bessie 0.1.0

an authenticated, chunked cipher based on BLAKE3
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285

use crate::*;
use std::io::Cursor;

const INPUT_SIZES: &[usize] = &[
    0,
    1,
    63,
    64,
    65,
    CHUNK_LEN - 1,
    CHUNK_LEN,
    CHUNK_LEN + 1,
    2 * CHUNK_LEN - 1,
    2 * CHUNK_LEN,
    2 * CHUNK_LEN + 1,
    3 * CHUNK_LEN - 1,
    3 * CHUNK_LEN,
    3 * CHUNK_LEN + 1,
];

fn paint_input(input: &mut [u8]) {
    for i in 0..input.len() {
        // 251 is the largest prime that fits in a byte.
        input[i] = (i % 251) as u8;
    }
}

fn test_key() -> Key {
    let mut key = [0; KEY_LEN];
    paint_input(&mut key);
    key
}

fn test_input(size: usize) -> Vec<u8> {
    let mut input = vec![0; size];
    paint_input(&mut input);
    input
}

#[test]
fn test_round_trip() {
    for &size in INPUT_SIZES {
        let input = test_input(size);
        let ciphertext = encrypt(&test_key(), &input);
        assert_eq!(decrypt(&test_key(), &ciphertext).unwrap(), input);
    }
}

#[test]
fn test_big_and_small_encryption_writes() {
    for &size in INPUT_SIZES {
        dbg!(size);
        let input = test_input(size);

        let mut all_at_once_writer = EncryptWriter::new(&test_key(), Vec::new());

        // Make a verbatim copy of the writer. This is nonce reuse, which would normally be
        // extremely unsafe, and the privacy rules normally forbid this. It works here because
        // this test is within the module that defines EncryptWriter.
        let mut one_at_a_time_writer = EncryptWriter {
            inner_writer: Vec::new(),
            ..all_at_once_writer
        };

        // Feed the input into all_at_once_writer with a single large write.
        all_at_once_writer.write_all(&input).unwrap();
        all_at_once_writer.finalize().unwrap();
        let all_at_once_ciphertext = all_at_once_writer.into_inner();

        // Feed the input into one_at_a_time_writer with many small writes.
        for &byte in &input {
            one_at_a_time_writer.write_all(&[byte]).unwrap();
        }
        one_at_a_time_writer.finalize().unwrap();
        let one_at_a_time_ciphertext = one_at_a_time_writer.into_inner();

        // Make sure the two ciphertexts are identical.
        assert_eq!(all_at_once_ciphertext, one_at_a_time_ciphertext);

        // Make sure the ciphertext decrypts successfully and correctly.
        assert_eq!(
            decrypt(&test_key(), &all_at_once_ciphertext).unwrap(),
            input
        );
    }
}

#[test]
fn test_big_and_small_decryption_reads() {
    for &size in INPUT_SIZES {
        dbg!(size);
        let input = test_input(size);
        let ciphertext = encrypt(&test_key(), &input);

        let mut all_at_once_reader = DecryptReader::new(&test_key(), &ciphertext[..]);

        // Make a verbatim copy of the reader. Unlike the writer in the previous test, this is
        // safe, and the public API also allows this.
        let mut one_at_a_time_reader = all_at_once_reader.clone();

        // Read the all_at_once_reader with big reads.
        let mut all_at_once_plaintext = Vec::with_capacity(size);
        all_at_once_reader
            .read_to_end(&mut all_at_once_plaintext)
            .unwrap();
        assert_eq!(all_at_once_plaintext, input);
        if input.len() > 0 {
            assert_eq!(all_at_once_plaintext.capacity(), input.len());
        }

        // Read the one_at_a_time_reader with small reads. Assert the bytes are the same.
        for i in 0..input.len() {
            let mut buf = [0];
            assert_eq!(one_at_a_time_reader.read(&mut buf).unwrap(), 1);
            assert_eq!(buf[0], input[i]);
        }
        assert_eq!(one_at_a_time_reader.read(&mut [0]).unwrap(), 0);
    }
}

#[test]
fn test_length_functions() {
    for &size in INPUT_SIZES {
        let ciphertext = encrypt(&[0; 32], &vec![0; size]);
        assert_eq!(Some(ciphertext.len() as u64), ciphertext_len(size as u64));
        assert_eq!(Some(size as u64), plaintext_len(ciphertext.len() as u64));
    }

    assert_eq!(None, plaintext_len(0));
    assert_eq!(None, plaintext_len((NONCE_LEN + TAG_LEN - 1) as u64));
    assert_eq!(
        None,
        plaintext_len((NONCE_LEN + CHUNK_LEN + TAG_LEN) as u64)
    );
    assert_eq!(None, ciphertext_len(u64::MAX));
}

#[test]
fn test_just_seek() {
    for &size in INPUT_SIZES {
        dbg!(size);
        let input = test_input(size);
        let ciphertext = encrypt(&test_key(), &input);

        for &target in INPUT_SIZES {
            dbg!(target);

            // from start
            {
                let mut reader = DecryptReader::new(&test_key(), Cursor::new(&ciphertext[..]));
                let n = reader.seek(SeekFrom::Start(target as u64)).unwrap();
                assert_eq!(n as usize, min(target, size));
                let n = reader.seek(SeekFrom::Start(target as u64)).unwrap();
                assert_eq!(n as usize, min(target, size));
            }

