vpncloud/src/crypto.rs

// VpnCloud - Peer-to-Peer VPN
// Copyright (C) 2015-2019  Dennis Schwerdel
// This software is licensed under GPL-3 or newer (see LICENSE.md)

use std::num::NonZeroU32;

use ring::{aead::*, pbkdf2, rand::*};

use super::types::Error;

const SALT: &[u8; 32] = b"vpncloudVPNCLOUDvpncl0udVpnCloud";
const HEX_PREFIX: &str = "hex:";
const HASH_PREFIX: &str = "hash:";

#[derive(Serialize, Deserialize, Debug, PartialEq, Clone, Copy)]
pub enum CryptoMethod {
    #[serde(rename = "chacha20")]
    ChaCha20,
    #[serde(rename = "aes256")]
    AES256
}

pub struct CryptoData {
    crypto_key: LessSafeKey,
    nonce: Vec<u8>,
    key: Vec<u8>
}

#[allow(unknown_lints, clippy::large_enum_variant)]
pub enum Crypto {
    None,
    ChaCha20Poly1305(CryptoData),
    AES256GCM(CryptoData)
}

fn inc_nonce(nonce: &mut [u8]) {
    let l = nonce.len();
    for i in (0..l).rev() {
        let mut num = nonce[i];
        num = num.wrapping_add(1);
        nonce[i] = num;
        if num > 0 {
            return
        }
    }
    warn!("Nonce overflowed");
}

impl Crypto {
    #[inline]
    pub fn method(&self) -> u8 {
        match *self {
            Crypto::None => 0,
            Crypto::ChaCha20Poly1305 { .. } => 1,
            Crypto::AES256GCM { .. } => 2
        }
    }

    #[inline]
    pub fn nonce_bytes(&self) -> usize {
        match *self {
            Crypto::None => 0,
            Crypto::ChaCha20Poly1305(ref data) | Crypto::AES256GCM(ref data) => data.crypto_key.algorithm().nonce_len()
        }
    }

    #[inline]
    pub fn get_key(&self) -> &[u8] {
        match *self {
            Crypto::None => &[],
            Crypto::ChaCha20Poly1305(ref data) | Crypto::AES256GCM(ref data) => &data.key
        }
    }

    #[inline]
    #[allow(unknown_lints, clippy::match_same_arms)]
    pub fn additional_bytes(&self) -> usize {
        match *self {
            Crypto::None => 0,
            Crypto::ChaCha20Poly1305(ref data) | Crypto::AES256GCM(ref data) => data.crypto_key.algorithm().tag_len()
        }
    }

    pub fn from_shared_key(method: CryptoMethod, password: &str) -> Self {
        let algo = match method {
            CryptoMethod::ChaCha20 => &CHACHA20_POLY1305,
            CryptoMethod::AES256 => &AES_256_GCM
        };
        let mut key: Vec<u8> = Vec::with_capacity(algo.key_len());
        for _ in 0..algo.key_len() {
            key.push(0);
        }
        if password.starts_with(HEX_PREFIX) {
            let password = &password[HEX_PREFIX.len()..];
            if password.len() != 2 * algo.key_len() {
                fail!("Raw secret key must be exactly {} bytes long", algo.key_len());
            }
            for i in 0..algo.key_len() {
                key[i] = try_fail!(
                    u8::from_str_radix(&password[2 * i..=2 * i + 1], 16),
                    "Failed to parse raw secret key: {}"
                );
            }
        } else {
            let password = if password.starts_with(HASH_PREFIX) { &password[HASH_PREFIX.len()..] } else { password };
            pbkdf2::derive(
                pbkdf2::PBKDF2_HMAC_SHA256,
                NonZeroU32::new(4096).unwrap(),
                SALT,
                password.as_bytes(),
                &mut key
            );
        }
        let crypto_key = LessSafeKey::new(UnboundKey::new(algo, &key[..algo.key_len()]).expect("Failed to create key"));
        let mut nonce: Vec<u8> = Vec::with_capacity(algo.nonce_len());
        for _ in 0..algo.nonce_len() {
            nonce.push(0);
        }
        // leave the highest byte of the nonce 0 so it will not overflow
        if SystemRandom::new().fill(&mut nonce[1..]).is_err() {
            fail!("Randomizing nonce failed");
        }
        let data = CryptoData { crypto_key, nonce, key };
        match method {
            CryptoMethod::ChaCha20 => Crypto::ChaCha20Poly1305(data),
            CryptoMethod::AES256 => Crypto::AES256GCM(data)
        }
    }

