
Commit 1091c9e

author
Tobias Waurick
committed
feat: openssl aead implemenation
1 parent bac7f8f commit 1091c9e


2 files changed

+82
-9
lines changed


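--- a/src/crypto/openssl/aead.rs
+++ b/src/crypto/openssl/aead.rs
@@ -15,15 +15,29 @@ use crate::{
 error::SframeError,
 };
 
+const NONCE_LEN: usize = 12;
+
 pub struct Tag(Vec<u8>);
+
+impl Tag {
+fn new(len: usize) -> Self {
+Tag(vec![0; len])
+}
+}
+
 impl AsRef<[u8]> for Tag {
 fn as_ref(&self) -> &[u8] {
-self.0.as_ref()
+&self.0
+}
+}
+
+impl AsMut<[u8]> for Tag {
+fn as_mut(&mut self) -> &mut [u8] {
+&mut self.0
 }
 }
 
 impl AeadEncrypt for CipherSuite {
-// TODO
 type AuthTag = Tag;
 fn encrypt<IoBuffer, Aad>(
 &self,
@@ -36,7 +50,29 @@ impl AeadEncrypt for CipherSuite {
 IoBuffer: AsMut<[u8]> + ?Sized,
 Aad: AsRef<[u8]> + ?Sized,
 {
-todo!()
+let io_buffer = io_buffer.as_mut();
+
+let cipher = self.variant.into();
+let nonce = secret.create_nonce::<NONCE_LEN>(&frame_count);
+let mut tag = Tag::new(self.auth_tag_len);
+
+let out = openssl::symm::encrypt_aead(
+cipher,
+&secret.key,
+Some(&nonce),
+aad_buffer.as_ref(),
+io_buffer,
+tag.as_mut(),
+)
+.map_err(|_| SframeError::EncryptionFailure)?;
+
+debug_assert!(
+out.len() == io_buffer.len(),
+"For a symmetric encryption it is given that the output has the same length as the input"
+);
+io_buffer.copy_from_slice(&out[..io_buffer.len()]);
+
+Ok(tag)
 }
 }
 
@@ -52,6 +88,43 @@ impl AeadDecrypt for CipherSuite {
 IoBuffer: AsMut<[u8]> + ?Sized,
 Aad: AsRef<[u8]> + ?Sized,
 {
-todo!()
+let io_buffer = io_buffer.as_mut();
+if io_buffer.len() < self.auth_tag_len {
+return Err(SframeError::DecryptionFailure);
+}
+
+let cipher = self.variant.into();
+let nonce = secret.create_nonce::<NONCE_LEN>(&frame_count);
+
+let encrypted_len = io_buffer.len() - self.auth_tag_len;
+let encrypted_data = &io_buffer[..encrypted_len];
+let tag = &io_buffer[encrypted_len..];
+
+let out = openssl::symm::decrypt_aead(
+cipher,
+&secret.key,
+Some(&nonce),
+aad_buffer.as_ref(),
+encrypted_data,
+tag,
+)
+.map_err(|_| SframeError::EncryptionFailure)?;
+
+debug_assert!(
+out.len() == encrypted_len,
+"For a symmetric encryption it is given that the output has the same length as the input"
+);
+io_buffer[..encrypted_len].copy_from_slice(&out);
+
+Ok(&mut io_buffer[..encrypted_len])
+}
+}
+
+impl From<CipherSuiteVariant> for openssl::symm::Cipher {
+fn from(variant: CipherSuiteVariant) -> Self {
+match variant {
+CipherSuiteVariant::AesGcm128Sha256 => openssl::symm::Cipher::aes_128_gcm(),
+CipherSuiteVariant::AesGcm256Sha512 => openssl::symm::Cipher::aes_256_gcm(),
+}
 }
 }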
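Review bot: The new `decrypt` body maps an OpenSSL failure to the wrong variant: `.map_err(|_| SframeError::EncryptionFailure)?` after `decrypt_aead` reports a rejected authentication tag as an encryption error, while the short-buffer guard just above it returns `SframeError::DecryptionFailure`. A failed tag check is the event a receiver most needs to count and alert on, so the line should read `.map_err(|_| SframeError::DecryptionFailure)?;`. The `debug_assert!` message in `decrypt` still says "encryption" as well. Both length checks are `debug_assert!` only, so in release builds the `copy_from_slice` that follows is what enforces the length, and it would panic rather than return an `SframeError` if the lengths ever differed; presumably GCM always satisfies this, but a one-line comment saying so would help. The signatures of `encrypt` and `decrypt` begin outside the hunks shown.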

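--- a/src/crypto/openssl/key_expansion.rs
+++ b/src/crypto/openssl/key_expansion.rs
@@ -62,7 +62,7 @@ fn expand_key(
 let mut ctx = init_openssl_ctx(cipher_suite)?;
 
 ctx.set_hkdf_mode(openssl::pkey_ctx::HkdfMode::EXPAND_ONLY)?;
-ctx.set_hkdf_key(&prk)?;
+ctx.set_hkdf_key(prk)?;
 ctx.add_hkdf_info(info)?;
 
 let mut key = vec![0; key_len];
@@ -77,15 +77,15 @@ fn init_openssl_ctx(
 let mut ctx = openssl::pkey_ctx::PkeyCtx::new_id(openssl::pkey::Id::HKDF)?;
 ctx.derive_init()?;
 
-let digest = cipher_suite.into();
+let digest = cipher_suite.variant.into();
 ctx.set_hkdf_md(digest)?;
 
 Ok(ctx)
 }
 
-impl Into<&'static openssl::md::MdRef> for &CipherSuite {
-fn into(self) -> &'static openssl::md::MdRef {
-match self.variant {
+impl From<CipherSuiteVariant> for &'static openssl::md::MdRef {
+fn from(variant: CipherSuiteVariant) -> Self {
+match variant {
 CipherSuiteVariant::AesGcm128Sha256 => openssl::md::Md::sha256(),
 CipherSuiteVariant::AesGcm256Sha512 => openssl::md::Md::sha512(),
 }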
