purecrypto 0.6.12

A pure-Rust cryptography toolkit with no foreign-code dependencies, from constant-time primitives up to keys, X.509 and TLS.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154

//! Symmetric ciphers.
//!
//! Provides the AES block cipher ([`Aes128`], [`Aes192`], [`Aes256`]) and
//! [`Sm4`] with constant-time implementations: the S-boxes are computed by
//! GF(2⁸) inversion rather than table lookup, so there are no
//! secret-dependent memory accesses and hence no cache-timing leak.
//!
//! Block ciphers expose only the raw block transform via [`BlockCipher`];
//! modes of operation (CTR, CBC, GCM, …) are layered on top separately.
//!
//! Also provides the [`ChaCha20`] stream cipher and [`Poly1305`] authenticator,
//! combined as the [`ChaCha20Poly1305`] AEAD (RFC 8439) — both inherently
//! constant time, built from 32-bit ARX and 130-bit limb arithmetic.

mod aegis;
mod aes;
#[cfg(feature = "aez")]
mod aez;
pub(crate) mod blowfish;
mod cbc;
mod ccm;
mod cfb;
mod chacha20;
mod chacha20poly1305;
#[cfg(all(feature = "std", any(target_arch = "x86_64", target_arch = "aarch64")))]
mod clmul;
mod cmac;
mod ctr;
mod des;
mod gcm;
mod gcm_siv;
mod gmac;
mod kw;
mod ofb;
mod poly1305;
pub(crate) mod salsa20;
mod sm4;
// AES-SIV returns variable-length `Vec` output (RFC 5297), so it needs `alloc`.
#[cfg(feature = "alloc")]
mod siv;
mod xchacha20poly1305;
mod xts;

pub use aegis::{Aegis128L, Aegis256};
pub use aes::{Aes128, Aes192, Aes256};
#[cfg(feature = "aez")]
pub use aez::Aez;
pub use cbc::Cbc;
pub use ccm::{Aes128Ccm, Aes128Ccm8, Aes192Ccm, Aes256Ccm, Aes256Ccm8, Ccm};
pub use cfb::Cfb;
pub use chacha20::ChaCha20;
pub use chacha20poly1305::ChaCha20Poly1305;
pub use cmac::{AesCmac128, AesCmac256, Cmac};
pub use ctr::Ctr;
pub use des::{Cbc64, Des, TdesEde2, TdesEde3};
pub use gcm::{Aes128Gcm, Aes256Gcm, Gcm};
pub use gcm_siv::{Aes128GcmSiv, Aes256GcmSiv, AesGcmSiv};
pub use gmac::{AesGmac128, AesGmac256, Gmac};
pub use kw::{
    Aes128Kw, Aes128Kwp, Aes192Kw, Aes192Kwp, Aes256Kw, Aes256Kwp, AesKw, AesKwp, KwError,
    kw_ciphertext_len, kwp_ciphertext_len,
};
pub use ofb::Ofb;
pub use poly1305::Poly1305;
#[cfg(feature = "alloc")]
pub use siv::AesSiv;
pub use sm4::Sm4;
pub use xchacha20poly1305::XChaCha20Poly1305;
pub use xts::{Aes128Xts, Aes256Xts, Xts};

/// A block cipher: a keyed, invertible permutation on fixed-size blocks.
pub trait BlockCipher {
    /// Block size in bytes.
    const BLOCK_SIZE: usize;
    /// Key size in bytes.
    const KEY_SIZE: usize;

    /// Encrypts one block in place.
    fn encrypt_block(&self, block: &mut [u8; 16]);

    /// Decrypts one block in place.
    fn decrypt_block(&self, block: &mut [u8; 16]);

    /// Applies the forward permutation to each consecutive 16-byte block of
    /// `blocks`, treating the blocks as independent (no chaining). `blocks.len()`
    /// must be a multiple of 16.
    ///
    /// The default loops over [`encrypt_block`](Self::encrypt_block); hardware
    /// backends (e.g. AES-NI / ARMv8-AES) override this to pipeline several
    /// blocks at once. This is the batched primitive that counter-style modes
    /// (CTR, GCM, GCM-SIV, OFB) build on — they prepare the counter blocks and
    /// XOR the result, so all counter arithmetic stays in the mode. Like the
    /// single-block path it is constant-time.
    fn encrypt_blocks(&self, blocks: &mut [u8]) {
        debug_assert_eq!(blocks.len() % 16, 0, "encrypt_blocks needs whole blocks");
        for chunk in blocks.chunks_exact_mut(16) {
            let block: &mut [u8; 16] = chunk.try_into().expect("16-byte chunk");
            self.encrypt_block(block);
        }
    }

    /// Applies the inverse permutation to each consecutive 16-byte block of
    /// `blocks` independently (no chaining). `blocks.len()` must be a multiple
    /// of 16. Default loops over [`decrypt_block`](Self::decrypt_block);
    /// hardware backends override to pipeline. Constant-time.
    fn decrypt_blocks(&self, blocks: &mut [u8]) {
        debug_assert_eq!(blocks.len() % 16, 0, "decrypt_blocks needs whole blocks");
        for chunk in blocks.chunks_exact_mut(16) {
            let block: &mut [u8; 16] = chunk.try_into().expect("16-byte chunk");
            self.decrypt_block(block);
        }
    }
}

/// A 64-bit-block cipher: parallel to [`BlockCipher`] but for legacy
/// 8-byte-block primitives (DES, 3-DES). Wire this up via [`Cbc64`] for
/// CBC-mode interop; new code should use the 128-bit `BlockCipher` and
/// `Cbc` instead.
pub trait BlockCipher64 {
    /// Key size in bytes.
    const KEY_SIZE: usize;

    /// Encrypts one 8-byte block in place.
    fn encrypt_block(&self, block: &mut [u8; 8]);

    /// Decrypts one 8-byte block in place.
    fn decrypt_block(&self, block: &mut [u8; 8]);
}

/// Error returned by block-oriented modes (e.g. CBC) when the input length is
/// not a whole number of blocks.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct InvalidLength;

impl core::fmt::Display for InvalidLength {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        f.write_str("input length is not a multiple of the block size")
    }
}

impl core::error::Error for InvalidLength {}

/// Error returned by AEAD decryption when the authentication tag does not
/// match — the ciphertext is inauthentic and the plaintext must be discarded.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct TagMismatch;

impl core::fmt::Display for TagMismatch {
    fn fmt(&self, f: &mut core::fmt::Formatter<'_>) -> core::fmt::Result {
        f.write_str("AEAD authentication tag mismatch")
    }
}

impl core::error::Error for TagMismatch {}