    pub fn decrypt(&self, buf: &mut [u8], nonce: &[u8], header: &[u8]) -> Result<usize, Error> {
        match *self {
            Crypto::None => Ok(buf.len()),
            Crypto::ChaCha20Poly1305(ref data) | Crypto::AES256GCM(ref data) => {
                let nonce = Nonce::try_assume_unique_for_key(nonce).unwrap();
                match data.crypto_key.open_in_place(nonce, Aad::from(header), buf) {
                    Ok(plaintext) => Ok(plaintext.len()),
                    Err(_) => Err(Error::Crypto("Failed to decrypt"))
                }
            }
        }
    }

    pub fn encrypt(&mut self, buf: &mut [u8], mlen: usize, nonce_bytes: &mut [u8], header: &[u8]) -> usize {
        let tag_len = self.additional_bytes();
        match *self {
            Crypto::None => mlen,
            Crypto::ChaCha20Poly1305(ref mut data) | Crypto::AES256GCM(ref mut data) => {
                inc_nonce(&mut data.nonce);
                assert!(buf.len() - mlen >= tag_len);
                let nonce = Nonce::try_assume_unique_for_key(&data.nonce).unwrap();
                let tag = data
                    .crypto_key
                    .seal_in_place_separate_tag(nonce, Aad::from(header), &mut buf[..mlen])
                    .expect("Failed to encrypt");
                buf[mlen..mlen + tag_len].copy_from_slice(tag.as_ref());
                nonce_bytes.clone_from_slice(&data.nonce);
                mlen + tag_len
            }
        }
    }
}

#[test]
fn encrypt_decrypt_chacha20poly1305() {
    let mut sender = Crypto::from_shared_key(CryptoMethod::ChaCha20, "test");
    let receiver = Crypto::from_shared_key(CryptoMethod::ChaCha20, "test");
    let msg = "HelloWorld0123456789";
    let msg_bytes = msg.as_bytes();
    let mut buffer = [0u8; 1024];
    let header = [0u8; 8];
    for i in 0..msg_bytes.len() {
        buffer[i] = msg_bytes[i];
    }
    let mut nonce1 = [0u8; 12];
    let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce1, &header);
    assert_eq!(size, msg_bytes.len() + sender.additional_bytes());
    assert!(msg_bytes != &buffer[..msg_bytes.len()] as &[u8]);
    receiver.decrypt(&mut buffer[..size], &nonce1, &header).unwrap();
    assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);
    let mut nonce2 = [0u8; 12];
    let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce2, &header);
    assert!(nonce1 != nonce2);
    receiver.decrypt(&mut buffer[..size], &nonce2, &header).unwrap();
    assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);
}

#[test]
fn encrypt_decrypt_aes256() {
    let mut sender = Crypto::from_shared_key(CryptoMethod::AES256, "test");
    let receiver = Crypto::from_shared_key(CryptoMethod::AES256, "test");
    let msg = "HelloWorld0123456789";
    let msg_bytes = msg.as_bytes();
    let mut buffer = [0u8; 1024];
    let header = [0u8; 8];
    for i in 0..msg_bytes.len() {
        buffer[i] = msg_bytes[i];
    }
    let mut nonce1 = [0u8; 12];
    let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce1, &header);
    assert_eq!(size, msg_bytes.len() + sender.additional_bytes());
    assert!(msg_bytes != &buffer[..msg_bytes.len()] as &[u8]);
    receiver.decrypt(&mut buffer[..size], &nonce1, &header).unwrap();
    assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);
    let mut nonce2 = [0u8; 12];
    let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce2, &header);
    assert!(nonce1 != nonce2);
    receiver.decrypt(&mut buffer[..size], &nonce2, &header).unwrap();
    assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);
}
Added license and copyright information 2016-02-05 15:58:32 +00:00			`// VpnCloud - Peer-to-Peer VPN`
Updated deps 2019-02-14 21:51:10 +00:00			`// Copyright (C) 2015-2019 Dennis Schwerdel`
Added license and copyright information 2016-02-05 15:58:32 +00:00			`// This software is licensed under GPL-3 or newer (see LICENSE.md)`

