everrs 0.2.1

Bindings for the HACL*/EverCrypt crypto library
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257

use super::bind::{
    EverCrypt_Chacha20Poly1305_aead_decrypt, EverCrypt_Chacha20Poly1305_aead_encrypt,
};

const SIZE_KEY: usize = 32;
const SIZE_TAG: usize = 16;
const SIZE_NONCE: usize = 24;

/// Decrypt & authenticate a buffer with ChaCha20Poly1305
///
/// # Arguments
///
/// - `key`: 256-bit key.
/// - `nonce`: 192-bit nonce (unique for every message).
/// - `ad`: Buffer of associated data.
/// - `pt`: The plaintext buffer.
/// - `ct`: The resulting ciphertext buffer.
/// - `tag`: The buffer to hold the resulting authentication tag.
///
/// # Notes
///
/// The AD must be less than 2^32 bytes.
/// The plaintext buffer must be less than 2^32 bytes.
/// The ciphertext buffer must be at least the size of the plaintext buffer.
///
/// # Result
///
/// Returns a Result with Err indicating authentication failure.
/// Checking the Result is crucial for security.
#[must_use = "authentication failure must be handled"]
pub fn open(
    key: &[u8; SIZE_KEY],
    nonce: &[u8; SIZE_NONCE],
    ad: &[u8],
    pt: &mut [u8],
    ct: &[u8],
    tag: &[u8; SIZE_TAG],
) -> Result<(), ()> {
    assert!(ct.len() <= pt.len());
    assert!(ct.len() <= u32::max_value() as usize);
    assert!(ad.len() <= u32::max_value() as usize);
    let ok = unsafe {
        EverCrypt_Chacha20Poly1305_aead_decrypt(
            key.as_ptr(),
            nonce.as_ptr(),
            ad.len() as cty::uint32_t,
            ad.as_ptr(),
            ct.len() as cty::uint32_t,
            pt.as_mut_ptr(),
            ct.as_ptr(),
            tag.as_ptr(),
        )
    };
    if ok == 0 {
        Ok(())
    } else {
        Err(())
    }
}

/// Decrypt & authenticate a buffer with ChaCha20Poly1305 in-place
///
/// # Arguments
///
/// - `key`: 256-bit key.
/// - `nonce`: 192-bit nonce (unique for every message).
/// - `ad`: Buffer of associated data.
/// - `msg`: The ciphertext (and resulting plaintext) buffer.
/// - `tag`: The buffer holding the authentication tag.
///
/// # Notes
///
/// The tag buffer must be exactly 16 bytes long.
/// The nonce buffer must be exactly 24 bytes long.
/// The associated data must be less than 2^32 bytes.
/// The plaintext buffer must be less than 2^32 bytes.
///
/// # Result
///
/// Returns a Result with Err indicating authentication failure.
/// Checking the Result is crucial for security.
#[must_use = "authentication failure must be handled"]
pub fn open_inplace(
    key: &[u8; SIZE_KEY],
    nonce: &[u8],
    ad: &[u8],
    msg: &mut [u8],
    tag: &[u8; SIZE_TAG],
) -> Result<(), ()> {
    assert!(ad.len() <= u32::max_value() as usize);
    assert!(msg.len() <= u32::max_value() as usize);
    assert_eq!(nonce.len(), 24, "nonce must be 24 bytes long");
    assert_eq!(tag.len(), 16, "tag buffer must be 16 bytes");
    let ok = unsafe {
        EverCrypt_Chacha20Poly1305_aead_decrypt(
            key.as_ptr(),
            nonce.as_ptr(),
            ad.len() as cty::uint32_t,
            ad.as_ptr(),
            msg.len() as cty::uint32_t,
            msg.as_mut_ptr(),
            msg.as_ptr(),
            tag.as_ptr(),
        )
    };
    if ok == 0 {
        Ok(())
    } else {
        Err(())
    }
}

