - 10.0
#severity-threshold =
# This section is considered when running `cargo deny check licenses`
# More documentation for the licenses section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/licenses/cfg.html
[licenses]
# The lint level for crates which do not have a detectable license
unlicensed = "deny"
# List of explictly allowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
allow = [
"MIT",
"Apache-2.0",
"BSD-3-Clause",
#"Apache-2.0 WITH LLVM-exception",
]
# List of explictly disallowed licenses
# See https://spdx.org/licenses/ for list of possible licenses
# [possible values: any SPDX 3.11 short identifier (+ optional exception)].
deny = [
#"Nokia",
]
# Lint level for licenses considered copyleft
copyleft = "warn"
# Blanket approval or denial for OSI-approved or FSF Free/Libre licenses
# * both - The license will be approved if it is both OSI-approved *AND* FSF
# * either - The license will be approved if it is either OSI-approved *OR* FSF
# * osi-only - The license will be approved if is OSI-approved *AND NOT* FSF
# * fsf-only - The license will be approved if is FSF *AND NOT* OSI-approved
# * neither - This predicate is ignored and the default lint level is used
allow-osi-fsf-free = "neither"
# Lint level used when no other predicates are matched
# 1. License isn't in the allow or deny lists
# 2. License isn't copyleft
# 3. License isn't OSI/FSF, or allow-osi-fsf-free = "neither"
default = "deny"
# The confidence threshold for detecting a license from license text.
# The higher the value, the more closely the license text must be to the
# canonical license text of a valid SPDX license file.
# [possible values: any between 0.0 and 1.0].
confidence-threshold = 0.8
# Allow 1 or more licenses on a per-crate basis, so that particular licenses
# aren't accepted for every possible crate as with the normal allow list
exceptions = [
# Each entry is the crate and version constraint, and its specific allow
# list
#{ allow = ["Zlib"], name = "adler32", version = "*" },
]
# Some crates don't have (easily) machine readable licensing information,
# adding a clarification entry for it allows you to manually specify the
# licensing information
#[[licenses.clarify]]
# The name of the crate the clarification applies to
#name = "ring"
# The optional version constraint for the crate
#version = "*"
# The SPDX expression for the license requirements of the crate
#expression = "MIT AND ISC AND OpenSSL"
# One or more files in the crate's source used as the "source of truth" for
# the license expression. If the contents match, the clarification will be used
# when running the license check, otherwise the clarification will be ignored
# and the crate will be checked normally, which may produce warnings or errors
# depending on the rest of your configuration
#license-files = [
# Each entry is a crate relative path, and the (opaque) hash of its contents
#{ path = "LICENSE", hash = 0xbd0eed23 }
#]
[licenses.private]
# If true, ignores workspace crates that aren't published, or are only
# published to private registries
ignore = false
# One or more private registries that you might publish crates to, if a crate
# is only published to private registries, and ignore is true, the crate will
# not have its license(s) checked
registries = [
#"https://sekretz.com/registry
]
# This section is considered when running `cargo deny check bans`.
# More documentation about the 'bans' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/bans/cfg.html
[bans]
# Lint level for when multiple versions of the same crate are detected
multiple-versions = "warn"
# Lint level for when a crate version requirement is `*`
wildcards = "allow"
# The graph highlighting used when creating dotgraphs for crates
# with multiple versions
# * lowest-version - The path to the lowest versioned duplicate is highlighted
# * simplest-path - The path to the version with the fewest edges is highlighted
# * all - Both lowest-version and simplest-path are used
highlight = "all"
# List of crates that are allowed. Use with care!
allow = [
#{ name = "ansi_term", version = "=0.11.0" },
]
# List of crates to deny
deny = [
# Each entry the name of a crate and a version range. If version is
# not specified, all versions will be matched.
#{ name = "ansi_term", version = "=0.11.0" },
#
# Wrapper crates can optionally be specified to allow the crate when it
# is a direct dependency of the otherwise banned crate
#{ name = "ansi_term", version = "=0.11.0", wrappers = [] },
]
# Certain crates/versions that will be skipped when doing duplicate detection.
skip = [
#{ name = "ansi_term", version = "=0.11.0" },
]
# Similarly to `skip` allows you to skip certain crates during duplicate
# detection. Unlike skip, it also includes the entire tree of transitive
# dependencies starting at the specified crate, up to a certain depth, which is
# by default infinite
skip-tree = [
#{ name = "ansi_term", version = "=0.11.0", depth = 20 },
]
# This section is considered when running `cargo deny check sources`.
# More documentation about the 'sources' section can be found here:
# https://embarkstudios.github.io/cargo-deny/checks/sources/cfg.html
[sources]
# Lint level for what to happen when a crate from a crate registry that is not
# in the allow list is encountered
unknown-registry = "warn"
# Lint level for what to happen when a crate from a git repository that is not
# in the allow list is encountered
unknown-git = "warn"
# List of URLs for allowed crate registries. Defaults to the crates.io index
# if not specified. If it is specified but empty, no registries are allowed.
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
# List of URLs for allowed Git repositories
allow-git = []
[sources.allow-org]
# 1 or more github.com organizations to allow git sources for
# github = [""]
# 1 or more gitlab.com organizations to allow git sources for
# gitlab = [""]
# 1 or more bitbucket.org organizations to allow git sources for
# bitbucket = [""]

View file

@ -1,45 +1,62 @@
use aes_gcm_siv::{Key, Aes256GcmSiv, Nonce}; use aes_gcm_siv::aead::AeadInPlace;
use aes_gcm_siv::aead::{NewAead, AeadInPlace}; use aes_gcm_siv::{Aes256GcmSiv, KeyInit, Nonce};
use alloc::vec::Vec;
use rand_core::{OsRng, RngCore}; use rand_core::{OsRng, RngCore};
pub fn encrypt(mk: &[u8; 32], plaintext: &[u8], associated_data: &[u8]) -> (Vec<u8>, [u8; 12]) { #[cfg(not(feature = "std"))]
let key = Key::from_slice(mk); use alloc::vec::Vec;
let cipher = Aes256GcmSiv::new(key);
let mut nonce_data = [0_u8; 12]; pub fn encrypt(mk: &[u8; 32], data: &[u8], associated_data: &[u8]) -> (Vec<u8>, [u8; 12]) {
OsRng::fill_bytes(&mut OsRng, &mut nonce_data); let cipher = Aes256GcmSiv::new_from_slice(mk).expect("Encryption failure {}");
let nonce = Nonce::from_slice(&nonce_data);
let mut buffer = Vec::new(); let mut nonce_data = [0u8; 12];
buffer.extend_from_slice(plaintext); OsRng.fill_bytes(&mut nonce_data);
let nonce = Nonce::from_slice(&nonce_data);
let mut buffer = Vec::new();
buffer.extend_from_slice(data);
cipher
.encrypt_in_place(nonce, associated_data, &mut buffer)
.expect("Encryption failure {}");
cipher.encrypt_in_place(nonce, associated_data, &mut buffer)
.expect("Encryption failed");
(buffer, nonce_data) (buffer, nonce_data)
} }
pub fn decrypt(mk: &[u8; 32], ciphertext: &[u8], associated_data: &[u8], nonce: &[u8; 12]) -> Vec<u8> { #[derive(Clone, Debug, Eq, PartialEq)]
let key = Key::from_slice(mk); pub struct InvalidAd;
let cipher = Aes256GcmSiv::new(key);
pub fn decrypt(
mk: &[u8; 32],
enc_data: &[u8],
associated_data: &[u8],
nonce: &[u8; 12],
) -> Result<Vec<u8>, InvalidAd> {
let cipher = Aes256GcmSiv::new_from_slice(mk).expect("unreachable");
let nonce = Nonce::from_slice(nonce); let nonce = Nonce::from_slice(nonce);
let mut buffer = Vec::new(); let mut buffer = Vec::new();
buffer.extend_from_slice(ciphertext); buffer.extend_from_slice(enc_data);
cipher.decrypt_in_place(nonce, associated_data, &mut buffer).expect("Decryption failure {}");
buffer cipher
.decrypt_in_place(nonce, associated_data, &mut buffer)
.map_err(|_| InvalidAd)?;
Ok(buffer)
} }
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use crate::aead::{decrypt, encrypt};
use crate::kdf_chain::gen_mk; use crate::kdf_chain::gen_mk;
use crate::aead::{encrypt, decrypt};
#[test] #[test]
fn enc_a_dec() { fn enc_a_dec() {
let test_data = include_bytes!("aead.rs").to_vec(); let test_data = include_bytes!("aead.rs");
let associated_data = include_bytes!("lib.rs").to_vec(); let associated_data = include_bytes!("lib.rs");
let mk = gen_mk(); let mk = gen_mk();
let (ciphertext, nonce) = encrypt(&mk, &test_data, &associated_data); let (enc_data, nonce) = encrypt(&mk, test_data, associated_data);
let plaintext = decrypt(&mk, &ciphertext, &associated_data, &nonce); let data = decrypt(&mk, &enc_data, associated_data, &nonce).unwrap();
assert_eq!(test_data, plaintext) assert_eq!(test_data, data.as_slice())
} }
} }

