refactor: KeyExpansion trait

Now is implemented by cipher suite. this makes it easier to extract another secret for auth tag shortening

Author: Tobias Waurick

src/crypto/aead.rs

@@ -39,7 +39,8 @@ mod test {
             crypto::{
                 aead::AeadEncrypt,
                 cipher_suite::{CipherSuite, CipherSuiteVariant},
-                key_expansion::{ExpandAsSecret, KeyMaterial},
+                key_expansion::KeyExpansion,
+                secret::Secret,
             },
             header::{Header, HeaderFields},
         };
@@ -52,9 +53,7 @@ mod test {
             thread_rng().fill(data.as_mut_slice());
             let header = Header::default();
             let cipher_suite = CipherSuite::from(CipherSuiteVariant::AesGcm256Sha512);
-            let secret = KeyMaterial(KEY_MATERIAL.as_bytes())
-                .expand_as_secret(&cipher_suite)
-                .unwrap();
+            let secret = Secret::expand_from(&cipher_suite, KEY_MATERIAL.as_bytes()).unwrap();
 
             let _tag = cipher_suite
                 .encrypt(

src/crypto/key_expansion.rs

@@ -4,11 +4,10 @@
 use super::{cipher_suite::CipherSuite, secret::Secret};
 use crate::error::Result;
 
-#[derive(Debug, Default, Clone, Copy)]
-pub struct KeyMaterial<'a>(pub &'a [u8]);
-
-pub trait ExpandAsSecret {
-    fn expand_as_secret(&self, cipher_suite: &CipherSuite) -> Result<Secret>;
+pub trait KeyExpansion {
+    fn expand_from<T>(cipher_suite: &CipherSuite, key_material: T) -> Result<Secret>
+    where
+        T: AsRef<[u8]>;
 }
 
 pub const SFRAME_HKDF_SALT: &[u8] = "SFrame10".as_bytes();
@@ -17,23 +16,19 @@ pub const SFRAME_HDKF_SALT_EXPAND_INFO: &[u8] = "salt".as_bytes();
 
 #[cfg(test)]
 mod test {
+    use crate::crypto::cipher_suite::CipherSuite;
+    use crate::crypto::secret::Secret;
     use crate::test_vectors::get_test_vector;
 
-    use crate::{
-        crypto::{
-            cipher_suite::{CipherSuite, CipherSuiteVariant},
-            key_expansion::KeyMaterial,
-        },
-        util::test::assert_bytes_eq,
-    };
+    use crate::{crypto::cipher_suite::CipherSuiteVariant, util::test::assert_bytes_eq};
 
-    use super::ExpandAsSecret;
+    use super::KeyExpansion;
 
     fn derive_correct_keys(variant: CipherSuiteVariant) {
         let test_vector = get_test_vector(&variant.to_string());
-        let secret = KeyMaterial(&test_vector.key_material)
-            .expand_as_secret(&CipherSuite::from(variant))
-            .unwrap();
+        let secret =
+            Secret::expand_from(&CipherSuite::from(variant), &test_vector.key_material).unwrap();
+
         assert_bytes_eq(&secret.key, &test_vector.key);
         assert_bytes_eq(&secret.salt, &test_vector.salt);
     }

src/crypto/openssl/key_expansion.rs

@@ -5,26 +5,29 @@ use crate::{
     crypto::{
         cipher_suite::{CipherSuite, CipherSuiteVariant},
         key_expansion::{
-            ExpandAsSecret, KeyMaterial, SFRAME_HDKF_SALT_EXPAND_INFO, SFRAME_HKDF_KEY_EXPAND_INFO,
+            KeyExpansion, SFRAME_HDKF_SALT_EXPAND_INFO, SFRAME_HKDF_KEY_EXPAND_INFO,
             SFRAME_HKDF_SALT,
         },
         secret::Secret,
     },
     error::{Result, SframeError},
 };
 
-impl ExpandAsSecret for KeyMaterial<'_> {
-    fn expand_as_secret(&self, cipher_suite: &CipherSuite) -> Result<Secret> {
+impl KeyExpansion for Secret {
+    fn expand_from<T>(cipher_suite: &CipherSuite, key_material: T) -> Result<Secret>
+    where
+        T: AsRef<[u8]>,
+    {
         let try_expand = || {
-            let prk = extract_prk(cipher_suite, self.0)?;
+            let prk = extract_prk(&cipher_suite, key_material.as_ref())?;
             let key = expand_key(
-                cipher_suite,
+                &cipher_suite,
                 &prk,
                 SFRAME_HKDF_KEY_EXPAND_INFO,
                 cipher_suite.key_len,
             )?;
             let salt = expand_key(
-                cipher_suite,
+                &cipher_suite,
                 &prk,
                 SFRAME_HDKF_SALT_EXPAND_INFO,
                 cipher_suite.nonce_len,

src/crypto/ring/key_expansion.rs

@@ -5,18 +5,21 @@ use crate::{
     crypto::{
         cipher_suite::{CipherSuite, CipherSuiteVariant},
         key_expansion::{
-            ExpandAsSecret, KeyMaterial, SFRAME_HDKF_SALT_EXPAND_INFO, SFRAME_HKDF_KEY_EXPAND_INFO,
+            KeyExpansion, SFRAME_HDKF_SALT_EXPAND_INFO, SFRAME_HKDF_KEY_EXPAND_INFO,
             SFRAME_HKDF_SALT,
         },
         secret::Secret,
     },
     error::{Result, SframeError},
 };
 
