repartee 0.9.1

A modern terminal IRC client built with Ratatui and Tokio
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312

//! RPE2E01 wire format: encode/decode `+RPE2E01 <msgid> <ts> <part>/<total> <nonce_b64>:<ct_b64>`.
//!
//! Each chunk is a standalone cryptographic unit โ€” receivers decrypt and
//! render immediately without reassembly state (see architecture spec ยง6).

// Items in this module are wired into `E2eManager` in later tasks (12+).
#![allow(dead_code)]

use base64::{Engine as _, engine::general_purpose::STANDARD as B64};

use crate::e2e::error::{E2eError, Result};
use crate::e2e::{MAX_CHUNKS, PROTO};

/// Wire prefix magic.
pub const WIRE_PREFIX: &str = "+RPE2E01";

/// 8-byte random message ID (shared across chunks of a single logical message).
pub type MsgId = [u8; 8];

/// Parsed components of a single RPE2E01 chunk.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct WireChunk {
    pub msgid: MsgId,
    pub ts: i64,
    pub part: u8,
    pub total: u8,
    pub nonce: [u8; 24],
    pub ciphertext: Vec<u8>,
}

impl WireChunk {
    /// Serialize into an IRC-safe one-line payload (no trailing newline).
    pub fn encode(&self) -> Result<String> {
        if self.total == 0 || self.total > MAX_CHUNKS {
            return Err(E2eError::ChunkLimit(self.total));
        }
        if self.part == 0 || self.part > self.total {
            return Err(E2eError::Wire(format!(
                "invalid part/total: {}/{}",
                self.part, self.total
            )));
        }
        let msgid = hex::encode(self.msgid);
        let nonce_b64 = B64.encode(self.nonce);
        let ct_b64 = B64.encode(&self.ciphertext);
        Ok(format!(
            "{WIRE_PREFIX} {msgid} {ts} {part}/{total} {nonce_b64}:{ct_b64}",
            ts = self.ts,
            part = self.part,
            total = self.total,
        ))
    }

    /// Parse an incoming wire line. Returns `Ok(None)` if the line does not
    /// start with the RPE2E01 prefix (i.e. cleartext), `Err` on malformed.
    pub fn parse(line: &str) -> Result<Option<Self>> {
        let rest = match line.strip_prefix(WIRE_PREFIX) {
            Some(r) => r.trim_start(),
            None => return Ok(None),
        };
        let mut fields = rest.split_whitespace();
        let msgid_hex = fields
            .next()
            .ok_or_else(|| E2eError::Wire("missing msgid".into()))?;
        let ts_str = fields
            .next()
            .ok_or_else(|| E2eError::Wire("missing ts".into()))?;
        let parttot = fields
            .next()
            .ok_or_else(|| E2eError::Wire("missing part/total".into()))?;
        let body = fields
            .next()
            .ok_or_else(|| E2eError::Wire("missing body".into()))?;
        if fields.next().is_some() {
            return Err(E2eError::Wire("extra fields".into()));
        }

        if msgid_hex.len() != 16 {
            return Err(E2eError::Wire("msgid must be 16 hex chars".into()));
        }
        let msgid_vec = hex::decode(msgid_hex)?;
        let mut msgid = [0u8; 8];
        msgid.copy_from_slice(&msgid_vec);

        let ts: i64 = ts_str
            .parse()
            .map_err(|e| E2eError::Wire(format!("bad ts: {e}")))?;

        let (p, t) = parttot
            .split_once('/')
            .ok_or_else(|| E2eError::Wire("part/total missing slash".into()))?;
        let part: u8 = p
            .parse()
            .map_err(|e| E2eError::Wire(format!("bad part: {e}")))?;
        let total: u8 = t
            .parse()
            .map_err(|e| E2eError::Wire(format!("bad total: {e}")))?;
        if total == 0 || total > MAX_CHUNKS || part == 0 || part > total {
            return Err(E2eError::Wire(format!("bad part/total {part}/{total}")));
        }

        let (nonce_b64, ct_b64) = body
            .split_once(':')
            .ok_or_else(|| E2eError::Wire("missing nonce:ct separator".into()))?;
        let nonce_vec = B64.decode(nonce_b64)?;
        if nonce_vec.len() != 24 {
            return Err(E2eError::Wire(format!(
                "nonce must be 24 bytes, got {}",
                nonce_vec.len()
            )));
        }
        let mut nonce = [0u8; 24];
        nonce.copy_from_slice(&nonce_vec);
        let ciphertext = B64.decode(ct_b64)?;