View file

@ -1,43 +1,31 @@
use core::fmt::{Debug, Formatter, Result};
use rand_core::OsRng; use rand_core::OsRng;
use core::fmt::{Debug, Formatter}; use serde::{Deserialize, Serialize};
use core::fmt; use x25519_dalek::{PublicKey, SharedSecret, StaticSecret};
use p256::PublicKey as PublicKey;
use p256::ecdh::SharedSecret;
use p256::SecretKey;
use alloc::vec::Vec;
use alloc::string::ToString;
use p256::elliptic_curve::ecdh::diffie_hellman;
#[derive(Clone)] #[derive(Deserialize, Serialize, Clone)]
pub struct DhKeyPair { pub struct DhKeyPair {
pub private_key: SecretKey, pub private_key: StaticSecret,
pub public_key: PublicKey, pub public_key: PublicKey,
} }
impl DhKeyPair {
fn ex_public_key_bytes(&self) -> Vec<u8> {
self.public_key.to_string().as_bytes().to_vec()
}
}
impl PartialEq for DhKeyPair { impl PartialEq for DhKeyPair {
fn eq(&self, other: &Self) -> bool { fn eq(&self, other: &Self) -> bool {
if self.private_key.to_be_bytes() != other.private_key.to_be_bytes() { if self.private_key.to_bytes() != other.private_key.to_bytes() {
return false return false;
} }
if self.ex_public_key_bytes() != other.ex_public_key_bytes() { if self.public_key != other.public_key {
return false return false;
} }
true true
} }
} }
impl Debug for DhKeyPair { impl Debug for DhKeyPair {
fn fmt(&self, f: &mut Formatter<'_>) -> fmt::Result { fn fmt(&self, f: &mut Formatter<'_>) -> Result {
f.debug_struct("DhKeyPair") f.debug_struct("DhKeyPair")
.field("private_key", &self.private_key.to_be_bytes()) .field("private_key", self.private_key.as_bytes())
.field("public_key", &self.ex_public_key_bytes()) .field("public_key", self.public_key.as_bytes())
.finish() .finish()
} }
} }
@ -50,8 +38,8 @@ impl Default for DhKeyPair {
impl DhKeyPair { impl DhKeyPair {
pub fn new() -> Self { pub fn new() -> Self {
let secret = SecretKey::random(&mut OsRng); let secret = StaticSecret::random_from_rng(OsRng);
let public = secret.public_key(); let public = PublicKey::from(&secret);
DhKeyPair { DhKeyPair {
private_key: secret, private_key: secret,
public_key: public, public_key: public,
@ -59,7 +47,7 @@ impl DhKeyPair {
} }
pub fn key_agreement(&self, public_key: &PublicKey) -> SharedSecret { pub fn key_agreement(&self, public_key: &PublicKey) -> SharedSecret {
diffie_hellman(self.private_key.to_nonzero_scalar(), public_key.as_affine()) self.private_key.diffie_hellman(public_key)
} }
} }
@ -70,15 +58,9 @@ pub fn gen_shared_secret() -> SharedSecret {
alice_pair.key_agreement(&bob_pair.public_key) alice_pair.key_agreement(&bob_pair.public_key)
} }
#[cfg(test)]
pub fn gen_key_pair() -> DhKeyPair {
DhKeyPair::new()
}
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use crate::dh::DhKeyPair; use crate::dh::DhKeyPair;
use alloc::string::ToString;
#[test] #[test]
fn key_generation() { fn key_generation() {
@ -96,14 +78,6 @@ mod tests {
assert_eq!(alice_shared_secret.as_bytes(), bob_shared_secret.as_bytes()) assert_eq!(alice_shared_secret.as_bytes(), bob_shared_secret.as_bytes())
} }
#[test]
fn ex_public_key() {
let key_pair = DhKeyPair::new();
let public_key_bytes = key_pair.ex_public_key_bytes();
let extracted_pk = key_pair.public_key.to_string().as_bytes().to_vec();
assert_eq!(extracted_pk, public_key_bytes)
}
#[test] #[test]
fn nq_key_pair() { fn nq_key_pair() {
let key_pair1 = DhKeyPair::new(); let key_pair1 = DhKeyPair::new();

View file

@ -1,107 +1,61 @@
use p256::PublicKey; //! Message header.
use crate::dh::DhKeyPair;
use alloc::vec::Vec;
use serde::{Serialize, Deserialize};
use crate::aead::encrypt;
use aes_gcm_siv::{Key, Nonce, Aes256GcmSiv};
use aes_gcm_siv::aead::{NewAead, AeadInPlace};
#[cfg(test)] use crate::aead::encrypt;
use crate::dh::gen_key_pair; use crate::dh::DhKeyPair;
use alloc::string::{ToString, String}; use aes_gcm_siv::aead::AeadInPlace;
use core::str::FromStr; use aes_gcm_siv::{Aes256GcmSiv, KeyInit, Nonce};
use serde::{Deserialize, Serialize};
use x25519_dalek::PublicKey;
use zeroize::Zeroize; use zeroize::Zeroize;
#[derive(Debug, Clone)] #[cfg(not(feature = "std"))]
pub struct Header { use alloc::vec::Vec;
pub public_key: PublicKey,
pub pn: usize, // Previous Chain Length
pub n: usize, // Message Number
}
#[derive(Serialize, Deserialize, Debug, Zeroize)] #[derive(Serialize, Deserialize, Debug, Zeroize, Clone, PartialEq, Eq)]
#[zeroize(drop)] #[zeroize(drop)]
struct ExHeader { pub struct Header {
#[serde(with = "serde_bytes")] pub ad: Vec<u8>,
ad: Vec<u8>, pub public_key: PublicKey,
public_key: Vec<u8>, pub pn: usize,
pn: usize, pub n: usize,
n: usize
} }
// Message Header // A message header.
impl Header { impl Header {
// #[doc(hidden)] /// Create a new message header.
/// Requires a [DhKeyPair], previous chain length, and message number.
/// Returns a [Header].
pub fn new(dh_pair: &DhKeyPair, pn: usize, n: usize) -> Self { pub fn new(dh_pair: &DhKeyPair, pn: usize, n: usize) -> Self {
Header { Header {
ad: Vec::new(),
public_key: dh_pair.public_key, public_key: dh_pair.public_key,
pn, pn,
n, n,
} }
} }
// #[doc(hidden)]
pub fn concat(&self, ad: &[u8]) -> Vec<u8> { pub fn concat(&self, ad: &[u8]) -> Vec<u8> {
let ex_header = ExHeader { let mut header = self.clone();
ad: ad.to_vec(), header.ad = ad.to_vec();
public_key: self.public_key.to_string().as_bytes().to_vec(), postcard::to_allocvec(&header).expect("Failed to serialize Header")
pn: self.pn,
n: self.n
};
bincode::serialize(&ex_header).expect("Failed to serialize Header")
} }
pub fn encrypt(&self, hk: &[u8; 32], ad: &[u8]) -> (Vec<u8>, [u8; 12]) { pub fn encrypt(&self, hk: &[u8; 32], ad: &[u8]) -> EncryptedHeader {
let header_data = self.concat(ad); let header_data = self.concat(ad);
encrypt(hk, &header_data, b"") let enc_header = encrypt(hk, &header_data, b"");
} EncryptedHeader(enc_header.0, enc_header.1)
pub fn decrypt(hk: &Option<[u8; 32]>, ciphertext: &[u8], nonce: &[u8; 12]) -> Option<Self> {
let key_d = match hk {
None => {
return None
},
Some(d) => d
};
let key = Key::from_slice(key_d);
let cipher = Aes256GcmSiv::new(key);
let nonce = Nonce::from_slice(nonce);
let mut buffer = Vec::new();
buffer.extend_from_slice(ciphertext);
match cipher.decrypt_in_place(nonce, b"", &mut buffer) {
Ok(_) => {}
Err(_) => {
return None
}
};
Some(Header::from(buffer))
}
pub fn ex_public_key_bytes(&self) -> Vec<u8> {
self.public_key.to_string().as_bytes().to_vec()
} }
} }
impl From<Vec<u8>> for Header { impl From<Vec<u8>> for Header {
fn from(d: Vec<u8>) -> Self { fn from(d: Vec<u8>) -> Self {
let ex_header: ExHeader = bincode::deserialize(&d).unwrap(); postcard::from_bytes(&d).unwrap()
let public_key_string = String::from_utf8(ex_header.public_key.clone()).unwrap();
Header {
public_key: PublicKey::from_str(&public_key_string).unwrap(),
pn: ex_header.pn,
n: ex_header.n,
}
} }
} }
impl From<&[u8]> for Header { impl From<&[u8]> for Header {
fn from(d: &[u8]) -> Self { fn from(d: &[u8]) -> Self {
let ex_header: ExHeader = bincode::deserialize(d).unwrap(); postcard::from_bytes(d).unwrap()
let public_key_string = String::from_utf8(ex_header.public_key.clone()).unwrap();
Header {
public_key: PublicKey::from_str(&public_key_string).unwrap(),
pn: ex_header.pn,
n: ex_header.n,
}
} }
} }
@ -111,31 +65,46 @@ impl From<Header> for Vec<u8> {
} }
} }
impl PartialEq for Header { pub struct EncryptedHeader(Vec<u8>, [u8; 12]);
fn eq(&self, other: &Self) -> bool {
if self.public_key == other.public_key impl EncryptedHeader {
&& self.pn == other.pn pub fn decrypt(&self, hk: &Option<[u8; 32]>) -> Option<Header> {
&& self.n == other.n { let key_d = match hk {
return true None => return None,
} Some(d) => d,
false };
let cipher = match Aes256GcmSiv::new_from_slice(key_d) {
Ok(v) => v,
Err(_) => return None,
};
let nonce = Nonce::from_slice(&self.1);
let mut buffer = Vec::new();
buffer.extend_from_slice(&self.0);
match cipher.decrypt_in_place(nonce, b"", &mut buffer) {
Ok(_) => {}
Err(_) => return None,
};
Some(Header::from(buffer))
} }
} }
#[cfg(test)] #[cfg(test)]
pub fn gen_header() -> Header { pub fn gen_header() -> Header {
let dh_pair = gen_key_pair(); let dh_pair = DhKeyPair::new();
let pn = 10; let pn = 10;
let n = 50; let n = 50;
Header::new(&dh_pair, pn, n) Header::new(&dh_pair, pn, n)
} }
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use crate::header::{gen_header, Header, ExHeader}; use x25519_dalek::PublicKey;
use crate::aead::{decrypt, encrypt};
use crate::header::{gen_header, Header};
use crate::kdf_chain::gen_mk; use crate::kdf_chain::gen_mk;
use crate::aead::{encrypt, decrypt};
#[test] #[test]
fn ser_des() { fn ser_des() {
@ -153,7 +122,7 @@ mod tests {
let header_data = header.concat(b""); let header_data = header.concat(b"");
let data = include_bytes!("aead.rs"); let data = include_bytes!("aead.rs");
let (encrypted, nonce) = encrypt(&mk, data, &header_data); let (encrypted, nonce) = encrypt(&mk, data, &header_data);
let decrypted = decrypt(&mk, &encrypted, &header_data, &nonce); let decrypted = decrypt(&mk, &encrypted, &header_data, &nonce).unwrap();
assert_eq!(decrypted, data.to_vec()) assert_eq!(decrypted, data.to_vec())
} }
@ -172,11 +141,11 @@ mod tests {
#[test] #[test]
fn gen_ex_header() { fn gen_ex_header() {
let ex_header = ExHeader { let ex_header = Header {
ad: alloc::vec![0], ad: alloc::vec![0],
public_key: alloc::vec![1], public_key: PublicKey::from([1; 32]),
pn: 0, pn: 0,
n: 0 n: 0,
}; };
let _string = alloc::format!("{:?}", ex_header); let _string = alloc::format!("{:?}", ex_header);
} }
@ -184,8 +153,8 @@ mod tests {
#[test] #[test]
fn dec_header() { fn dec_header() {
let header = gen_header(); let header = gen_header();
let (encrypted, nonce) = header.encrypt(&[0; 32], &[0]); let encrypted = header.encrypt(&[0; 32], &[0]);
let decrypted = Header::decrypt(&Some([1_u8; 32]), &encrypted, &nonce); let decrypted = encrypted.decrypt(&Some([1u8; 32]));
assert_eq!(None, decrypted) assert_eq!(None, decrypted)
} }
} }

