feat: Aes ctr mode ciphers for openssl

I added the necessary key expansion and crypto methods stated in the draft. They can be verified working with the provided test vectors.

Author: Tobias Waurick

README.md

@@ -13,15 +13,16 @@ It is in it's current form a subset of the specification.
 There is an alternative implementation under [goto-opensource/secure-frame-ts](https://github.com/goto-opensource/secure-frame-ts)
 
 ## Differences from the sframe draft
-* Aes-CTR is not implemented
 * ratcheting is not implemented
 * keyIds are used as senderIds
+* no metadata authentication 
 
 ## Supported crypto libraries
 Currently two crypto libraries are supported:
 - [ring](https://crates.io/crates/ring) 
     - is enabled per default with the feature `ring`
     - supports compilation to Wasm32
+    - Aes-CTR mode ciphers are not supported
 - [openssl](https://crates.io/crates/openssl)
     - is enabled with the feature `openssl`
         - To build e.g. use `cargo build --features openssl --no-default-features`

src/crypto/aead.rs

@@ -66,7 +66,9 @@ mod test {
         }
 
         mod test_vectors {
-            use crate::test_vectors::get_test_vector;
+
+            use crate::crypto::key_expansion::KeyExpansion;
+            use crate::test_vectors::{get_test_vector, TestVector};
 
             use crate::{
                 crypto::{
@@ -82,10 +84,7 @@ mod test {
                 let test_vector = get_test_vector(&variant.to_string());
                 let cipher_suite = CipherSuite::from(variant);
 
-                let secret = Secret {
-                    key: test_vector.key.clone(),
-                    salt: test_vector.salt.clone(),
-                };
+                let secret = prepare_secret(&cipher_suite, test_vector);
 
                 for enc in &test_vector.encryptions {
                     let mut data = test_vector.plain_text.clone();
@@ -111,10 +110,7 @@ mod test {
                 let test_vector = get_test_vector(&variant.to_string());
                 let cipher_suite = CipherSuite::from(variant);
 
-                let secret = Secret {
-                    key: test_vector.key.clone(),
-                    salt: test_vector.salt.clone(),
-                };
+                let secret = prepare_secret(&cipher_suite, test_vector);
 
                 for enc in &test_vector.encryptions {
                     let header = Header::with_frame_count(
@@ -132,6 +128,14 @@ mod test {
                 }
             }
 
+            fn prepare_secret(cipher_suite: &CipherSuite, test_vector: &TestVector) -> Secret {
+                if cipher_suite.is_ctr_mode() {
+                    Secret::expand_from(cipher_suite, &test_vector.key_material).unwrap()
+                } else {
+                    Secret::from_test_vector(test_vector)
+                }
+            }
+
             #[test]
             fn encrypt_test_vector_aes_gcm_128_sha256() {
                 encrypt_test_vector(CipherSuiteVariant::AesGcm128Sha256);
@@ -151,6 +155,33 @@ mod test {
             fn should_decrypt_test_vectors_aes_gcm_256_sha512() {
                 decrypt_test_vector(CipherSuiteVariant::AesGcm256Sha512);
             }
+
+            #[cfg(not(feature = "ring"))]
+            mod aes_ctr {
+                use crate::CipherSuiteVariant;
+
+                use super::{decrypt_test_vector, encrypt_test_vector};
+
+                #[test]
+                fn should_encrypt_test_vectors_aes_ctr_64_hmac_sha256_64() {
+                    encrypt_test_vector(CipherSuiteVariant::AesCtr128HmacSha256_64);
+                }
+
+                #[test]
+                fn should_decrypt_test_vectors_aes_ctr_64_hmac_sha256_64() {
+                    decrypt_test_vector(CipherSuiteVariant::AesCtr128HmacSha256_64);
+                }
+
+                #[test]
+                fn should_encrypt_test_vectors_aes_ctr_64_hmac_sha256_32() {
+                    encrypt_test_vector(CipherSuiteVariant::AesCtr128HmacSha256_32);
+                }
+
+                #[test]
+                fn should_decrypt_test_vectors_aes_ctr_64_hmac_sha256_32() {
+                    decrypt_test_vector(CipherSuiteVariant::AesCtr128HmacSha256_32);
+                }
+            }
         }
     }
 }