        Ok(Some(Self {
            msgid,
            ts,
            part,
            total,
            nonce,
            ciphertext,
        }))
    }
}

/// Construct the AAD (Additional Authenticated Data) for a chunk.
///
/// AAD layout (length-prefixed, big-endian):
///
/// ```text
/// PROTO(7 bytes, fixed)
///   || be16(channel.len)   || channel
///   || be16(8)              || msgid (8 bytes)
///   || be16(8)              || ts_be (8 bytes)
///   || be16(1)              || part  (1 byte)
///   || be16(1)              || total (1 byte)
/// ```
///
/// Every non-const field gets a `u16` big-endian length prefix โ€” even the
/// fixed-size ones โ€” so the parser is trivially position-independent and
/// no malicious channel name can shift later fields. The PROTO prefix is
/// a constant 7 bytes (`"RPE2E01"`) and is therefore not length-prefixed.
///
/// Note โ€” the sender handle is **not** in AAD. Sender authentication is
/// enforced at the keyring layer: on decrypt the receiver looks up the
/// incoming session by `(handle_from_IRC_prefix, channel)`, so only the
/// real server-stamped sender can produce a ciphertext the receiver will
/// even attempt to decrypt. Duplicating that binding inside AAD would
/// force the sender to know its own `ident@host` before encrypting, which
/// it does not on every IRC network.
pub fn build_aad(channel: &str, msgid: MsgId, ts: i64, part: u8, total: u8) -> Vec<u8> {
    // 7 (PROTO) + 2 + channel.len() + 2 + 8 + 2 + 8 + 2 + 1 + 2 + 1 = 35 + channel.len()
    let mut aad = Vec::with_capacity(35 + channel.len());
    aad.extend_from_slice(PROTO.as_bytes());
    // be16(channel.len) || channel
    let chan_len = u16::try_from(channel.len()).unwrap_or(u16::MAX);
    aad.extend_from_slice(&chan_len.to_be_bytes());
    aad.extend_from_slice(channel.as_bytes());
    // be16(8) || msgid
    aad.extend_from_slice(&8u16.to_be_bytes());
    aad.extend_from_slice(&msgid);
    // be16(8) || ts_be
    aad.extend_from_slice(&8u16.to_be_bytes());
    aad.extend_from_slice(&ts.to_be_bytes());
    // be16(1) || part
    aad.extend_from_slice(&1u16.to_be_bytes());
    aad.push(part);
    // be16(1) || total
    aad.extend_from_slice(&1u16.to_be_bytes());
    aad.push(total);
    aad
}

/// Generate a fresh 8-byte random message ID.
pub fn fresh_msgid() -> MsgId {
    let mut id = [0u8; 8];
    rand::fill(&mut id);
    id
}

#[cfg(test)]
mod tests {
    use super::*;

    fn sample_chunk() -> WireChunk {
        WireChunk {
            msgid: [0xab; 8],
            ts: 1_712_000_000,
            part: 1,
            total: 1,
            nonce: [0x42; 24],
            ciphertext: vec![0xde, 0xad, 0xbe, 0xef],
        }
    }

    #[test]
    fn encode_starts_with_prefix() {
        let enc = sample_chunk().encode().unwrap();
        assert!(enc.starts_with(WIRE_PREFIX));
    }

    #[test]
    fn encode_roundtrip() {
        let c = sample_chunk();
        let enc = c.encode().unwrap();
        let parsed = WireChunk::parse(&enc).unwrap().unwrap();
        assert_eq!(parsed, c);
    }

    #[test]
    fn parse_cleartext_returns_none() {
        assert_eq!(WireChunk::parse("hello world").unwrap(), None);
        assert_eq!(WireChunk::parse("").unwrap(), None);
    }

