Support non-standard AEAD ciphers with feature v1-aead-extra

- Enable new ciphers with v1-aead-extra
- Support xchacha20-ietf-poly1305 with libsodium

fixes #8

Author: zonyitoo

Cargo.toml

@@ -1,26 +1,28 @@
 [package]
 name = "shadowsocks-crypto"
-version = "0.2.0"
+version = "0.3.0"
 authors = ["luozijun <[email protected]>"]
 edition = "2018"
 license = "MIT"
-keywords      = [ "Cryptography" ]
-description   = "Shadowsocks Crypto"
-repository    = "https://github.com/shadowsocks/shadowsocks-crypto"
+keywords = ["Cryptography"]
+description = "Shadowsocks Crypto"
+repository = "https://github.com/shadowsocks/shadowsocks-crypto"
 documentation = "https://docs.rs/shadowsocks-crypto"
 # See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
 
 
 [dependencies]
-rand    = "0.8"
+rand = "0.8"
 crypto2 = "0.1"
+libsodium-sys = { version = "0.2", optional = true }
+libc = { version = "0.2", optional = true }
 
 
 [target.'cfg(any(target_arch = "x86", target_arch = "x86_64"))'.dependencies]
-ring   = { version  = "0.16", optional = true  }
+ring = { version  = "0.16", optional = true  }
 
 [target.'cfg(any(target_arch = "arm", target_arch = "aarch64"))'.dependencies]
-ring   = { version  = "0.16", optional = true  }
+ring = { version  = "0.16", optional = true  }
 
 
 [dev-dependencies]
@@ -36,7 +38,8 @@ default = [
 std = [
     "crypto2/std",
 ]
-nightly = [ ]
-v1 = [ ]
-v1-stream = [ "v1" ]
-v1-aead = [ "v1" ]
+nightly = []
+v1 = []
+v1-stream = ["v1"]
+v1-aead = ["v1"]
+v1-aead-extra = ["v1-aead", "libsodium-sys", "libc"]

src/v1/aeadcipher.rs renamed to src/v1/aeadcipher/mod.rs

@@ -22,8 +22,13 @@ pub use crypto2::aeadcipher::{Aes128Gcm, Aes256Gcm, Chacha20Poly1305};
     ),
     feature = "ring"
 ))]
-pub use super::ring::{Aes128Gcm, Aes256Gcm, Chacha20Poly1305};
-use super::CipherKind;
+pub use crate::v1::ring::{Aes128Gcm, Aes256Gcm, Chacha20Poly1305};
+use crate::v1::CipherKind;
+
+#[cfg(feature = "v1-aead-extra")]
+mod sodium;
+#[cfg(feature = "v1-aead-extra")]
+pub use self::sodium::XChacha20Poly1305;
 
 trait AeadCipherExt {
     fn ac_kind(&self) -> CipherKind;
@@ -74,6 +79,7 @@ macro_rules! impl_aead_cipher {
     };
 }
 
+#[cfg(feature = "v1-aead-extra")]
 macro_rules! impl_siv_cmac_cipher {
     ($name:tt, $kind:tt) => {
         impl AeadCipherExt for $name {
@@ -119,34 +125,54 @@ macro_rules! impl_siv_cmac_cipher {
     };
 }
 
+#[cfg(feature = "v1-aead-extra")]
 impl_aead_cipher!(Aes128Ccm, AES_128_CCM);
+#[cfg(feature = "v1-aead-extra")]
 impl_aead_cipher!(Aes256Ccm, AES_256_CCM);
+
 impl_aead_cipher!(Aes128Gcm, AES_128_GCM);
 impl_aead_cipher!(Aes256Gcm, AES_256_GCM);
 
+#[cfg(feature = "v1-aead-extra")]
 impl_aead_cipher!(Aes128GcmSiv, AES_128_GCM_SIV);
+#[cfg(feature = "v1-aead-extra")]
 impl_aead_cipher!(Aes256GcmSiv, AES_256_GCM_SIV);
 
+#[cfg(feature = "v1-aead-extra")]
 impl_aead_cipher!(Aes128OcbTag128, AES_128_OCB_TAGLEN128);
+#[cfg(feature = "v1-aead-extra")]
 impl_aead_cipher!(Aes192OcbTag128, AES_192_OCB_TAGLEN128);
+#[cfg(feature = "v1-aead-extra")]
 impl_aead_cipher!(Aes256OcbTag128, AES_256_OCB_TAGLEN128);
 
 impl_aead_cipher!(Chacha20Poly1305, CHACHA20_POLY1305);
 