src/crypto/cipher_suite.rs

@@ -8,9 +8,12 @@
 #[cfg_attr(test, derive(strum_macros::Display))]
 pub enum CipherSuiteVariant {
     // /// counter mode is [not implemented in ring](https://github.com/briansmith/ring/issues/656)
-    // AesCtr128HmacSha256_80,
-    // AesCtr128HmacSha256_64,
-    // AesCtr128HmacSha256_32,
+    #[cfg(not(feature = "ring"))]
+    AesCtr128HmacSha256_80,
+    #[cfg(not(feature = "ring"))]
+    AesCtr128HmacSha256_64,
+    #[cfg(not(feature = "ring"))]
+    AesCtr128HmacSha256_32,
     /// encryption: AES GCM 128, key expansion: HKDF with SHA256
     AesGcm128Sha256,
     /// encryption: AES GCM 256, key expansion: HKDF with SHA512
@@ -29,9 +32,31 @@ pub struct CipherSuite {
 impl From<CipherSuiteVariant> for CipherSuite {
     fn from(variant: CipherSuiteVariant) -> Self {
         match variant {
-            // CipherSuiteVariant::AesCtr128HmacSha256_80 => unimplemented!(),
-            // CipherSuiteVariant::AesCtr128HmacSha256_64 => unimplemented!(),
-            // CipherSuiteVariant::AesCtr128HmacSha256_32 => unimplemented!(),
+            #[cfg(not(feature = "ring"))]
+            CipherSuiteVariant::AesCtr128HmacSha256_80 => CipherSuite {
+                variant,
+                hash_len: 32,
+                key_len: 16,
+                nonce_len: 12,
+                auth_tag_len: 10,
+            },
+
+            #[cfg(not(feature = "ring"))]
+            CipherSuiteVariant::AesCtr128HmacSha256_64 => CipherSuite {
+                variant,
+                hash_len: 32,
+                key_len: 16,
+                nonce_len: 12,
+                auth_tag_len: 8,
+            },
+            #[cfg(not(feature = "ring"))]
+            CipherSuiteVariant::AesCtr128HmacSha256_32 => CipherSuite {
+                variant,
+                hash_len: 32,
+                key_len: 16,
+                nonce_len: 12,
+                auth_tag_len: 4,
+            },
             CipherSuiteVariant::AesGcm128Sha256 => CipherSuite {
                 variant,
                 hash_len: 32,
@@ -49,3 +74,16 @@ impl From<CipherSuiteVariant> for CipherSuite {
         }
     }
 }
+
+impl CipherSuite {
+    #[allow(dead_code)]
+    pub(crate) fn is_ctr_mode(&self) -> bool {
+        match self.variant {
+            #[cfg(not(feature = "ring"))]
+            CipherSuiteVariant::AesCtr128HmacSha256_80
+            | CipherSuiteVariant::AesCtr128HmacSha256_64
+            | CipherSuiteVariant::AesCtr128HmacSha256_32 => true,
+            CipherSuiteVariant::AesGcm128Sha256 | CipherSuiteVariant::AesGcm256Sha512 => false,
+        }
+    }
+}

src/crypto/key_expansion.rs

@@ -14,6 +14,13 @@ pub const SFRAME_HKDF_SALT: &[u8] = "SFrame10".as_bytes();
 pub const SFRAME_HKDF_KEY_EXPAND_INFO: &[u8] = "key".as_bytes();
 pub const SFRAME_HDKF_SALT_EXPAND_INFO: &[u8] = "salt".as_bytes();
 
+#[cfg(not(feature = "ring"))]
+pub const SFRAME_HKDF_SUB_SALT: &[u8] = "SFrame10 AES CTR AEAD".as_bytes();
+#[cfg(not(feature = "ring"))]
+pub const SFRAME_HKDF_SUB_ENC_EXPAND_INFO: &[u8] = "enc".as_bytes();
+#[cfg(not(feature = "ring"))]
+pub const SFRAME_HDKF_SUB_AUTH_EXPAND_INFO: &[u8] = "auth".as_bytes();
+
 #[cfg(test)]
 mod test {
     use crate::crypto::cipher_suite::CipherSuite;
@@ -24,7 +31,7 @@ mod test {
 
     use super::KeyExpansion;
 
-    fn derive_correct_keys(variant: CipherSuiteVariant) {
+    fn derive_correct_base_keys(variant: CipherSuiteVariant) {
         let test_vector = get_test_vector(&variant.to_string());
         let secret =
             Secret::expand_from(&CipherSuite::from(variant), &test_vector.key_material).unwrap();
@@ -35,11 +42,43 @@ mod test {
 
     #[test]
     fn derive_correct_keys_aes_gcm_128_sha256() {
-        derive_correct_keys(CipherSuiteVariant::AesGcm128Sha256);
+        derive_correct_base_keys(CipherSuiteVariant::AesGcm128Sha256);
     }
 
     #[test]
     fn derive_correct_keys_aes_gcm_256_sha512() {
-        derive_correct_keys(CipherSuiteVariant::AesGcm256Sha512);
+        derive_correct_base_keys(CipherSuiteVariant::AesGcm256Sha512);
+    }
+
+    #[cfg(not(feature = "ring"))]
+    mod aes_ctr {
+        use super::*;
+
+        fn derive_correct_sub_keys(variant: CipherSuiteVariant) {
+            let test_vector = get_test_vector(&variant.to_string());
+            let cipher_suite = CipherSuite::from(variant);
+            let secret = Secret::expand_from(&cipher_suite, &test_vector.key_material).unwrap();
+
+            assert_bytes_eq(&secret.salt, &test_vector.salt);
+            // the subkeys stored in secret.key and secret.auth are not included in the test vectors
+            assert_eq!(secret.auth.unwrap().len(), cipher_suite.hash_len);
+            assert_eq!(secret.key.len(), cipher_suite.key_len);
+        }
+
+        #[test]
+        fn derive_correct_keys_aes_ctr_128_hmac_sha256_64() {
+            derive_correct_sub_keys(CipherSuiteVariant::AesCtr128HmacSha256_64);
+        }
+
+        #[test]
+        fn derive_correct_keys_aes_ctr_128_hmac_sha256_32() {
+            derive_correct_sub_keys(CipherSuiteVariant::AesCtr128HmacSha256_32);
+        }
+
+        // AesCtr128HmacSha256_80 is not available in the test vectors
+        // #[test]
+        // fn derive_correct_keys_aes_ctr_128_hmac_sha256_80() {
+        //     derive_correct_sub_keys(CipherSuiteVariant::AesCtr128HmacSha256_80);
+        // }
     }
 }