View file

@ -1,8 +1,6 @@
use hmac::{Hmac, Mac};
use sha2::Sha512;
use core::convert::TryInto; use core::convert::TryInto;
use hmac::{Hmac, Mac};
use sha2::Sha512;
#[cfg(test)] #[cfg(test)]
use crate::kdf_root::gen_ck; use crate::kdf_root::gen_ck;
@ -10,14 +8,14 @@ use crate::kdf_root::gen_ck;
type HmacSha512 = Hmac<Sha512>; type HmacSha512 = Hmac<Sha512>;
pub fn kdf_ck(ck: &[u8; 32]) -> ([u8; 32], [u8; 32]) { pub fn kdf_ck(ck: &[u8; 32]) -> ([u8; 32], [u8; 32]) {
let mac = HmacSha512::new_from_slice(ck) let mac = HmacSha512::new_from_slice(ck).expect("Invalid Key Length");
.expect("Invalid Key Length");
let result = mac.finalize().into_bytes(); let result = mac.finalize().into_bytes();
let (a, b) = result.split_at(32); let (a, b) = result.split_at(32);
(a.try_into()
.expect("Incorrect Length"), (
b.try_into() a.try_into().expect("Incorrect Length"),
.expect("Incorrect Length")) b.try_into().expect("Incorrect Length"),
)
} }
#[cfg(test)] #[cfg(test)]
@ -29,8 +27,8 @@ pub fn gen_mk() -> [u8; 32] {
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use crate::kdf_root::gen_ck;
use crate::kdf_chain::kdf_ck; use crate::kdf_chain::kdf_ck;
use crate::kdf_root::gen_ck;
#[test] #[test]
fn kdf_chain_ratchet() { fn kdf_chain_ratchet() {
let ck = gen_ck(); let ck = gen_ck();

View file

@ -1,14 +1,10 @@
use hkdf::Hkdf;
use sha2::Sha512;
use core::convert::TryInto; use core::convert::TryInto;
use hkdf::Hkdf;
use sha2::Sha512;
#[cfg(test)] #[cfg(test)]
use crate::dh::gen_shared_secret; use crate::dh::gen_shared_secret;
use p256::ecdh::SharedSecret; use x25519_dalek::SharedSecret;
pub fn kdf_rk(rk: &[u8; 32], dh_out: &SharedSecret) -> ([u8; 32], [u8; 32]) { pub fn kdf_rk(rk: &[u8; 32], dh_out: &SharedSecret) -> ([u8; 32], [u8; 32]) {
let h = Hkdf::<Sha512>::new(Some(rk), dh_out.as_bytes()); let h = Hkdf::<Sha512>::new(Some(rk), dh_out.as_bytes());
@ -16,10 +12,10 @@ pub fn kdf_rk(rk: &[u8; 32], dh_out: &SharedSecret) -> ([u8; 32], [u8; 32]) {
let info = b"Root Key Info"; let info = b"Root Key Info";
h.expand(info, &mut okm).unwrap(); h.expand(info, &mut okm).unwrap();
let (a, b) = okm.split_at(32); let (a, b) = okm.split_at(32);
(a.try_into() (
.expect("Incorrect length"), a.try_into().expect("Incorrect length"),
b.try_into() b.try_into().expect("Incorrect length"),
.expect("Incorrect length")) )
} }
pub fn kdf_rk_he(rk: &[u8; 32], dh_out: &SharedSecret) -> ([u8; 32], [u8; 32], [u8; 32]) { pub fn kdf_rk_he(rk: &[u8; 32], dh_out: &SharedSecret) -> ([u8; 32], [u8; 32], [u8; 32]) {
@ -32,7 +28,7 @@ pub fn kdf_rk_he(rk: &[u8; 32], dh_out: &SharedSecret) -> ([u8; 32], [u8; 32], [
( (
rk.try_into().expect("Wrong length"), rk.try_into().expect("Wrong length"),
ck.try_into().expect("Wrong length"), ck.try_into().expect("Wrong length"),
nhk.try_into().expect("Wrong length") nhk.try_into().expect("Wrong length"),
) )
} }