Updated deps 2019-02-14 21:51:10 +00:00			`use std::num::NonZeroU32;`

Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`use ring::{aead::, pbkdf2, rand::};`
Include libsodium in builds 2015-11-30 16:27:50 +00:00
			`use super::types::Error;`

Updates 2019-02-15 21:42:13 +00:00			`const SALT: &[u8; 32] = b"vpncloudVPNCLOUDvpncl0udVpnCloud";`
			`const HEX_PREFIX: &str = "hex:";`
			`const HASH_PREFIX: &str = "hash:";`

Many changes for 0.9.0 2019-01-10 18:36:50 +00:00			`#[derive(Serialize, Deserialize, Debug, PartialEq, Clone, Copy)]`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`pub enum CryptoMethod {`
Fixed tests and serialization constants 2017-07-22 14:42:32 +00:00			`#[serde(rename = "chacha20")]`
			`ChaCha20,`
			`#[serde(rename = "aes256")]`
			`AES256`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`

Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`pub struct CryptoData {`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`crypto_key: LessSafeKey,`
Full beacon encode/decode 2019-02-19 17:42:50 +00:00			`nonce: Vec<u8>,`
			`key: Vec<u8>`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`}`

Removed libsodium completely 2019-01-08 19:32:47 +00:00			`#[allow(unknown_lints, clippy::large_enum_variant)]`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`pub enum Crypto {`
			`None,`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`ChaCha20Poly1305(CryptoData),`
			`AES256GCM(CryptoData)`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`

Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`fn inc_nonce(nonce: &mut [u8]) {`
			`let l = nonce.len();`
			`for i in (0..l).rev() {`
			`let mut num = nonce[i];`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`num = num.wrapping_add(1);`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`nonce[i] = num;`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`if num > 0 {`
Removed libsodium completely 2019-01-08 19:32:47 +00:00			`return`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`
			`}`
Removed libsodium completely 2019-01-08 19:32:47 +00:00			`warn!("Nonce overflowed");`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`

			`impl Crypto {`
Code cleanup 2016-06-29 06:43:39 +00:00			`#[inline]`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`pub fn method(&self) -> u8 {`
Making clippy happy 2016-06-11 14:08:57 +00:00			`match *self {`
			`Crypto::None => 0,`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`Crypto::ChaCha20Poly1305 { .. } => 1,`
			`Crypto::AES256GCM { .. } => 2`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`
			`}`

Code cleanup 2016-06-29 06:43:39 +00:00			`#[inline]`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`pub fn nonce_bytes(&self) -> usize {`
Making clippy happy 2016-06-11 14:08:57 +00:00			`match *self {`
			`Crypto::None => 0,`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`Crypto::ChaCha20Poly1305(ref data) \| Crypto::AES256GCM(ref data) => data.crypto_key.algorithm().nonce_len()`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`
			`}`

Full beacon encode/decode 2019-02-19 17:42:50 +00:00			`#[inline]`
			`pub fn get_key(&self) -> &[u8] {`
			`match *self {`
			`Crypto::None => &[],`
			`Crypto::ChaCha20Poly1305(ref data) \| Crypto::AES256GCM(ref data) => &data.key`
			`}`
			`}`