+#[cfg(feature = "v1-aead-extra")]
 impl_siv_cmac_cipher!(AesSivCmac256, AES_SIV_CMAC_256);
+#[cfg(feature = "v1-aead-extra")]
 impl_siv_cmac_cipher!(AesSivCmac384, AES_SIV_CMAC_384);
+#[cfg(feature = "v1-aead-extra")]
 impl_siv_cmac_cipher!(AesSivCmac512, AES_SIV_CMAC_512);
 
+#[cfg(feature = "v1-aead-extra")]
+impl_aead_cipher!(XChacha20Poly1305, XCHACHA20_POLY1305);
+
 macro_rules! aead_cipher_variant {
-    ($($name:ident @ $kind:ident,)+) => {
+    ($($(#[cfg($i_meta:meta)])? $name:ident @ $kind:ident,)+) => {
         enum AeadCipherInner {
-            $($name($name),)+
+            $(
+                $(#[cfg($i_meta)])?
+                $name($name),
+            )+
         }
 
         impl AeadCipherInner {
             fn new(kind: CipherKind, key: &[u8]) -> Self {
                 match kind {
-                    $(CipherKind::$kind => AeadCipherInner::$name($name::new(key)),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        CipherKind::$kind => AeadCipherInner::$name($name::new(key)),
+                    )+
                     _ => unreachable!("unrecognized AEAD cipher kind {:?}", kind),
                 }
             }
@@ -155,72 +181,98 @@ macro_rules! aead_cipher_variant {
         impl AeadCipherExt for AeadCipherInner {
             fn ac_kind(&self) -> CipherKind {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_kind(),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_kind(),
+                    )+
                 }
             }
 
             fn ac_key_len(&self) -> usize {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_key_len(),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_key_len(),
+                    )+
                 }
             }
             fn ac_block_len(&self) -> usize {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_block_len(),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_block_len(),
+                    )+
                 }
             }
 
             fn ac_tag_len(&self) -> usize {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_tag_len(),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_tag_len(),
+                    )+
                 }
             }
 
             fn ac_n_min(&self) -> usize {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_n_min(),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_n_min(),
+                    )+
                 }
             }
             fn ac_n_max(&self) -> usize {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_n_max(),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_n_max(),
+                    )+
                 }
             }
 
             fn ac_encrypt_slice(&self, nonce: &[u8], plaintext_in_ciphertext_out: &mut [u8]) {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_encrypt_slice(nonce, plaintext_in_ciphertext_out),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_encrypt_slice(nonce, plaintext_in_ciphertext_out),
+                    )+
                 }
             }
 
             fn ac_decrypt_slice(&self, nonce: &[u8], plaintext_in_ciphertext_out: &mut [u8]) -> bool {
                 match *self {
-                    $(AeadCipherInner::$name(ref c) => c.ac_decrypt_slice(nonce, plaintext_in_ciphertext_out),)+
+                    $(
+                        $(#[cfg($i_meta)])?
+                        AeadCipherInner::$name(ref c) => c.ac_decrypt_slice(nonce, plaintext_in_ciphertext_out),
+                    )+
                 }
             }
         }
     };
 }
 
 aead_cipher_variant! {
-    Aes128Ccm @ AES_128_CCM,
-    Aes256Ccm @ AES_256_CCM,
+    #[cfg(feature = "v1-aead-extra")] Aes128Ccm @ AES_128_CCM,
+    #[cfg(feature = "v1-aead-extra")] Aes256Ccm @ AES_256_CCM,
 
-    Aes128OcbTag128 @ AES_128_OCB_TAGLEN128,
-    Aes192OcbTag128 @ AES_192_OCB_TAGLEN128,
-    Aes256OcbTag128 @ AES_256_OCB_TAGLEN128,
+    #[cfg(feature = "v1-aead-extra")] Aes128OcbTag128 @ AES_128_OCB_TAGLEN128,
+    #[cfg(feature = "v1-aead-extra")] Aes192OcbTag128 @ AES_192_OCB_TAGLEN128,
+    #[cfg(feature = "v1-aead-extra")] Aes256OcbTag128 @ AES_256_OCB_TAGLEN128,
 
     Aes128Gcm @ AES_128_GCM,
     Aes256Gcm @ AES_256_GCM,
 
-    AesSivCmac256 @ AES_SIV_CMAC_256,
-    AesSivCmac384 @ AES_SIV_CMAC_384,
-    AesSivCmac512 @ AES_SIV_CMAC_512,
+    #[cfg(feature = "v1-aead-extra")] AesSivCmac256 @ AES_SIV_CMAC_256,
+    #[cfg(feature = "v1-aead-extra")] AesSivCmac384 @ AES_SIV_CMAC_384,
+    #[cfg(feature = "v1-aead-extra")] AesSivCmac512 @ AES_SIV_CMAC_512,
 