View file

@ -1,64 +1,85 @@
//! Implementation of the double ratchet system/encryption as specified by [Signal][1]. //! A pure Rust implementation of the Double Ratchet algorithm as described by [Signal][1].
//! //!
//! **WARNING! This implementation uses P-256 NOT Curve25519 as specified by Signal!** //! This implementation follows the cryptographic recommendations provided by [Signal][2].
//! The AEAD algorithm uses a constant Nonce. This might be changed in the future.
//! //!
//! The implementation follows the cryptographic recommendations provided by [Signal][2]. //! Fork of [double-ratchet-2](https://github.com/Dione-Software/double-ratchet-2).
//! The AEAD Algorithm uses a constant Nonce. This might be changed in the future.
//! //!
//! # Example Usage: //! ## Examples
//!
//! ### Standard Usage
//!
//! Alice encrypts a message which is then decrypted by Bob.
//! //!
//! ## Standard:
//! ``` //! ```
//! use double_ratchet_2::ratchet::Ratchet; //! use double_ratchet_rs::Ratchet;
//! //!
//! let sk = [1; 32]; // Initial Key created by a symmetric key agreement protocol //! let sk = [1; 32]; // Shared key created by a symmetric key agreement protocol
//! let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bobs Ratchet (returns Bobs PublicKey) //!
//! let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice Ratchet with Bobs PublicKey //! let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bob's Ratchet (returns Bob's PublicKey)
//! let data = b"Hello World".to_vec(); // Data to be encrypted //! let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice's Ratchet with Bob's PublicKey
//! let ad = b"Associated Data"; // Associated Data //!
//! let data = b"Hello World".to_vec(); // Data to be encrypted
//! let ad = b"Associated Data"; // Associated data
//!
//! let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, ad); // Encrypting message with Alice's Ratchet (Alice always needs to send the first message)
//! let decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, ad); // Decrypt message with Bob's Ratchet
//! //!
//! let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, ad); // Encrypting message with Alice Ratchet (Alice always needs to send the first message)
//! let decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, ad); // Decrypt message with Bobs Ratchet
//! assert_eq!(data, decrypted) //! assert_eq!(data, decrypted)
//! ``` //! ```
//! //!
//! ## With lost message: //! ### Recovering a Lost Message
//!
//! Alice encrypts 2 messages for Bob.
//! The latest message must be decrypted first.
//!
//! ``` //! ```
//! # use double_ratchet_2::ratchet::Ratchet; //! use double_ratchet_rs::Ratchet;
//! //!
//! let sk = [1; 32]; // Initial Key created by a symmetric key agreement protocol //! let sk = [1; 32]; // Shared key created by a symmetric key agreement protocol
//! let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bobs Ratchet (returns Bobs PublicKey)
//! let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice Ratchet with Bobs PublicKey
//! let data = b"Hello World".to_vec(); // Data to be encrypted
//! let ad = b"Associated Data"; // Associated Data
//! //!
//! let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, ad); // Lost message //! let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); // Creating Bob's Ratchet (returns Bob's PublicKey)
//! let (header2, encrypted2, nonce2) = alice_ratchet.ratchet_encrypt(&data, ad); // Successful message //! let mut alice_ratchet = Ratchet::init_alice(sk, public_key); // Creating Alice's Ratchet with Bob's PublicKey
//! //!
//! let decrypted2 = bob_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, ad); // Decrypting second message first //! let data = b"Hello World".to_vec(); // Data to be encrypted
//! let decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, ad); // Decrypting latter message //! let ad = b"Associated Data"; // Associated data
//! //!
//! let comp = decrypted1 == data && decrypted2 == data; //! let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, ad); // Lost message
//! assert!(comp); //! let (header2, encrypted2, nonce2) = alice_ratchet.encrypt(&data, ad); // Successful message
//!
//! let decrypted2 = bob_ratchet.decrypt(&header2, &encrypted2, &nonce2, ad); // Decrypting second message first
//! let decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, ad); // Decrypting latter message
//!
//! assert_eq!(data, decrypted1);
//! assert_eq!(data, decrypted2);
//! ``` //! ```
//! //!
//! ## Encryption before recieving inital message //! ### Encryption Before Decrypting First Message
//!
//! Bob encrypts a message before decrypting one from Alice.
//! This will result in a panic.
//! //!
//! ```should_panic //! ```should_panic
//! use double_ratchet_2::ratchet::Ratchet; //! use double_ratchet_rs::Ratchet;
//!
//! let sk = [1; 32]; //! let sk = [1; 32];
//! let ad = b"Associated Data"; //!
//! let (mut bob_ratchet, _) = Ratchet::init_bob(sk); //! let (mut bob_ratchet, _) = Ratchet::init_bob(sk);
//!
//! let data = b"Hello World".to_vec(); //! let data = b"Hello World".to_vec();
//! let ad = b"Associated Data";
//! //!
//! let (_, _, _) = bob_ratchet.ratchet_encrypt(&data, ad); //! let (_, _, _) = bob_ratchet.encrypt(&data, ad);
//! ``` //! ```
//! //!
//! ## Encryption after recieving initial message //! ### Encryption After Decrypting First Message
//! However bob can (of course) also encrypt messages. This is possible, after decrypting the first message from alice. //!
//! Bob *can* also encrypt messages.
//! This is only possible after decrypting one from Alice first though.
//! //!
//! ``` //! ```
//! use double_ratchet_2::ratchet::Ratchet; //! use double_ratchet_rs::Ratchet;
//!
//! let sk = [1; 32]; //! let sk = [1; 32];
//! //!
//! let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); //! let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
@ -67,90 +88,109 @@
//! let data = b"Hello World".to_vec(); //! let data = b"Hello World".to_vec();
//! let ad = b"Associated Data"; //! let ad = b"Associated Data";
//! //!
//! let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, ad); //! let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, ad);
//! let _decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, ad); //! let _decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, ad);
//! //!
//! let (header2, encrypted2, nonce2) = bob_ratchet.ratchet_encrypt(&data, ad); //! let (header2, encrypted2, nonce2) = bob_ratchet.encrypt(&data, ad);
//! let decrypted2 = alice_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, ad); //! let decrypted2 = alice_ratchet.decrypt(&header2, &encrypted2, &nonce2, ad);
//! //!
//! assert_eq!(data, decrypted2); //! assert_eq!(data, decrypted2);
//! ``` //! ```
//! ## Constructing and Deconstructing Headers //!
//! ### Constructing and Deconstructing Headers
//! //!
//! ``` //! ```
//! # use double_ratchet_2::ratchet::Ratchet; //! use double_ratchet_rs::{Header, Ratchet};
//! # use double_ratchet_2::header::Header; //!
//! # let sk = [1; 32]; //! let sk = [1; 32];
//! # let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); //!
//! # let mut alice_ratchet = Ratchet::init_alice(sk, public_key); //! let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
//! # let data = b"hello World".to_vec(); //! let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
//! # let ad = b"Associated Data"; //!
//! # let (header, _, _) = alice_ratchet.ratchet_encrypt(&data, ad); //! let data = b"hello World".to_vec();
//! let ad = b"Associated Data";
//!
//! let (header, _, _) = alice_ratchet.encrypt(&data, ad);
//! let header_bytes: Vec<u8> = header.clone().into(); //! let header_bytes: Vec<u8> = header.clone().into();
//! let header_const = Header::from(header_bytes); //! let header_const = Header::from(header_bytes);
//!
//! assert_eq!(header, header_const); //! assert_eq!(header, header_const);
//! ``` //! ```
//! //!
//! # Example Ratchet with encrypted headers //! ### Encrypted Headers
//! //!
//! ``` //! ```
//! use double_ratchet_2::ratchet::RatchetEncHeader; //! use double_ratchet_rs::RatchetEncHeader;
//!
//! let sk = [0; 32]; //! let sk = [0; 32];
//! let shared_hka = [1; 32]; //! let shared_hka = [1; 32];
//! let shared_nhkb = [2; 32]; //! let shared_nhkb = [2; 32];
//! //!
//! let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb); //! let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
//! let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb); //! let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
//!
//! let data = b"Hello World".to_vec(); //! let data = b"Hello World".to_vec();
//! let ad = b"Associated Data"; //! let ad = b"Associated Data";
//! //!
//! let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, ad); //! let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, ad);
//! let decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, ad); //! let decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, ad);
//!
//! assert_eq!(data, decrypted) //! assert_eq!(data, decrypted)
//! ``` //! ```
//! //!
//! # Export / Import Ratchet with encrypted headers //! ### Exporting / Importing Ratchet w/ Encrypted Headers
//! This ratchet implements import and export functionality. This works over a bincode backend and //!
//! maybe useful for saving Ratchets to and loading from a file. //! This can be used for storing and using ratchets in a file.
//!
//! ``` //! ```
//! # use double_ratchet_2::ratchet::RatchetEncHeader; //! use double_ratchet_rs::RatchetEncHeader;
//! # let sk = [0; 32]; //!
//! # let shared_hka = [1; 32]; //! let sk = [0; 32];
//! # let shared_nhkb = [2; 32]; //! let shared_hka = [1; 32];
//! let shared_nhkb = [2; 32];
//!
//! let (bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb); //! let (bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
//! let ex_ratchet = bob_ratchet.export(); //! let ex_ratchet = bob_ratchet.export();
//! let im_ratchet = RatchetEncHeader::import(&ex_ratchet).unwrap(); //! let im_ratchet = RatchetEncHeader::import(&ex_ratchet).unwrap();
//!
//! assert_eq!(im_ratchet, bob_ratchet) //! assert_eq!(im_ratchet, bob_ratchet)
//! ``` //! ```
//! //!
//! # Features //! ## Features
//! //!
//! Currently the crate only supports one feature: ring. If feature is enabled the crate switches //! - `hashbrown`: Use `hashbrown` for `HashMap`. Enabled by default for `no_std` support.
//! to ring-compat and uses ring as backend for Sha512 Hashing. May result in slightly better performance. //! - `std`: Use `std` instead of `alloc`. Can be used with `hashbrown`, but it isn't required.
//! //!
//! ## **M**inimum **S**upported **R**ust **V**ersion (MSRV)
//! //!
//! TODO: //! The current MSRV is 1.60.0 without `hashbrown` and 1.64.0 with `hashbrown`.
//! - [x] Standard Double Ratchet //!
//! - [x] [Double Ratchet with encrypted headers][3] //! ## License
//!
//! This project is licensed under the [MIT license](https://github.com/notsatvrn/double-ratchet-rs/blob/main/LICENSE).
//! //!
//! [1]: https://signal.org/docs/specifications/doubleratchet/ //! [1]: https://signal.org/docs/specifications/doubleratchet/
//! [2]: https://signal.org/docs/specifications/doubleratchet/#recommended-cryptographic-algorithms //! [2]: https://signal.org/docs/specifications/doubleratchet/#recommended-cryptographic-algorithms
//! [3]: https://signal.org/docs/specifications/doubleratchet/#double-ratchet-with-header-encryption //! [3]: https://signal.org/docs/specifications/doubleratchet/#double-ratchet-with-header-encryption
#![no_std] #![cfg_attr(not(feature = "std"), no_std)]
#![allow(stable_features)] #![allow(stable_features)]
#[cfg(not(feature = "std"))]
extern crate alloc; extern crate alloc;
pub use p256::PublicKey; #[cfg(feature = "std")]
extern crate std as alloc;
pub use x25519_dalek::PublicKey;
mod aead; mod aead;
mod dh; mod dh;
mod kdf_root; mod header;
mod kdf_chain; mod kdf_chain;
mod kdf_root;
mod ratchet;
pub mod ratchet; pub use dh::*;
pub use header::*;
/// Message Header pub use ratchet::*;
pub mod header;