Code cleanup 2016-06-29 06:43:39 +00:00			`#[inline]`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`#[allow(unknown_lints, clippy::match_same_arms)]`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`pub fn additional_bytes(&self) -> usize {`
Making clippy happy 2016-06-11 14:08:57 +00:00			`match *self {`
			`Crypto::None => 0,`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`Crypto::ChaCha20Poly1305(ref data) \| Crypto::AES256GCM(ref data) => data.crypto_key.algorithm().tag_len()`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`
			`}`

			`pub fn from_shared_key(method: CryptoMethod, password: &str) -> Self {`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`let algo = match method {`
			`CryptoMethod::ChaCha20 => &CHACHA20_POLY1305,`
			`CryptoMethod::AES256 => &AES_256_GCM`
			`};`
Removed libsodium completely 2019-01-08 19:32:47 +00:00			`let mut key: Vec<u8> = Vec::with_capacity(algo.key_len());`
			`for _ in 0..algo.key_len() {`
			`key.push(0);`
			`}`
Updates 2019-02-15 21:42:13 +00:00			`if password.starts_with(HEX_PREFIX) {`
			`let password = &password[HEX_PREFIX.len()..];`
			`if password.len() != 2 * algo.key_len() {`
			`fail!("Raw secret key must be exactly {} bytes long", algo.key_len());`
			`}`
			`for i in 0..algo.key_len() {`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`key[i] = try_fail!(`
			`u8::from_str_radix(&password[2 * i..=2 * i + 1], 16),`
			`"Failed to parse raw secret key: {}"`
			`);`
Updates 2019-02-15 21:42:13 +00:00			`}`
			`} else {`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`let password = if password.starts_with(HASH_PREFIX) { &password[HASH_PREFIX.len()..] } else { password };`
			`pbkdf2::derive(`
			`pbkdf2::PBKDF2_HMAC_SHA256,`
			`NonZeroU32::new(4096).unwrap(),`
			`SALT,`
			`password.as_bytes(),`
			`&mut key`
			`);`
Updates 2019-02-15 21:42:13 +00:00			`}`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`let crypto_key = LessSafeKey::new(UnboundKey::new(algo, &key[..algo.key_len()]).expect("Failed to create key"));`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`let mut nonce: Vec<u8> = Vec::with_capacity(algo.nonce_len());`
			`for _ in 0..algo.nonce_len() {`
			`nonce.push(0);`
			`}`
Updates 2019-02-15 21:42:13 +00:00			`// leave the highest byte of the nonce 0 so it will not overflow`
			`if SystemRandom::new().fill(&mut nonce[1..]).is_err() {`
Removed libsodium completely 2019-01-08 19:32:47 +00:00			`fail!("Randomizing nonce failed");`
			`}`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`let data = CryptoData { crypto_key, nonce, key };`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`match method {`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`CryptoMethod::ChaCha20 => Crypto::ChaCha20Poly1305(data),`
			`CryptoMethod::AES256 => Crypto::AES256GCM(data)`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`
			`}`

Fixed wrong address 2019-01-01 21:55:15 +00:00			`pub fn decrypt(&self, buf: &mut [u8], nonce: &[u8], header: &[u8]) -> Result<usize, Error> {`
Making clippy happy 2016-06-11 14:08:57 +00:00			`match *self {`
			`Crypto::None => Ok(buf.len()),`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`Crypto::ChaCha20Poly1305(ref data) \| Crypto::AES256GCM(ref data) => {`
Updated deps 2019-02-14 21:51:10 +00:00			`let nonce = Nonce::try_assume_unique_for_key(nonce).unwrap();`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`match data.crypto_key.open_in_place(nonce, Aad::from(header), buf) {`
			`Ok(plaintext) => Ok(plaintext.len()),`
			`Err(_) => Err(Error::Crypto("Failed to decrypt"))`
Removed libsodium completely 2019-01-08 19:32:47 +00:00			`}`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`
			`}`
			`}`