-impl ExpandAsSecret for KeyMaterial<'_> {
-    fn expand_as_secret(&self, cipher_suite: &CipherSuite) -> Result<Secret> {
-        let algorithm = cipher_suite.into();
-        let prk = ring::hkdf::Salt::new(algorithm, SFRAME_HKDF_SALT).extract(self.0);
+impl KeyExpansion for Secret {
+    fn expand_from<T>(cipher_suite: &CipherSuite, key_material: T) -> Result<Secret>
+    where
+        T: AsRef<[u8]>,
+    {
+        let algorithm = cipher_suite.variant.into();
+        let prk = ring::hkdf::Salt::new(algorithm, SFRAME_HKDF_SALT).extract(key_material.as_ref());
 
         let key = expand_key(&prk, SFRAME_HKDF_KEY_EXPAND_INFO, cipher_suite.key_len)?;
         let salt = expand_key(&prk, SFRAME_HDKF_SALT_EXPAND_INFO, cipher_suite.nonce_len)?;
@@ -33,9 +36,9 @@ impl ring::hkdf::KeyType for OkmKeyLength {
     }
 }
 
-impl From<&CipherSuite> for ring::hkdf::Algorithm {
-    fn from(cipher_suite: &CipherSuite) -> Self {
-        match cipher_suite.variant {
+impl From<CipherSuiteVariant> for ring::hkdf::Algorithm {
+    fn from(variant: CipherSuiteVariant) -> Self {
+        match variant {
             CipherSuiteVariant::AesGcm128Sha256 => ring::hkdf::HKDF_SHA256,
             CipherSuiteVariant::AesGcm256Sha512 => ring::hkdf::HKDF_SHA512,
         }

src/crypto/secret.rs

@@ -27,25 +27,24 @@ impl Secret {
 
 #[cfg(test)]
 mod test {
-    use crate::crypto::key_expansion::ExpandAsSecret;
+    use crate::crypto::cipher_suite::CipherSuite;
+    use crate::crypto::key_expansion::KeyExpansion;
     use crate::test_vectors::get_test_vector;
 
     use crate::{
-        crypto::{cipher_suite::CipherSuiteVariant, key_expansion::KeyMaterial},
-        header::FrameCount,
-        util::test::assert_bytes_eq,
+        crypto::cipher_suite::CipherSuiteVariant, header::FrameCount, util::test::assert_bytes_eq,
     };
 
+    use super::Secret;
+
     const NONCE_LEN: usize = 12;
 
-    fn test_nonce(cipher_suite_variant: CipherSuiteVariant) {
-        let tv = get_test_vector(&cipher_suite_variant.to_string());
-        let cipher_suite = cipher_suite_variant.into();
+    fn test_nonce(variant: CipherSuiteVariant) {
+        let tv = get_test_vector(&variant.to_string());
 
         for enc in &tv.encryptions {
-            let secret = KeyMaterial(&tv.key_material)
-                .expand_as_secret(&cipher_suite)
-                .unwrap();
+            let secret =
+                Secret::expand_from(&CipherSuite::from(variant), &tv.key_material).unwrap();
             let nonce: [u8; NONCE_LEN] = secret.create_nonce(&FrameCount::from(enc.frame_count));
             assert_bytes_eq(&nonce, &enc.nonce);
         }

src/receiver.rs

@@ -7,7 +7,7 @@ use crate::{
     crypto::{
         aead::AeadDecrypt,
         cipher_suite::{CipherSuite, CipherSuiteVariant},
-        key_expansion::{ExpandAsSecret, KeyMaterial},
+        key_expansion::KeyExpansion,
         secret::Secret,
     },
     error::{Result, SframeError},
@@ -109,7 +109,7 @@ impl Receiver {
     {
         self.secrets.insert(
             key_id.into(),
-            KeyMaterial(key_material.as_ref()).expand_as_secret(&self.options.cipher_suite)?,
+            Secret::expand_from(&self.options.cipher_suite, key_material)?,
         );
         Ok(())
     }

src/sender.rs

@@ -5,7 +5,7 @@ use crate::{
     crypto::{
         aead::AeadEncrypt,
         cipher_suite::{CipherSuite, CipherSuiteVariant},
-        key_expansion::{ExpandAsSecret, KeyMaterial},
+        key_expansion::KeyExpansion,
         secret::Secret,
     },
     error::{Result, SframeError},
@@ -108,8 +108,7 @@ impl Sender {
     where
         KeyMaterial: AsRef<[u8]> + ?Sized,
     {
-        self.secret =
-            Some(KeyMaterial(key_material.as_ref()).expand_as_secret(&self.cipher_suite)?);
+        self.secret = Some(Secret::expand_from(&self.cipher_suite, key_material)?);
         Ok(())
     }
 }