View file

@ -1,24 +1,25 @@
//! Encryption with encrypted Headers //! Ratchet providing encryption and decryption.
//!
use crate::aead::{decrypt, encrypt, InvalidAd};
use crate::dh::DhKeyPair; use crate::dh::DhKeyPair;
use p256::{PublicKey, SecretKey}; use crate::header::{EncryptedHeader, Header};
use hashbrown::HashMap;
use crate::kdf_root::{kdf_rk, kdf_rk_he};
use crate::header::Header;
use alloc::vec::Vec;
use crate::kdf_chain::kdf_ck; use crate::kdf_chain::kdf_ck;
use crate::aead::{encrypt, decrypt}; use crate::kdf_root::{kdf_rk, kdf_rk_he};
use alloc::string::{ToString, String};
use zeroize::Zeroize;
use rand_core::OsRng;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use x25519_dalek::PublicKey;
use zeroize::Zeroize;
#[cfg(not(feature = "std"))]
use alloc::vec::Vec;
#[cfg(any(not(feature = "std"), feature = "hashbrown"))]
use hashbrown::HashMap;
#[cfg(all(feature = "std", not(feature = "hashbrown")))]
use std::collections::HashMap;
const MAX_SKIP: usize = 100; const MAX_SKIP: usize = 100;
type HeaderNonceCipherNonce = ((Vec<u8>, [u8; 12]), Vec<u8>, [u8; 12]); /// A standard ratchet.
#[derive(Deserialize, Serialize, PartialEq, Debug)]
/// Object Representing Ratchet
pub struct Ratchet { pub struct Ratchet {
dhs: DhKeyPair, dhs: DhKeyPair,
dhr: Option<PublicKey>, dhr: Option<PublicKey>,
@ -28,18 +29,14 @@ pub struct Ratchet {
ns: usize, ns: usize,
nr: usize, nr: usize,
pn: usize, pn: usize,
mkskipped: HashMap<(Vec<u8>, usize), [u8; 32]>, mkskipped: HashMap<([u8; 32], usize), [u8; 32]>,
} }
impl Drop for Ratchet { impl Zeroize for Ratchet {
fn drop(&mut self) { fn zeroize(&mut self) {
if let Some(mut _d) = self.dhr {
let sk = SecretKey::random(&mut OsRng);
_d = sk.public_key()
}
self.rk.zeroize(); self.rk.zeroize();
self.ckr.zeroize();
self.cks.zeroize(); self.cks.zeroize();
self.ckr.zeroize();
self.ns.zeroize(); self.ns.zeroize();
self.nr.zeroize(); self.nr.zeroize();
self.pn.zeroize(); self.pn.zeroize();
@ -47,12 +44,19 @@ impl Drop for Ratchet {
} }
} }
impl Drop for Ratchet {
fn drop(&mut self) {
self.zeroize();
}
}
impl Ratchet { impl Ratchet {
/// Init Ratchet with other [PublicKey]. Initialized second. /// Initialize a [Ratchet] with a remote [PublicKey]. Initialized second.
/// Requires a shared key and a [PublicKey].
/// Returns a [Ratchet].
pub fn init_alice(sk: [u8; 32], bob_dh_public_key: PublicKey) -> Self { pub fn init_alice(sk: [u8; 32], bob_dh_public_key: PublicKey) -> Self {
let dhs = DhKeyPair::new(); let dhs = DhKeyPair::new();
let (rk, cks) = kdf_rk(&sk, let (rk, cks) = kdf_rk(&sk, &dhs.key_agreement(&bob_dh_public_key));
&dhs.key_agreement(&bob_dh_public_key));
Ratchet { Ratchet {
dhs, dhs,
dhr: Some(bob_dh_public_key), dhr: Some(bob_dh_public_key),
@ -66,7 +70,9 @@ impl Ratchet {
} }
} }
/// Init Ratchet without other [PublicKey]. Initialized first. Returns [Ratchet] and [PublicKey]. /// Initialize a [Ratchet] without a remote [PublicKey]. Initialized first.
/// Requires a shared key.
/// Returns a [Ratchet] and a [PublicKey].
pub fn init_bob(sk: [u8; 32]) -> (Self, PublicKey) { pub fn init_bob(sk: [u8; 32]) -> (Self, PublicKey) {
let dhs = DhKeyPair::new(); let dhs = DhKeyPair::new();
let public_key = dhs.public_key; let public_key = dhs.public_key;
@ -84,22 +90,42 @@ impl Ratchet {
(ratchet, public_key) (ratchet, public_key)
} }
/// Encrypt Plaintext with [Ratchet]. Returns Message [Header] and ciphertext. /// Encrypt bytes with a [Ratchet].
pub fn ratchet_encrypt(&mut self, plaintext: &[u8], ad: &[u8]) -> (Header, Vec<u8>, [u8; 12]) { /// Requires bytes and associated bytes.
/// Returns a [Header], encrypted bytes, and a nonce.
pub fn encrypt(&mut self, data: &[u8], associated_data: &[u8]) -> (Header, Vec<u8>, [u8; 12]) {
let (cks, mk) = kdf_ck(&self.cks.unwrap()); let (cks, mk) = kdf_ck(&self.cks.unwrap());
self.cks = Some(cks); self.cks = Some(cks);
let header = Header::new(&self.dhs, self.pn, self.ns); let header = Header::new(&self.dhs, self.pn, self.ns);
self.ns += 1; self.ns += 1;
let (encrypted_data, nonce) = encrypt(&mk, plaintext, &header.concat(ad)); let (encrypted_data, nonce) = encrypt(&mk, data, &header.concat(associated_data));
(header, encrypted_data, nonce) (header, encrypted_data, nonce)
} }
fn try_skipped_message_keys(&mut self, header: &Header, ciphertext: &[u8], nonce: &[u8; 12], ad: &[u8]) -> Option<Vec<u8>> { fn try_skipped_message_keys(
if self.mkskipped.contains_key(&(header.ex_public_key_bytes(), header.n)) { &mut self,
let mk = *self.mkskipped.get(&(header.ex_public_key_bytes(), header.n)) header: &Header,
enc_data: &[u8],
nonce: &[u8; 12],
associated_data: &[u8],
) -> Option<Result<Vec<u8>, InvalidAd>> {
if self
.mkskipped
.contains_key(&(header.public_key.to_bytes(), header.n))
{
let mk = *self
.mkskipped
.get(&(header.public_key.to_bytes(), header.n))
.unwrap(); .unwrap();
self.mkskipped.remove(&(header.ex_public_key_bytes(), header.n)).unwrap(); self.mkskipped
Some(decrypt(&mk, ciphertext, &header.concat(ad), nonce)) .remove(&(header.public_key.to_bytes(), header.n))
.unwrap();
Some(decrypt(
&mk,
enc_data,
&header.concat(associated_data),
nonce,
))
} else { } else {
None None
} }
@ -115,23 +141,32 @@ impl Ratchet {
let (ckr, mk) = kdf_ck(&d); let (ckr, mk) = kdf_ck(&d);
self.ckr = Some(ckr); self.ckr = Some(ckr);
d = ckr; d = ckr;
self.mkskipped.insert((self.dhr.unwrap().to_string().as_bytes().to_vec(), self.nr), mk); self.mkskipped
.insert((self.dhr.unwrap().to_bytes(), self.nr), mk);
self.nr += 1 self.nr += 1
} }
Ok(()) Ok(())
}, }
None => { Err("No Ckr set") } None => Err("No Ckr set"),
} }
} }
/// Decrypt ciphertext with ratchet. Requires Header. Returns plaintext. /// Decrypt encrypted bytes with a [Ratchet].
pub fn ratchet_decrypt(&mut self, header: &Header, ciphertext: &[u8], nonce: &[u8; 12], ad: &[u8]) -> Vec<u8> { /// Requires a [Header], encrypted bytes, a nonce, and associated bytes.
let plaintext = self.try_skipped_message_keys(header, ciphertext, nonce, ad); /// Returns decrypted bytes.
match plaintext { pub fn decrypt(
&mut self,
header: &Header,
enc_data: &[u8],
nonce: &[u8; 12],
associated_data: &[u8],
) -> Result<Vec<u8>, InvalidAd> {
let data = self.try_skipped_message_keys(header, enc_data, nonce, associated_data);
match data {
Some(d) => d, Some(d) => d,
None => { None => {
if Some(header.public_key) != self.dhr { if Some(header.public_key) != self.dhr {
if self.ckr != None { if self.ckr.is_some() {
self.skip_message_keys(header.pn).unwrap(); self.skip_message_keys(header.pn).unwrap();
} }