Fixed wrong address 2019-01-01 21:55:15 +00:00			`pub fn encrypt(&mut self, buf: &mut [u8], mlen: usize, nonce_bytes: &mut [u8], header: &[u8]) -> usize {`
Removed libsodium completely 2019-01-08 19:32:47 +00:00			`let tag_len = self.additional_bytes();`
Making clippy happy 2016-06-11 14:08:57 +00:00			`match *self {`
			`Crypto::None => mlen,`
Ring instead of libsodium 2019-01-04 12:53:12 +00:00			`Crypto::ChaCha20Poly1305(ref mut data) \| Crypto::AES256GCM(ref mut data) => {`
			`inc_nonce(&mut data.nonce);`
			`assert!(buf.len() - mlen >= tag_len);`
Updated deps 2019-02-14 21:51:10 +00:00			`let nonce = Nonce::try_assume_unique_for_key(&data.nonce).unwrap();`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`let tag = data`
			`.crypto_key`
			`.seal_in_place_separate_tag(nonce, Aad::from(header), &mut buf[..mlen])`
			`.expect("Failed to encrypt");`
			`buf[mlen..mlen + tag_len].copy_from_slice(tag.as_ref());`
Removed libsodium completely 2019-01-08 19:32:47 +00:00			`nonce_bytes.clone_from_slice(&data.nonce);`
Updated dependencies, rustfmt 2019-12-04 08:32:35 +00:00			`mlen + tag_len`
Include libsodium in builds 2015-11-30 16:27:50 +00:00			`}`
			`}`
			`}`
			`}`
Full beacon encode/decode 2019-02-19 17:42:50 +00:00
			`#[test]`
			`fn encrypt_decrypt_chacha20poly1305() {`
			`let mut sender = Crypto::from_shared_key(CryptoMethod::ChaCha20, "test");`
			`let receiver = Crypto::from_shared_key(CryptoMethod::ChaCha20, "test");`
			`let msg = "HelloWorld0123456789";`
			`let msg_bytes = msg.as_bytes();`
			`let mut buffer = [0u8; 1024];`
			`let header = [0u8; 8];`
			`for i in 0..msg_bytes.len() {`
			`buffer[i] = msg_bytes[i];`
			`}`
			`let mut nonce1 = [0u8; 12];`
			`let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce1, &header);`
			`assert_eq!(size, msg_bytes.len() + sender.additional_bytes());`
			`assert!(msg_bytes != &buffer[..msg_bytes.len()] as &[u8]);`
			`receiver.decrypt(&mut buffer[..size], &nonce1, &header).unwrap();`
			`assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);`
			`let mut nonce2 = [0u8; 12];`
			`let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce2, &header);`
			`assert!(nonce1 != nonce2);`
			`receiver.decrypt(&mut buffer[..size], &nonce2, &header).unwrap();`
			`assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);`
			`}`

			`#[test]`
			`fn encrypt_decrypt_aes256() {`
			`let mut sender = Crypto::from_shared_key(CryptoMethod::AES256, "test");`
			`let receiver = Crypto::from_shared_key(CryptoMethod::AES256, "test");`
			`let msg = "HelloWorld0123456789";`
			`let msg_bytes = msg.as_bytes();`
			`let mut buffer = [0u8; 1024];`
			`let header = [0u8; 8];`
			`for i in 0..msg_bytes.len() {`
			`buffer[i] = msg_bytes[i];`
			`}`
			`let mut nonce1 = [0u8; 12];`
			`let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce1, &header);`
			`assert_eq!(size, msg_bytes.len() + sender.additional_bytes());`
			`assert!(msg_bytes != &buffer[..msg_bytes.len()] as &[u8]);`
			`receiver.decrypt(&mut buffer[..size], &nonce1, &header).unwrap();`
			`assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);`
			`let mut nonce2 = [0u8; 12];`
			`let size = sender.encrypt(&mut buffer, msg_bytes.len(), &mut nonce2, &header);`
			`assert!(nonce1 != nonce2);`
			`receiver.decrypt(&mut buffer[..size], &nonce2, &header).unwrap();`
			`assert_eq!(msg_bytes, &buffer[..msg_bytes.len()] as &[u8]);`
			`}`