    #[test]
    fn parse_rejects_invalid_part_total() {
        let mut c = sample_chunk();
        c.total = 0;
        assert!(c.encode().is_err());
        c.total = 17;
        assert!(c.encode().is_err());
        c.total = 3;
        c.part = 4;
        assert!(c.encode().is_err());
    }

    #[test]
    fn parse_rejects_bad_nonce_length() {
        let bad = "+RPE2E01 abababababababab 1712000000 1/1 YWJj:ZGVm";
        // "YWJj" decodes to 3 bytes, not 24
        assert!(WireChunk::parse(bad).is_err());
    }

    #[test]
    fn build_aad_is_deterministic() {
        let a = build_aad("#chan", [1; 8], 100, 1, 3);
        let b = build_aad("#chan", [1; 8], 100, 1, 3);
        assert_eq!(a, b);
    }

    #[test]
    fn build_aad_sensitive_to_every_field() {
        let base = build_aad("#chan", [1; 8], 100, 1, 3);
        assert_ne!(base, build_aad("#other", [1; 8], 100, 1, 3));
        assert_ne!(base, build_aad("#chan", [2; 8], 100, 1, 3));
        assert_ne!(base, build_aad("#chan", [1; 8], 101, 1, 3));
        assert_ne!(base, build_aad("#chan", [1; 8], 100, 2, 3));
        assert_ne!(base, build_aad("#chan", [1; 8], 100, 1, 4));
    }

    /// Golden AAD byte sequence for `build_aad("#chan", [1;8], 100, 1, 3)`.
    ///
    /// This is load-bearing for cross-client interop โ€” the weechat
    /// `scripts/weechat/rpe2e.py::build_aad` must produce the exact same
    /// bytes for the same inputs. If you change this vector, update the
    /// Python script in lockstep.
    ///
    /// Reproducible in Python:
    ///
    /// ```python
    /// import struct
    /// PROTO = b"RPE2E01"
    /// chan = b"#chan"; msgid = b"\x01"*8; ts = 100; part = 1; total = 3
    /// out = PROTO
    /// out += struct.pack(">H", len(chan)) + chan
    /// out += struct.pack(">H", 8) + msgid
    /// out += struct.pack(">H", 8) + struct.pack(">q", ts)
    /// out += struct.pack(">H", 1) + bytes([part])
    /// out += struct.pack(">H", 1) + bytes([total])
    /// assert len(out) == 40
    /// ```
    #[test]
    fn build_aad_golden_vector() {
        let got = build_aad("#chan", [1u8; 8], 100, 1, 3);
        let expected: Vec<u8> = vec![
            // PROTO = "RPE2E01"
            0x52, 0x50, 0x45, 0x32, 0x45, 0x30, 0x31, // be16(5) || "#chan"
            0x00, 0x05, 0x23, 0x63, 0x68, 0x61, 0x6e, // be16(8) || msgid (8x 0x01)
            0x00, 0x08, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
            // be16(8) || ts=100 be64
            0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x64,
            // be16(1) || part=1
            0x00, 0x01, 0x01, // be16(1) || total=3
            0x00, 0x01, 0x03,
        ];
        assert_eq!(got.len(), 40, "AAD length mismatch");
        assert_eq!(got, expected, "AAD golden byte sequence mismatch");
    }

    /// Colon-in-channel attack: with the old `:`-joined format, a channel
    /// containing `:` could shift later AAD fields. The length-prefixed
    /// layout must keep `"#a:b"` distinct from any other arrangement that
    /// happens to concatenate the same bytes.
    #[test]
    fn build_aad_length_prefix_rejects_colon_ambiguity() {
        let a = build_aad("#a:b", [1; 8], 100, 1, 3);
        let b = build_aad("#a", [1; 8], 100, 1, 3);
        assert_ne!(a, b);
        // `#a` has len 2 whose be16 is 0x00 0x02 โ€” never equal to the bytes
        // of `#a:b` under a length-prefixed layout.
        assert_ne!(a.len(), b.len());
    }

    #[test]
    fn fresh_msgid_is_random_ish() {
        let a = fresh_msgid();
        let b = fresh_msgid();
        assert_ne!(a, b);
    }
}