self.dhratchet(header); self.dhratchet(header);
@ -140,7 +175,7 @@ impl Ratchet {
let (ckr, mk) = kdf_ck(&self.ckr.unwrap()); let (ckr, mk) = kdf_ck(&self.ckr.unwrap());
self.ckr = Some(ckr); self.ckr = Some(ckr);
self.nr += 1; self.nr += 1;
decrypt(&mk, ciphertext, &header.concat(ad), nonce) decrypt(&mk, enc_data, &header.concat(associated_data), nonce)
} }
} }
} }
@ -150,19 +185,31 @@ impl Ratchet {
self.ns = 0; self.ns = 0;
self.nr = 0; self.nr = 0;
self.dhr = Some(header.public_key); self.dhr = Some(header.public_key);
let (rk, ckr) = kdf_rk(&self.rk, let (rk, ckr) = kdf_rk(&self.rk, &self.dhs.key_agreement(&self.dhr.unwrap()));
&self.dhs.key_agreement(&self.dhr.unwrap()));
self.rk = rk; self.rk = rk;
self.ckr = Some(ckr); self.ckr = Some(ckr);
self.dhs = DhKeyPair::new(); self.dhs = DhKeyPair::new();
let (rk, cks) = kdf_rk(&self.rk, let (rk, cks) = kdf_rk(&self.rk, &self.dhs.key_agreement(&self.dhr.unwrap()));
&self.dhs.key_agreement(&self.dhr.unwrap()));
self.rk = rk; self.rk = rk;
self.cks = Some(cks); self.cks = Some(cks);
} }
/// Export a [Ratchet].
/// Returns bytes.
pub fn export(&self) -> Vec<u8> {
postcard::to_allocvec(&self).unwrap()
}
/// Import a previously exported [Ratchet].
/// Requires bytes.
/// Returns a [Ratchet], or nothing if invalid data is provided.
pub fn import(data: &[u8]) -> Option<Self> {
postcard::from_bytes(data).ok()
}
} }
#[derive(PartialEq, Debug)] /// A [Ratchet], but with header encryption.
#[derive(Deserialize, Serialize, PartialEq, Debug)]
pub struct RatchetEncHeader { pub struct RatchetEncHeader {
dhs: DhKeyPair, dhs: DhKeyPair,
dhr: Option<PublicKey>, dhr: Option<PublicKey>,
@ -176,7 +223,7 @@ pub struct RatchetEncHeader {
hkr: Option<[u8; 32]>, hkr: Option<[u8; 32]>,
nhks: Option<[u8; 32]>, nhks: Option<[u8; 32]>,
nhkr: Option<[u8; 32]>, nhkr: Option<[u8; 32]>,
mkskipped: HashMap<(Option<[u8; 32]>, usize), [u8; 32]> mkskipped: HashMap<(Option<[u8; 32]>, usize), [u8; 32]>,
} }
impl Zeroize for RatchetEncHeader { impl Zeroize for RatchetEncHeader {
@ -192,7 +239,6 @@ impl Zeroize for RatchetEncHeader {
self.nhks.zeroize(); self.nhks.zeroize();
self.nhkr.zeroize(); self.nhkr.zeroize();
self.mkskipped.clear(); self.mkskipped.clear();
} }
} }
@ -202,90 +248,16 @@ impl Drop for RatchetEncHeader {
} }
} }
#[derive(Serialize, Deserialize)]
struct ExRatchetEncHeader {
dhs: (String, String),
dhr: Option<String>,
rk: [u8; 32],
cks: Option<[u8; 32]>,
ckr: Option<[u8; 32]>,
ns: usize,
nr: usize,
pn: usize,
hks: Option<[u8; 32]>,
hkr: Option<[u8; 32]>,
nhks: Option<[u8; 32]>,
nhkr: Option<[u8; 32]>,
mkskipped: HashMap<(Option<[u8; 32]>, usize), [u8; 32]>
}
impl From<&RatchetEncHeader> for ExRatchetEncHeader {
fn from(reh: &RatchetEncHeader) -> Self {
let private_dhs = reh.dhs.private_key.to_jwk_string();
let public_dhs = reh.dhs.public_key.to_jwk_string();
let dhs = (private_dhs.to_string(), public_dhs);
let dhr = reh.dhr.map(|e| e.to_jwk_string());
let rk = reh.rk;
let cks = reh.cks;
let ckr = reh.ckr;
let ns = reh.ns;
let nr = reh.nr;
let pn = reh.pn;
let hks = reh.hks;
let hkr = reh.hkr;
let nhks = reh.nhks;
let nhkr = reh.nhkr;
let mkskipped = reh.mkskipped.clone();
Self {
dhs,
dhr,
rk,
cks,
ckr,
ns,
nr,
pn,
hks,
hkr,
nhks,
nhkr,
mkskipped
}
}
}
impl From<&ExRatchetEncHeader> for RatchetEncHeader {
fn from(ex_reh: &ExRatchetEncHeader) -> Self {
let private_dhs = SecretKey::from_jwk_str(&ex_reh.dhs.0).unwrap();
let public_dhs = PublicKey::from_jwk_str(&ex_reh.dhs.1).unwrap();
let dhs = DhKeyPair {
private_key: private_dhs,
public_key: public_dhs
};
let dhr = ex_reh.dhr.as_ref().map(|e| PublicKey::from_jwk_str(e).unwrap());
Self {
dhs,
dhr,
rk: ex_reh.rk,
cks: ex_reh.cks,
ckr: ex_reh.ckr,
ns: ex_reh.ns,
nr: ex_reh.nr,
pn: ex_reh.pn,
hks: ex_reh.hks,
hkr: ex_reh.hkr,
nhks: ex_reh.nhks,
nhkr: ex_reh.nhkr,
mkskipped: ex_reh.mkskipped.clone()
}
}
}
impl RatchetEncHeader { impl RatchetEncHeader {
pub fn init_alice(sk: [u8; 32], /// Initialize a [RatchetEncHeader] with a remote [PublicKey]. Initialized second.
bob_dh_public_key: PublicKey, /// Requires a shared key, a [PublicKey], a shared HKA, and a shared NHKB.
shared_hka: [u8; 32], /// Returns a [RatchetEncHeader].
shared_nhkb: [u8; 32]) -> Self { pub fn init_alice(
sk: [u8; 32],
bob_dh_public_key: PublicKey,
shared_hka: [u8; 32],
shared_nhkb: [u8; 32],
) -> Self {
let dhs = DhKeyPair::new(); let dhs = DhKeyPair::new();
let (rk, cks, nhks) = kdf_rk_he(&sk, &dhs.key_agreement(&bob_dh_public_key)); let (rk, cks, nhks) = kdf_rk_he(&sk, &dhs.key_agreement(&bob_dh_public_key));
RatchetEncHeader { RatchetEncHeader {
@ -305,7 +277,14 @@ impl RatchetEncHeader {
} }
} }
pub fn init_bob(sk: [u8; 32], shared_hka: [u8; 32], shared_nhkb: [u8; 32]) -> (Self, PublicKey) { /// Initialize a [RatchetEncHeader] without a remote [PublicKey]. Initialized first.
/// Requires a shared key, a shared HKA, and a shared NHKB.
/// Returns a [RatchetEncHeader] and a [PublicKey].
pub fn init_bob(
sk: [u8; 32],
shared_hka: [u8; 32],
shared_nhkb: [u8; 32],
) -> (Self, PublicKey) {
let dhs = DhKeyPair::new(); let dhs = DhKeyPair::new();
let public_key = dhs.public_key; let public_key = dhs.public_key;
let ratchet = Self { let ratchet = Self {
@ -326,50 +305,74 @@ impl RatchetEncHeader {
(ratchet, public_key) (ratchet, public_key)
} }
pub fn ratchet_encrypt(&mut self, plaintext: &[u8], ad: &[u8]) -> HeaderNonceCipherNonce { /// Encrypt bytes with a [RatchetEncHeader].
/// Requires bytes and associated bytes.
/// Returns an [EncryptedHeader], encrypted bytes, and a nonce.
pub fn encrypt(
&mut self,
data: &[u8],
associated_data: &[u8],
) -> (EncryptedHeader, Vec<u8>, [u8; 12]) {
let (cks, mk) = kdf_ck(&self.cks.unwrap()); let (cks, mk) = kdf_ck(&self.cks.unwrap());
self.cks = Some(cks); self.cks = Some(cks);
let header = Header::new(&self.dhs, self.pn, self.ns); let header = Header::new(&self.dhs, self.pn, self.ns);
let enc_header = header.encrypt(&self.hks.unwrap(), ad); let enc_header = header.encrypt(&self.hks.unwrap(), associated_data);
self.ns += 1; self.ns += 1;
let encrypted = encrypt(&mk, plaintext, &header.concat(ad)); let encrypted = encrypt(&mk, data, &header.concat(associated_data));
(enc_header, encrypted.0, encrypted.1) (enc_header, encrypted.0, encrypted.1)
} }
fn try_skipped_message_keys(&mut self, enc_header: &(Vec<u8>, [u8; 12]), fn try_skipped_message_keys(
ciphertext: &[u8], nonce: &[u8; 12], ad: &[u8]) -> (Option<Vec<u8>>, Option<Header>) { &mut self,
enc_header: &EncryptedHeader,
enc_data: &[u8],
nonce: &[u8; 12],
associated_data: &[u8],