/// Encrypt a buffer with ChaCha20Poly1305
///
/// # Arguments
///
/// - `key`: 256-bit key
/// - `nonce`: 192-bit nonce (unique for every message)
/// - `ad`: Buffer of associated data
/// - `pt`: The plaintext buffer
/// - `ct`: The resulting ciphertext buffer
/// - `tag`: The buffer to hold the resulting authentication tag
///
/// # Notes
///
/// The AD must be less than 2^32 bytes.
/// The plaintext buffer must be less than 2^32 bytes.
/// The ciphertext buffer must be at least the size of the plaintext buffer.
pub fn seal(
    key: &[u8; SIZE_KEY],
    nonce: &[u8; SIZE_NONCE],
    ad: &[u8],
    pt: &[u8],
    ct: &mut [u8],
    tag: &mut [u8; SIZE_TAG],
) {
    assert!(ct.len() >= pt.len());
    assert!(pt.len() <= u32::max_value() as usize);
    assert!(ad.len() <= u32::max_value() as usize);
    unsafe {
        EverCrypt_Chacha20Poly1305_aead_encrypt(
            key.as_ptr(),
            nonce.as_ptr(),
            ad.len() as cty::uint32_t,
            ad.as_ptr(),
            pt.len() as cty::uint32_t,
            pt.as_ptr(),
            ct.as_mut_ptr(),
            tag.as_mut_ptr(),
        );
    }
}

/// Encrypt a buffer in-place with ChaCha20Poly1305
///
/// # Arguments
///
/// - `key`: 256-bit key
/// - `nonce`: 192-bit nonce (unique for every message)
/// - `ad`: Buffer of associated data
/// - `msg`: The message buffer to encrypt (in-place)
/// - `tag`: The buffer to hold the resulting authentication tag
///
/// # Usage
///
/// A continuous region of memory can be encrypted and the tag
/// appended/pre-pended by using the `std::slice::split_at_mut`
/// function to obtain two disjoint mutable slices.
///
/// # Notes
///
/// The AD must be less than 2^32 bytes.
/// The message buffer must be less than 2^32 bytes.
/// The tag buffer must be exactly 16 bytes.
pub fn seal_inplace(
    key: &[u8; SIZE_KEY],
    nonce: &[u8; SIZE_NONCE],
    ad: &[u8],
    msg: &mut [u8],
    tag: &mut [u8; SIZE_TAG],
) {
    assert!(ad.len() <= u32::max_value() as usize);
    assert!(msg.len() <= u32::max_value() as usize);
    assert_eq!(nonce.len(), 24, "nonce must be 24 bytes long");
    assert_eq!(tag.len(), 16, "tag buffer must be 16 bytes");
    unsafe {
        EverCrypt_Chacha20Poly1305_aead_encrypt(
            key.as_ptr(),
            nonce.as_ptr(),
            ad.len() as cty::uint32_t,
            ad.as_ptr(),
            msg.len() as cty::uint32_t,
            msg.as_ptr(),
            msg.as_mut_ptr(),
            tag.as_mut_ptr(),
        );
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    use core::convert::TryInto;
    use proptest::prelude::*;
    use std::vec::Vec;

    #[cfg(feature = "nightly")]
    use test::Bencher;

    proptest! {
        #[test]
        fn seal_test(pt: Vec<u8>, ad: Vec<u8>, key: [u8; 32], nonce: [u8; 24]) {
            let mut ct : Vec<u8> = vec![0; pt.len()];
            let mut ptt : Vec<u8> = vec![0; pt.len()];
            let mut tag : [u8; 16] = [0; 16];
            seal(&key, &nonce, &ad[..], &pt, &mut ct, &mut tag);
            open(&key, &nonce, &ad[..], &mut ptt, &ct, &tag).unwrap();
            assert_eq!(&ptt[..], &pt[..], "open \\circ seal != id");
        }

        #[test]
        fn seal_test_inplace(pt: Vec<u8>, ad: Vec<u8>, key: [u8; 32], nonce: [u8; 24]) {
            let mut ptt : Vec<u8> = pt.clone();

            // make space for tag in the same buffer
            ptt.extend(&[0u8; 16]);

            // split into plaintext and tag part
            let (pb, tb) = ptt.split_at_mut(pt.len());

            // encrypt / decrypt in-place
            seal_inplace(&key, &nonce, &ad[..], pb, tb.try_into().unwrap());
            open_inplace(&key, &nonce, &ad[..], pb, (&*tb).try_into().unwrap()).unwrap();
            assert_eq!(&pb[..], &pt[..], "open_inplace \\circ seal_inplace != id");
        }
    }

    #[cfg(feature = "nightly")]
    #[bench]
    fn bench_seal(b: &mut Bencher) {
        let key: [u8; 32] = [1; 32];
        let nonce: [u8; 24] = [0; 24];
        let ad: [u8; 0] = [];
        let mut tag: [u8; 16] = [0; 16];
        let mut pt: Vec<u8> = vec![0; 1024 * 1024];
        b.iter(|| {
            seal_inplace(
                &key,
                &nonce,
                &ad[..],
                &mut pt[..],
                (&mut tag[..]).try_into().unwrap(),
            );
        });
    }
}