melodies-core 0.1.0

a sweet implementation of the noise protocol
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162

use core::marker::PhantomData;

use zeroize::{Zeroize, ZeroizeOnDrop, Zeroizing};

use crate::{
    cipher_state::CipherState,
    crypto::{hkdf, Cipher, HashFunction, TAG_SIZE},
    handshake_state::ProtocolName,
};

#[derive(Zeroize, ZeroizeOnDrop)]
pub(crate) struct SymmetricStateData<const HASHLEN: usize> {
    h: [u8; HASHLEN],
    ck: [u8; HASHLEN],
    has_key: bool,
}

#[derive(Zeroize, ZeroizeOnDrop)]
pub(crate) struct SymmetricState<const HASHLEN: usize, H: HashFunction<HASHLEN>> {
    data: SymmetricStateData<HASHLEN>,
    cipher: CipherState<u64>,
    #[zeroize(skip)]
    phantom: PhantomData<H>,
}

fn protocol_name_to_hash<const HASHLEN: usize, H: HashFunction<HASHLEN>>(
    protocol_name: &ProtocolName,
) -> [u8; HASHLEN] {
    let protocol_name_len: usize = protocol_name.iter().map(|chunk| chunk.len()).sum();
    let mut hash = [0; HASHLEN];
    if protocol_name_len > hash.len() {
        let mut hasher = H::new();
        for chunk in protocol_name {
            hasher.update(chunk.as_bytes());
        }
        hasher.finalize_reset(&mut hash);
        hash
    } else {
        let mut i = 0;
        for chunk in protocol_name {
            hash[i..][..chunk.len()].copy_from_slice(chunk.as_bytes());
            i += chunk.len();
        }
        hash
    }
}

impl<const HASHLEN: usize, H: HashFunction<HASHLEN>> SymmetricState<HASHLEN, H> {
    #[inline(always)] pub(crate) fn snapshot(&self) -> SymmetricStateData<HASHLEN> {
        SymmetricStateData {
            h: self.data.h,
            ck: self.data.ck,
            has_key: self.data.has_key
        }
    }
    #[inline(always)] pub(crate) fn restore(&mut self, data: SymmetricStateData<HASHLEN>) {
        self.data = data
    }

    pub fn has_key(&self) -> bool {
        self.data.has_key
    }

    pub fn new(protocol_name: &ProtocolName, cipher: &'static dyn Cipher) -> Self {
        let hash = protocol_name_to_hash::<HASHLEN, H>(protocol_name);
        Self {
            cipher: CipherState::new(cipher),
            data: SymmetricStateData {
                ck: hash,
                h: hash,
                has_key: false,
            },
            phantom: PhantomData,
        }
    }

    pub fn mix_key(&mut self, input_key_material: &[u8]) {
        let mut ck = Zeroizing::new([0; HASHLEN]);
        let mut temp_k = Zeroizing::new([0; HASHLEN]);
        hkdf::<HASHLEN, H>(
            &self.data.ck,
            input_key_material,
            &mut [&mut ck, &mut temp_k],
        );
        self.data.ck.as_mut().copy_from_slice(ck.as_ref());
        self.cipher
            .initialize_key(&temp_k[..32].try_into().unwrap());
        self.data.has_key = true;
    }

    pub fn mix_hash(&mut self, data: &[u8]) {
        let mut hash = H::new();
        hash.update(self.data.h.as_ref());
        hash.update(data);
        hash.finalize_reset(&mut self.data.h);
    }

    /// This function is used for handling pre-shared symmetric keys, as described in Section 9.
    pub fn mix_key_and_hash(&mut self, input_key_material: &[u8]) {
        let mut ck = Zeroizing::new([0; HASHLEN]);
        let mut temp_h = Zeroizing::new([0; HASHLEN]);
        let mut temp_k = Zeroizing::new([0; HASHLEN]);
        hkdf::<HASHLEN, H>(
            &self.data.ck,
            input_key_material,
            &mut [&mut ck, &mut temp_h, &mut temp_k],
        );
        self.data.ck.as_mut().copy_from_slice(ck.as_ref());
        self.mix_hash(temp_h.as_ref());
        self.cipher
            .initialize_key(&temp_k[..32].try_into().unwrap());
        self.data.has_key = true;
    }

    /// Sets ciphertext = EncryptWithAd(h, plaintext), calls MixHash(ciphertext).
    ///
    /// Note that if k is empty, the EncryptWithAd() call will set ciphertext equal to plaintext.
    pub fn encrypt_and_hash(&mut self, buf: &mut [u8]) -> usize {
        let buf = if self.has_key() {
            let len = self.cipher.encrypt(&self.data.h, buf);
            &buf[..len]
        } else {
            &buf[..buf.len() - TAG_SIZE]
        };
        self.mix_hash(buf);
        buf.len()
    }

    /// Sets plaintext = DecryptWithAd(h, ciphertext), calls MixHash(ciphertext), and returns plaintext.
    ///
    /// Note that if k is empty, the DecryptWithAd() call will set plaintext equal to ciphertext.
    pub fn decrypt_and_hash<'a>(&mut self, buf: &'a mut [u8]) -> Option<&'a [u8]> {
        let mut hash = H::new();
        hash.update(&self.data.h);
        hash.update(buf);
        let out = if self.has_key() {
            self.cipher.decrypt(&self.data.h, buf)?
        } else {
            buf
        };
        hash.finalize_reset(&mut self.data.h);
        Some(out)
    }

    /// Returns a pair of CipherState objects for encrypting transport messages.
    ///
    /// The output is a handshake hash, which can be used for channel binding, as described in Section 11.2
    #[inline(always)]
    pub fn split(self) -> (CipherState, CipherState, [u8; HASHLEN]) {
        let mut temp_k1 = Zeroizing::new([0; HASHLEN]);
        let mut temp_k2 = Zeroizing::new([0; HASHLEN]);
        hkdf::<HASHLEN, H>(&self.data.ck, &[], &mut [&mut temp_k1, &mut temp_k2]);
        let mut out = (
            CipherState::new(self.cipher.cipher),
            CipherState::new(self.cipher.cipher),
            self.data.h,
        );
        out.0.initialize_key(&temp_k1[..32].try_into().unwrap());
        out.1.initialize_key(&temp_k2[..32].try_into().unwrap());
        out
    }
}