) -> (Option<Result<Vec<u8>, InvalidAd>>, Option<Header>) {
let ret_data = self.mkskipped.clone().into_iter().find(|e| { let ret_data = self.mkskipped.clone().into_iter().find(|e| {
let header = Header::decrypt(&e.0.0, &enc_header.0, &enc_header.1); let header = enc_header.decrypt(&e.0 .0);
match header { match header {
None => false, None => false,
Some(h) => h.n == e.0.1 Some(h) => h.n == e.0 .1,
} }
}); });
match ret_data { match ret_data {
None => { (None, None) }, None => (None, None),
Some(data) => { Some(data) => {
let header = Header::decrypt(&data.0.0, &enc_header.0, &enc_header.1); let header = enc_header.decrypt(&data.0 .0);
let mk = data.1; let mk = data.1;
self.mkskipped.remove(&(data.0.0, data.0.1)); self.mkskipped.remove(&(data.0 .0, data.0 .1));
(Some(decrypt(&mk, ciphertext, &header.clone().unwrap().concat(ad), nonce)), header) (
Some(decrypt(
&mk,
enc_data,
&header.clone().unwrap().concat(associated_data),
nonce,
)),
header,
)
} }
} }
} }
fn decrypt_header(&mut self, enc_header: &(Vec<u8>, [u8; 12])) -> Result<(Header, bool), &str> { /// Decrypt an [EncryptedHeader] with a [RatchetEncHeader].
let header = Header::decrypt(&self.hkr, &enc_header.0, &enc_header.1); /// Requires an [EncryptedHeader].
if let Some(h) = header { return Ok((h, false)) }; /// Returns a decrypted [Header] and boolean, if decryption was successful.
let header = Header::decrypt(&self.nhkr, &enc_header.0, &enc_header.1); fn decrypt_header(&mut self, enc_header: &EncryptedHeader) -> Result<(Header, bool), &str> {
let header = enc_header.decrypt(&self.hkr);
if let Some(h) = header {
return Ok((h, false));
};
let header = enc_header.decrypt(&self.nhkr);
match header { match header {
Some(h) => Ok((h, true)), Some(h) => Ok((h, true)),
None => Err("Header is unencryptable!") None => Err("Header is unencryptable!"),
} }
} }
fn skip_message_keys(&mut self, until: usize) -> Result<(), &str> { fn skip_message_keys(&mut self, until: usize) -> Result<(), &str> {
if self.nr + MAX_SKIP < until { if self.nr + MAX_SKIP < until {
return Err("Skipping went wrong") return Err("Skipping went wrong");
} }
if let Some(d) = &mut self.ckr { if let Some(d) = &mut self.ckr {
while self.nr < until { while self.nr < until {
@ -389,22 +392,31 @@ impl RatchetEncHeader {
self.hks = self.nhks; self.hks = self.nhks;
self.hkr = self.nhkr; self.hkr = self.nhkr;
self.dhr = Some(header.public_key); self.dhr = Some(header.public_key);
let (rk, ckr, nhkr) = kdf_rk_he(&self.rk, let (rk, ckr, nhkr) = kdf_rk_he(&self.rk, &self.dhs.key_agreement(&self.dhr.unwrap()));
&self.dhs.key_agreement(&self.dhr.unwrap()));
self.rk = rk; self.rk = rk;
self.ckr = Some(ckr); self.ckr = Some(ckr);
self.nhkr = Some(nhkr); self.nhkr = Some(nhkr);
self.dhs = DhKeyPair::new(); self.dhs = DhKeyPair::new();
let (rk, cks, nhks) = kdf_rk_he(&self.rk, let (rk, cks, nhks) = kdf_rk_he(&self.rk, &self.dhs.key_agreement(&self.dhr.unwrap()));
&self.dhs.key_agreement(&self.dhr.unwrap()));
self.rk = rk; self.rk = rk;
self.cks = Some(cks); self.cks = Some(cks);
self.nhks = Some(nhks); self.nhks = Some(nhks);
} }
pub fn ratchet_decrypt(&mut self, enc_header: &(Vec<u8>, [u8; 12]), ciphertext: &[u8], nonce: &[u8; 12], ad: &[u8]) -> Vec<u8> { /// Decrypt encrypted bytes with a [RatchetEncHeader].
let (plaintext, _) = self.try_skipped_message_keys(enc_header, ciphertext, nonce, ad); /// Requires an [EncryptedHeader], encrypted bytes, a nonce, and associated bytes.
if let Some(d) = plaintext { return d }; /// Returns decrypted bytes.
pub fn decrypt(
&mut self,
enc_header: &EncryptedHeader,
enc_data: &[u8],
nonce: &[u8; 12],
associated_data: &[u8],
) -> Result<Vec<u8>, InvalidAd> {
let (data, _) = self.try_skipped_message_keys(enc_header, enc_data, nonce, associated_data);
if let Some(d) = data {
return d;
};
let (header, dh_ratchet) = self.decrypt_header(enc_header).unwrap(); let (header, dh_ratchet) = self.decrypt_header(enc_header).unwrap();
if dh_ratchet { if dh_ratchet {
self.skip_message_keys(header.pn).unwrap(); self.skip_message_keys(header.pn).unwrap();
@ -414,12 +426,24 @@ impl RatchetEncHeader {
let (ckr, mk) = kdf_ck(&self.ckr.unwrap()); let (ckr, mk) = kdf_ck(&self.ckr.unwrap());
self.ckr = Some(ckr); self.ckr = Some(ckr);
self.nr += 1; self.nr += 1;
decrypt(&mk, ciphertext, &header.concat(ad), nonce) decrypt(&mk, enc_data, &header.concat(associated_data), nonce)
} }
pub fn ratchet_decrypt_w_header(&mut self, enc_header: &(Vec<u8>, [u8; 12]), ciphertext: &[u8], nonce: &[u8; 12], ad: &[u8]) -> (Vec<u8>, Header) { /// Decrypt encrypted bytes and an [EncryptedHeader] with a [RatchetEncHeader].
let (plaintext, header) = self.try_skipped_message_keys(enc_header, ciphertext, nonce, ad); /// Requires an [EncryptedHeader], encrypted bytes, a nonce, and associated bytes.
if let Some(d) = plaintext { return (d, header.unwrap()) }; /// Returns decrypted bytes and a [Header].
pub fn decrypt_with_header(
&mut self,
enc_header: &EncryptedHeader,
enc_data: &[u8],
nonce: &[u8; 12],
associated_data: &[u8],
) -> (Result<Vec<u8>, InvalidAd>, Header) {
let (data, header) =
self.try_skipped_message_keys(enc_header, enc_data, nonce, associated_data);
if let Some(d) = data {
return (d, header.unwrap());
};
let (header, dh_ratchet) = self.decrypt_header(enc_header).unwrap(); let (header, dh_ratchet) = self.decrypt_header(enc_header).unwrap();
if dh_ratchet { if dh_ratchet {
self.skip_message_keys(header.pn).unwrap(); self.skip_message_keys(header.pn).unwrap();
@ -429,18 +453,22 @@ impl RatchetEncHeader {
let (ckr, mk) = kdf_ck(&self.ckr.unwrap()); let (ckr, mk) = kdf_ck(&self.ckr.unwrap());
self.ckr = Some(ckr); self.ckr = Some(ckr);
self.nr += 1; self.nr += 1;
(decrypt(&mk, ciphertext, &header.concat(ad), nonce), header) (
decrypt(&mk, enc_data, &header.concat(associated_data), nonce),
header,
)
} }
/// Export the ratchet to Binary data /// Export a [RatchetEncHeader].
/// Returns bytes.
pub fn export(&self) -> Vec<u8> { pub fn export(&self) -> Vec<u8> {
let ex: ExRatchetEncHeader = self.into(); postcard::to_allocvec(&self).unwrap()
bincode::serialize(&ex).unwrap()
} }
/// Import the ratchet from Binary data. Panics when binary data is invalid. /// Import a previously exported [RatchetEncHeader].
pub fn import(inp: &[u8]) -> Option<Self> { /// Requires bytes.
let ex: ExRatchetEncHeader = bincode::deserialize(inp).ok()?; /// Returns a [RatchetEncHeader], or nothing if invalid data is provided.
Some(RatchetEncHeader::from(&ex)) pub fn import(data: &[u8]) -> Option<Self> {
postcard::from_bytes(data).ok()
} }
} }

