gbp-sframe 1.8.1

SFrame (draft-ietf-sframe-enc) E2EE for GAP audio streams in the Group Protocol Stack
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213

use std::collections::HashMap;

use aes_gcm::aead::{Aead, KeyInit, Payload};
use aes_gcm::{Aes128Gcm, Aes256Gcm};

use crate::error::SFrameError;
use crate::header::SFrameHeader;
use crate::kdf::{CipherSuite, ParticipantKeys, derive_participant, make_nonce};
use crate::replay::ReplayWindow;

// ─── Internal AEAD helper ────────────────────────────────────────────────────

enum AeadCipher {
    Aes128(Aes128Gcm),
    Aes256(Aes256Gcm),
}

impl AeadCipher {
    fn new(key: &[u8], suite: CipherSuite) -> Self {
        match suite {
            CipherSuite::Aes128Gcm => {
                Self::Aes128(Aes128Gcm::new_from_slice(key).expect("key length matches suite"))
            }
            CipherSuite::Aes256Gcm => {
                Self::Aes256(Aes256Gcm::new_from_slice(key).expect("key length matches suite"))
            }
        }
    }

    fn encrypt(
        &self,
        nonce: &[u8; 12],
        plaintext: &[u8],
        aad: &[u8],
    ) -> Result<Vec<u8>, SFrameError> {
        let n = aes_gcm::Nonce::from_slice(nonce);
        let payload = Payload {
            msg: plaintext,
            aad,
        };
        match self {
            Self::Aes128(c) => c.encrypt(n, payload).map_err(|_| SFrameError::Encrypt),
            Self::Aes256(c) => c.encrypt(n, payload).map_err(|_| SFrameError::Encrypt),
        }
    }

    fn decrypt(
        &self,
        nonce: &[u8; 12],
        ciphertext: &[u8],
        aad: &[u8],
    ) -> Result<Vec<u8>, SFrameError> {
        let n = aes_gcm::Nonce::from_slice(nonce);
        let payload = Payload {
            msg: ciphertext,
            aad,
        };
        match self {
            Self::Aes128(c) => c.decrypt(n, payload).map_err(|_| SFrameError::Decrypt),
            Self::Aes256(c) => c.decrypt(n, payload).map_err(|_| SFrameError::Decrypt),
        }
    }
}

// ─── SFrameEncryptor ─────────────────────────────────────────────────────────

/// Stateful per-sender SFrame encryptor.
///
/// Holds the derived key+salt for one `(epoch, leaf_index)` pair and an
/// internal counter that increments on every call to [`encrypt`].
///
/// Obtain via [`crate::SFrameSession::encryptor`].
pub struct SFrameEncryptor {
    cipher: AeadCipher,
    base_nonce: [u8; 12],
    kid: u64,
    ctr: u64,
}

impl SFrameEncryptor {
    pub(crate) fn new(keys: ParticipantKeys, kid: u64, suite: CipherSuite) -> Self {
        Self {
            cipher: AeadCipher::new(&keys.key, suite),
            base_nonce: keys.base_nonce,
            kid,
            ctr: 0,
        }
    }

    /// Encrypts `plaintext` and returns the complete SFrame payload:
    /// `header ‖ ciphertext ‖ GCM-tag`.
    ///
    /// `extra_aad` is appended to the SFrame header to form the full AAD
    /// (e.g. pass an RTP header or an empty slice).
    pub fn encrypt(&mut self, plaintext: &[u8], extra_aad: &[u8]) -> Result<Vec<u8>, SFrameError> {
        let header = SFrameHeader {
            kid: self.kid,
            ctr: self.ctr,
        };
        let header_bytes = header.encode();

        let mut aad = Vec::with_capacity(header_bytes.len() + extra_aad.len());
        aad.extend_from_slice(&header_bytes);
        aad.extend_from_slice(extra_aad);

        let nonce = make_nonce(&self.base_nonce, self.ctr);
        let ciphertext = self.cipher.encrypt(&nonce, plaintext, &aad)?;

        self.ctr = self.ctr.wrapping_add(1);

        let mut out = Vec::with_capacity(header_bytes.len() + ciphertext.len());
        out.extend_from_slice(&header_bytes);
        out.extend_from_slice(&ciphertext);
        Ok(out)
    }

    /// Current counter value (number of frames encrypted so far).
    pub fn counter(&self) -> u64 {
        self.ctr
    }

    /// KID this encryptor was created for.
    pub fn kid(&self) -> u64 {
        self.kid
    }
}

// ─── SFrameDecryptor ─────────────────────────────────────────────────────────

/// Per-sender decryption state maintained inside [`SFrameDecryptor`].
struct SenderState {
    cipher: AeadCipher,
    base_nonce: [u8; 12],
    window: ReplayWindow,
}

/// Multi-sender SFrame decryptor for one epoch.
///
/// Lazily derives per-sender key material from the epoch's base key as new
/// `KID`s are encountered.  Maintains an independent replay window per sender.
///
/// Obtain via [`crate::SFrameSession::decryptor`].
pub struct SFrameDecryptor {
    base_key: [u8; 32],
    epoch: u64,
    suite: CipherSuite,
    /// Keyed by `leaf_index`.
    senders: HashMap<u32, SenderState>,
}

impl SFrameDecryptor {
    pub(crate) fn new(base_key: [u8; 32], epoch: u64, suite: CipherSuite) -> Self {
        Self {
            base_key,
            epoch,
            suite,
            senders: HashMap::new(),
        }
    }

    /// Decrypts an SFrame `payload` and returns `(plaintext, sender_leaf)`.
    ///
    /// `extra_aad` must be the same slice passed on the encrypting side.
    pub fn decrypt(
        &mut self,
        payload: &[u8],
        extra_aad: &[u8],
    ) -> Result<(Vec<u8>, u32), SFrameError> {
        let (header, header_len) = SFrameHeader::decode(payload)?;

        let frame_epoch = SFrameHeader::epoch_from_kid(header.kid);
        if frame_epoch != self.epoch {
            return Err(SFrameError::UnknownKid(header.kid));
        }
        let leaf = SFrameHeader::leaf_from_kid(header.kid);

        // Lazily derive key material for this sender.
        let state = self.senders.entry(leaf).or_insert_with(|| {
            let keys = derive_participant(&self.base_key, leaf, self.suite);
            SenderState {
                cipher: AeadCipher::new(&keys.key, self.suite),
                base_nonce: keys.base_nonce,
                window: ReplayWindow::new(),
            }
        });

        // Replay check before decryption (fast path for replays).
        state
            .window
            .check_and_mark(header.ctr)
            .map_err(|_| SFrameError::Replay {
                kid: header.kid,
                ctr: header.ctr,
            })?;

        let header_bytes = &payload[..header_len];
        let ciphertext = &payload[header_len..];

        let mut aad = Vec::with_capacity(header_bytes.len() + extra_aad.len());
        aad.extend_from_slice(header_bytes);
        aad.extend_from_slice(extra_aad);

        let nonce = make_nonce(&state.base_nonce, header.ctr);
        let plaintext = state.cipher.decrypt(&nonce, ciphertext, &aad)?;

        Ok((plaintext, leaf))
    }

    /// Resets all per-sender replay windows (call on epoch change).
    pub fn reset(&mut self) {
        self.senders.values_mut().for_each(|s| s.window.reset());
    }
}