apfsds-crypto 0.4.0

Cryptographic primitives for APFSDS (X25519, AES-GCM, Ed25519)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163

//! Replay protection cache

use dashmap::DashMap;
use std::time::{Duration, Instant};

/// Thread-safe replay cache for nonce/UUID deduplication
pub struct ReplayCache {
    /// Map of nonce -> expiration time
    seen: DashMap<[u8; 32], Instant>,
    /// TTL for entries
    ttl: Duration,
}

impl ReplayCache {
    /// Create a new replay cache with the given TTL
    pub fn new(ttl: Duration) -> Self {
        Self {
            seen: DashMap::new(),
            ttl,
        }
    }

    /// Check if a nonce has been seen and insert it if not
    /// Returns true if the nonce is new (not a replay)
    pub fn check_and_insert(&self, nonce: &[u8; 32]) -> bool {
        let now = Instant::now();
        let expiry = now + self.ttl;

        // Check if already exists and not expired
        if let Some(existing) = self.seen.get(nonce) {
            if *existing > now {
                return false; // Replay detected
            }
        }

        // Insert or update
        self.seen.insert(*nonce, expiry);
        true
    }

    /// Check if a nonce has been seen (without inserting)
    pub fn contains(&self, nonce: &[u8; 32]) -> bool {
        if let Some(expiry) = self.seen.get(nonce) {
            *expiry > Instant::now()
        } else {
            false
        }
    }

    /// Remove expired entries
    pub fn cleanup(&self) {
        let now = Instant::now();
        self.seen.retain(|_, expiry| *expiry > now);
    }

    /// Get the number of entries
    pub fn len(&self) -> usize {
        self.seen.len()
    }

    /// Check if empty
    pub fn is_empty(&self) -> bool {
        self.seen.is_empty()
    }

    /// Clear all entries
    pub fn clear(&self) {
        self.seen.clear();
    }
}

/// UUID-based replay cache (16-byte keys)
pub struct UuidReplayCache {
    seen: DashMap<[u8; 16], Instant>,
    ttl: Duration,
}

impl UuidReplayCache {
    pub fn new(ttl: Duration) -> Self {
        Self {
            seen: DashMap::new(),
            ttl,
        }
    }

    pub fn check_and_insert(&self, uuid: &[u8; 16]) -> bool {
        let now = Instant::now();
        let expiry = now + self.ttl;

        if let Some(existing) = self.seen.get(uuid) {
            if *existing > now {
                return false;
            }
        }

        self.seen.insert(*uuid, expiry);
        true
    }

    pub fn cleanup(&self) {
        let now = Instant::now();
        self.seen.retain(|_, expiry| *expiry > now);
    }

    pub fn len(&self) -> usize {
        self.seen.len()
    }

    pub fn is_empty(&self) -> bool {
        self.seen.is_empty()
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_replay_detection() {
        let cache = ReplayCache::new(Duration::from_secs(60));
        let nonce = [42u8; 32];

        // First time should succeed
        assert!(cache.check_and_insert(&nonce));

        // Second time should fail (replay)
        assert!(!cache.check_and_insert(&nonce));
    }

    #[test]
    fn test_different_nonces() {
        let cache = ReplayCache::new(Duration::from_secs(60));
        let nonce1 = [1u8; 32];
        let nonce2 = [2u8; 32];

        assert!(cache.check_and_insert(&nonce1));
        assert!(cache.check_and_insert(&nonce2));
    }

    #[test]
    fn test_cleanup() {
        let cache = ReplayCache::new(Duration::from_millis(10));
        let nonce = [42u8; 32];

        cache.check_and_insert(&nonce);
        assert_eq!(cache.len(), 1);

        // Wait for expiration
        std::thread::sleep(Duration::from_millis(20));

        cache.cleanup();
        assert_eq!(cache.len(), 0);
    }

    #[test]
    fn test_uuid_cache() {
        let cache = UuidReplayCache::new(Duration::from_secs(60));
        let uuid = [42u8; 16];

        assert!(cache.check_and_insert(&uuid));
        assert!(!cache.check_and_insert(&uuid));
    }
}