View file

@ -1,167 +1,150 @@
use double_ratchet_2::ratchet::{Ratchet, RatchetEncHeader}; use double_ratchet_rs::{Ratchet, RatchetEncHeader};
#[cfg(not(feature = "std"))]
extern crate alloc; extern crate alloc;
#[cfg(feature = "std")]
extern crate std as alloc;
#[test] #[test]
fn ratchet_init() { fn init() {
let sk = [1; 32]; let sk = [1; 32];
let (_bob_ratchet, public_key) = Ratchet::init_bob(sk); let (_bob_ratchet, public_key) = Ratchet::init_bob(sk);
let _alice_ratchet = Ratchet::init_alice(sk, public_key); let _alice_ratchet = Ratchet::init_alice(sk, public_key);
} }
#[test] #[test]
fn ratchet_enc_single() { fn enc_single() {
let sk = [1; 32]; let sk = [1; 32];
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, b""); let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, b"");
let decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, b""); let decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, b"").unwrap();
assert_eq!(data, decrypted) assert_eq!(data, decrypted)
} }
#[test] #[test]
fn ratchet_enc_skip() { fn enc_skip() {
let sk = [1; 32]; let sk = [1; 32];
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let (header2, encrypted2, nonce2) = alice_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = alice_ratchet.encrypt(&data, b"");
let (header3, encrypted3, nonce3) = alice_ratchet.ratchet_encrypt(&data, b""); let (header3, encrypted3, nonce3) = alice_ratchet.encrypt(&data, b"");
let decrypted3 = bob_ratchet.ratchet_decrypt(&header3, &encrypted3, &nonce3, b""); let decrypted3 = bob_ratchet.decrypt(&header3, &encrypted3, &nonce3, b"").unwrap();
let decrypted2 = bob_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let decrypted2 = bob_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"").unwrap();
let decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"").unwrap();
let comp_res = decrypted1 == data && decrypted2 == data && decrypted3 == data; let comp_res = decrypted1 == data && decrypted2 == data && decrypted3 == data;
assert!(comp_res) assert!(comp_res)
} }
#[test] #[test]
#[should_panic] #[should_panic]
fn ratchet_panic_bob() { fn panic_bob() {
let sk = [1; 32]; let sk = [1; 32];
let (mut bob_ratchet, _) = Ratchet::init_bob(sk); let (mut bob_ratchet, _) = Ratchet::init_bob(sk);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (_, _, _) = bob_ratchet.ratchet_encrypt(&data, b""); let (_, _, _) = bob_ratchet.encrypt(&data, b"");
} }
#[test] #[test]
fn ratchet_encryt_decrypt_four() { fn encryt_decrypt_four() {
let sk = [1; 32]; let sk = [1; 32];
let data = include_bytes!("../src/dh.rs").to_vec(); let data = include_bytes!("../src/dh.rs").to_vec();
let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk); let (mut bob_ratchet, public_key) = Ratchet::init_bob(sk);
let mut alice_ratchet = Ratchet::init_alice(sk, public_key); let mut alice_ratchet = Ratchet::init_alice(sk, public_key);
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"").unwrap();
let (header2, encrypted2, nonce2) = bob_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = bob_ratchet.encrypt(&data, b"");
let decrypted2 = alice_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let decrypted2 = alice_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"").unwrap();
let comp_res = decrypted1 == data && decrypted2 == data; let comp_res = decrypted1 == data && decrypted2 == data;
assert!(comp_res) assert!(comp_res)
} }
#[test] #[test]
fn ratchet_ench_init() { fn ench_init() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (_bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (_bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka, let _alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
shared_nhkb);
let _alice_ratchet = RatchetEncHeader::init_alice(sk, public_key,
shared_hka, shared_nhkb);
} }
#[test] #[test]
fn ratchet_ench_enc_single() { fn ench_enc_single() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka, let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk,
public_key,
shared_hka,
shared_nhkb);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, b""); let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, b"");
let decrypted = bob_ratchet.ratchet_decrypt(&header, &encrypted, &nonce, b""); let decrypted = bob_ratchet.decrypt(&header, &encrypted, &nonce, b"").unwrap();
assert_eq!(data, decrypted) assert_eq!(data, decrypted)
} }
#[test] #[test]
fn ratchet_ench_enc_skip() { fn ench_enc_skip() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka, let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk,
public_key,
shared_hka,
shared_nhkb);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let (header2, encrypted2, nonce2) = alice_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = alice_ratchet.encrypt(&data, b"");
let (header3, encrypted3, nonce3) = alice_ratchet.ratchet_encrypt(&data, b""); let (header3, encrypted3, nonce3) = alice_ratchet.encrypt(&data, b"");
let decrypted3 = bob_ratchet.ratchet_decrypt(&header3, &encrypted3, &nonce3, b""); let decrypted3 = bob_ratchet.decrypt(&header3, &encrypted3, &nonce3, b"").unwrap();
let decrypted2 = bob_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let decrypted2 = bob_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"").unwrap();
let decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"").unwrap();
let comp_res = decrypted1 == data && decrypted2 == data && decrypted3 == data; let comp_res = decrypted1 == data && decrypted2 == data && decrypted3 == data;
assert!(comp_res) assert!(comp_res)
} }
#[test] #[test]
#[should_panic] #[should_panic]
fn ratchet_ench_panic_bob() { fn ench_panic_bob() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, _) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, _) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka,
shared_nhkb);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let (_, _, _) = bob_ratchet.ratchet_encrypt(&data, b""); let (_, _, _) = bob_ratchet.encrypt(&data, b"");
} }
#[test] #[test]
fn ratchet_ench_decrypt_four() { fn ench_decrypt_four() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka,
shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb); let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
let data = include_bytes!("../src/dh.rs").to_vec(); let data = include_bytes!("../src/dh.rs").to_vec();
let (header1, encrypted1, nonce1) = alice_ratchet.ratchet_encrypt(&data, b""); let (header1, encrypted1, nonce1) = alice_ratchet.encrypt(&data, b"");
let decrypted1 = bob_ratchet.ratchet_decrypt(&header1, &encrypted1, &nonce1, b""); let decrypted1 = bob_ratchet.decrypt(&header1, &encrypted1, &nonce1, b"").unwrap();
let (header2, encrypted2, nonce2) = bob_ratchet.ratchet_encrypt(&data, b""); let (header2, encrypted2, nonce2) = bob_ratchet.encrypt(&data, b"");
let decrypted2 = alice_ratchet.ratchet_decrypt(&header2, &encrypted2, &nonce2, b""); let decrypted2 = alice_ratchet.decrypt(&header2, &encrypted2, &nonce2, b"").unwrap();
let comp_res = decrypted1 == data && decrypted2 == data; let comp_res = decrypted1 == data && decrypted2 == data;
assert!(comp_res) assert!(comp_res)
} }
#[test] #[test]
#[should_panic] #[should_panic]
fn ratchet_ench_enc_skip_panic() { fn ench_enc_skip_panic() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (mut bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka, let mut alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
shared_nhkb);
let mut alice_ratchet = RatchetEncHeader::init_alice(sk,
public_key,
shared_hka,
shared_nhkb);
let data = include_bytes!("../src/header.rs").to_vec(); let data = include_bytes!("../src/header.rs").to_vec();
let mut headers = alloc::vec![]; let mut headers = alloc::vec![];
let mut encrypteds = alloc::vec![]; let mut encrypteds = alloc::vec![];
let mut nonces = alloc::vec![]; let mut nonces = alloc::vec![];
let mut decrypteds = alloc::vec![]; let mut decrypteds = alloc::vec![];
for _ in 0..200 { for _ in 0..200 {
let (header, encrypted, nonce) = alice_ratchet.ratchet_encrypt(&data, b""); let (header, encrypted, nonce) = alice_ratchet.encrypt(&data, b"");
headers.push(header); headers.push(header);
encrypteds.push(encrypted); encrypteds.push(encrypted);
nonces.push(nonce); nonces.push(nonce);
@ -173,7 +156,7 @@ fn ratchet_ench_enc_skip_panic() {
let header = headers.get(idx).unwrap(); let header = headers.get(idx).unwrap();
let encrypted = encrypteds.get(idx).unwrap(); let encrypted = encrypteds.get(idx).unwrap();
let nonce = nonces.get(idx).unwrap(); let nonce = nonces.get(idx).unwrap();
let decrypted = bob_ratchet.ratchet_decrypt(header, encrypted, nonce, b""); let decrypted = bob_ratchet.decrypt(header, encrypted, nonce, b"").unwrap();
decrypteds.push(decrypted); decrypteds.push(decrypted);
} }
} }
@ -183,9 +166,7 @@ fn import_export() {
let sk = [1; 32]; let sk = [1; 32];
let shared_hka = [2; 32]; let shared_hka = [2; 32];
let shared_nhkb = [3; 32]; let shared_nhkb = [3; 32];
let (bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, let (bob_ratchet, public_key) = RatchetEncHeader::init_bob(sk, shared_hka, shared_nhkb);
shared_hka,
shared_nhkb);
let alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb); let alice_ratchet = RatchetEncHeader::init_alice(sk, public_key, shared_hka, shared_nhkb);
let ex_bob_ratchet = bob_ratchet.export(); let ex_bob_ratchet = bob_ratchet.export();