            // from current
            {
                let mut reader = DecryptReader::new(&test_key(), Cursor::new(&ciphertext[..]));
                let n = reader.seek(SeekFrom::Current(target as i64)).unwrap();
                assert_eq!(n as usize, min(target, size));
                let n = reader.seek(SeekFrom::Current(target as i64)).unwrap();
                // seeks past EOF get capped
                assert_eq!(n as usize, min(2 * target, size));
            }

            // from end
            {
                let mut reader = DecryptReader::new(&test_key(), Cursor::new(&ciphertext[..]));
                let n = reader.seek(SeekFrom::End(target as i64)).unwrap();
                // seeks past EOF get capped
                assert_eq!(n, size as u64);
                if target <= size {
                    let n = reader.seek(SeekFrom::End(-(target as i64))).unwrap();
                    assert_eq!(n, (size - target) as u64);
                }
            }
        }
    }
}

#[test]
fn test_seek_and_read() {
    for &size in INPUT_SIZES {
        dbg!(size);
        let input = test_input(size);
        let ciphertext = encrypt(&test_key(), &input);

        // Test regular from-the-start seeks.
        for &seek_target in INPUT_SIZES {
            dbg!(seek_target);
            let mut reader = DecryptReader::new(&test_key(), Cursor::new(&ciphertext[..]));
            reader.seek(SeekFrom::Start(seek_target as u64)).unwrap();
            let mut output = Vec::new();
            reader.read_to_end(&mut output).unwrap();
            let expected = &input[min(size, seek_target)..];
            assert_eq!(expected, output);
        }

        // Test a negative EOF-relative seek followed by a current-relative seek.
        for &eof_seek in INPUT_SIZES {
            dbg!(eof_seek);
            // We'll use this as a negative offset.
            let capped_eof_seek = min(size, eof_seek);
            let eof_target = size - capped_eof_seek;
            let mut reader = DecryptReader::new(&test_key(), Cursor::new(&ciphertext[..]));
            reader
                .seek(SeekFrom::End(-(capped_eof_seek as i64)))
                .unwrap();
            for &current_seek in INPUT_SIZES {
                dbg!(current_seek);
                let current_target = min(size, eof_target + current_seek);
                let mut reader = reader.clone();
                reader.seek(SeekFrom::Current(current_seek as i64)).unwrap();
                let mut output = Vec::new();
                reader.read_to_end(&mut output).unwrap();
                let expected = &input[current_target..];
                assert_eq!(expected, output);
            }
        }
    }
}

#[test]
fn test_bad_ciphertext() {
    for &size in INPUT_SIZES {
        dbg!(size);
        let input = test_input(size);
        let mut ciphertext = encrypt(&test_key(), &input);
        decrypt(&test_key(), &ciphertext).unwrap();
        // Corrupt a byte of ciphertext. If the input is longer than one chunk, put the
        // corruption in the first byte of the second chunk.
        if size > CHUNK_LEN {
            ciphertext[NONCE_LEN + CHUNK_LEN + TAG_LEN] ^= 1;
        } else {
            ciphertext[0] ^= 1;
        }
        decrypt(&test_key(), &ciphertext).unwrap_err();

        // Test the incremental decrypter.
        let mut reader = DecryptReader::new(&test_key(), Cursor::new(&ciphertext[..]));
        // If the input is longer than one chunk, confirm that the first chunk decrypts
        // successfully.
        if size > CHUNK_LEN {
            let mut first_chunk = [0; CHUNK_LEN];
            reader.read_exact(&mut first_chunk).unwrap();
        }
        // Fail on the corrupt chunk.
        let e = reader.read(&mut [0]).unwrap_err();
        assert_eq!(io::ErrorKind::InvalidData, e.kind());
        // If the input is longer than two chunks, confirm that seeking past the corrupt chunk
        // makes the rest decrypt successfully.
        if size > 2 * CHUNK_LEN {
            let mut rest = Vec::new();
            reader.seek(SeekFrom::Start(2 * CHUNK_LEN as u64)).unwrap();
            reader.read_to_end(&mut rest).unwrap();
            assert_eq!(&input[2 * CHUNK_LEN..], rest);
        }
    }
}

#[test]
fn test_zeroing_after_decryption_failure() {
    let input = vec![0xaa; 2 * CHUNK_LEN + 1];
    let mut ciphertext = encrypt(&test_key(), &input);
    let mut plaintext = vec![0xbb; 2 * CHUNK_LEN + 1];
    // Decrypt the ciphertext with the wrong key and make sure that the plaintext buffer gets
    // entirely zeroed out.
    decrypt_to_slice(&[0; 32], &ciphertext, &mut plaintext).unwrap_err();
    assert_eq!(plaintext, vec![0; plaintext.len()]);
    // Same but with the right key and a corrupted final byte.
    *ciphertext.last_mut().unwrap() ^= 1;
    let mut plaintext = vec![0xbb; 2 * CHUNK_LEN + 1];
    decrypt_to_slice(&test_key(), &ciphertext, &mut plaintext).unwrap_err();
    assert_eq!(plaintext, vec![0; plaintext.len()]);
}

#[test]
fn test_encrypt_with_nonce() {
    let input = vec![0xaa; 2 * CHUNK_LEN + 1];
    let ciphertext = encrypt(&test_key(), &input);
    let nonce = ciphertext[..NONCE_LEN].try_into().unwrap();
    let ciphertext_with_nonce = testing::encrypt_with_nonce(&test_key(), nonce, &input);
    assert_eq!(ciphertext, ciphertext_with_nonce);
}