Skip to main content

rns_core/link/
crypto.rs

1use alloc::vec::Vec;
2
3use rns_crypto::token::Token;
4use rns_crypto::Rng;
5
6use super::types::LinkError;
7
8/// Create a Token from a derived session key.
9///
10/// 32 bytes → AES-128-CBC, 64 bytes → AES-256-CBC.
11pub fn create_session_token(derived_key: &[u8]) -> Result<Token, LinkError> {
12    Token::new(derived_key).map_err(|_| LinkError::CryptoError)
13}
14
15/// Encrypt plaintext for link transmission.
16pub fn link_encrypt(token: &Token, plaintext: &[u8], rng: &mut dyn Rng) -> Vec<u8> {
17    token.encrypt(plaintext, rng)
18}
19
20/// Decrypt ciphertext received on link.
21pub fn link_decrypt(token: &Token, ciphertext: &[u8]) -> Result<Vec<u8>, LinkError> {
22    token
23        .decrypt(ciphertext)
24        .map_err(|_| LinkError::CryptoError)
25}
26
27#[cfg(test)]
28mod tests {
29    use super::*;
30    use rns_crypto::FixedRng;
31
32    #[test]
33    fn test_encrypt_decrypt_roundtrip_aes128() {
34        let key = [0x42u8; 32];
35        let token = create_session_token(&key).unwrap();
36        let mut rng = FixedRng::new(&[0xAA; 16]);
37        let plaintext = b"Hello, Link!";
38        let encrypted = link_encrypt(&token, plaintext, &mut rng);
39        let decrypted = link_decrypt(&token, &encrypted).unwrap();
40        assert_eq!(decrypted, plaintext);
41    }
42
43    #[test]
44    fn test_encrypt_decrypt_roundtrip_aes256() {
45        let key = [0x42u8; 64];
46        let token = create_session_token(&key).unwrap();
47        let mut rng = FixedRng::new(&[0xBB; 16]);
48        let plaintext = b"Hello, Link AES-256!";
49        let encrypted = link_encrypt(&token, plaintext, &mut rng);
50        let decrypted = link_decrypt(&token, &encrypted).unwrap();
51        assert_eq!(decrypted, plaintext);
52    }
53
54    #[test]
55    fn test_wrong_key_fails() {
56        let key1 = [0x42u8; 64];
57        let key2 = [0x43u8; 64];
58        let token1 = create_session_token(&key1).unwrap();
59        let token2 = create_session_token(&key2).unwrap();
60        let mut rng = FixedRng::new(&[0xCC; 16]);
61        let encrypted = link_encrypt(&token1, b"secret", &mut rng);
62        assert!(link_decrypt(&token2, &encrypted).is_err());
63    }
64
65    #[test]
66    fn test_invalid_key_length() {
67        let key = [0u8; 48];
68        assert!(create_session_token(&key).is_err());
69    }
70
71    #[test]
72    fn test_mode_detection() {
73        // 32-byte key → AES-128
74        assert!(create_session_token(&[0u8; 32]).is_ok());
75        // 64-byte key → AES-256
76        assert!(create_session_token(&[0u8; 64]).is_ok());
77    }
78}