-    Aes128GcmSiv @ AES_128_GCM_SIV,
-    Aes256GcmSiv @ AES_256_GCM_SIV,
+    #[cfg(feature = "v1-aead-extra")] Aes128GcmSiv @ AES_128_GCM_SIV,
+    #[cfg(feature = "v1-aead-extra")] Aes256GcmSiv @ AES_256_GCM_SIV,
 
     Chacha20Poly1305 @ CHACHA20_POLY1305,
+
+    #[cfg(feature = "v1-aead-extra")] XChacha20Poly1305 @ XCHACHA20_POLY1305,
 }
 
 pub struct AeadCipher {

src/v1/aeadcipher/sodium.rs

@@ -0,0 +1,145 @@
+//! `libsodium` provided ciphers
+
+use core::convert::TryInto;
+use core::ptr;
+
+use libsodium_sys::{
+    crypto_aead_xchacha20poly1305_ietf_ABYTES, crypto_aead_xchacha20poly1305_ietf_KEYBYTES,
+    crypto_aead_xchacha20poly1305_ietf_NPUBBYTES, crypto_aead_xchacha20poly1305_ietf_decrypt,
+    crypto_aead_xchacha20poly1305_ietf_decrypt_detached,
+    crypto_aead_xchacha20poly1305_ietf_encrypt,
+    crypto_aead_xchacha20poly1305_ietf_encrypt_detached,
+};
+
+use crypto2::streamcipher::Chacha20;
+
+pub struct XChacha20Poly1305 {
+    ek: [u8; Self::KEY_LEN],
+}
+
+impl XChacha20Poly1305 {
+    pub const KEY_LEN: usize = crypto_aead_xchacha20poly1305_ietf_KEYBYTES as usize;
+    pub const NONCE_LEN: usize = crypto_aead_xchacha20poly1305_ietf_NPUBBYTES as usize;
+    pub const TAG_LEN: usize = crypto_aead_xchacha20poly1305_ietf_ABYTES as usize;
+    pub const N_MIN: usize = Self::NONCE_LEN;
+    pub const N_MAX: usize = Self::NONCE_LEN;
+    pub const BLOCK_LEN: usize = Chacha20::BLOCK_LEN;
+
+    pub fn new(key: &[u8]) -> Self {
+        XChacha20Poly1305 {
+            ek: key
+                .try_into()
+                .expect("key.len() != XChacha20Poly1305::KEY_LEN"),
+        }
+    }
+
+    pub fn encrypt_slice(&self, nonce: &[u8], aad: &[u8], aead_pkt: &mut [u8]) {
+        debug_assert_eq!(nonce.len(), Self::NONCE_LEN);
+        debug_assert!(aead_pkt.len() >= Self::TAG_LEN);
+
+        unsafe {
+            let mut clen: libc::c_ulonglong = 0;
+            let ret = crypto_aead_xchacha20poly1305_ietf_encrypt(
+                aead_pkt.as_mut_ptr() as *mut _,
+                &mut clen,
+                aead_pkt.as_ptr() as *const _,
+                (aead_pkt.len() - Self::TAG_LEN) as libc::c_ulonglong,
+                aad.as_ptr() as *const _,
+                aad.len() as libc::c_ulonglong,
+                ptr::null(),
+                nonce.as_ptr() as *const _,
+                self.ek.as_ptr() as *const _,
+            );
+            if ret == 0 || clen != aead_pkt.len() as libc::c_ulonglong {
+                panic!(
+                    "crypto_aead_xchacha20poly1305_ietf_encrypt ret={} clen={}",
+                    ret, clen
+                );
+            }
+        }
+    }
+
+    pub fn decrypt_slice(&self, nonce: &[u8], aad: &[u8], aead_pkt: &mut [u8]) -> bool {
+        debug_assert_eq!(nonce.len(), Self::NONCE_LEN);
+        debug_assert!(aead_pkt.len() >= Self::TAG_LEN);
+
+        unsafe {
+            let mut mlen: libc::c_ulonglong = 0;
+            let ret = crypto_aead_xchacha20poly1305_ietf_decrypt(
+                aead_pkt.as_mut_ptr() as *mut _,
+                &mut mlen,
+                ptr::null_mut(),
+                aead_pkt.as_ptr() as *mut _,
+                aead_pkt.len() as libc::c_ulonglong,
+                aad.as_ptr() as *const _,
+                aad.len() as libc::c_ulonglong,
+                nonce.as_ptr() as *const _,
+                self.ek.as_ptr(),
+            );
+
+            ret == 0 && mlen == (aead_pkt.len() - Self::TAG_LEN) as libc::c_ulonglong
+        }
+    }
+
+    #[allow(dead_code)]
+    pub fn encrypt_slice_detached(
+        &self,
+        nonce: &[u8],
+        aad: &[u8],
+        plaintext_in_ciphertext_out: &mut [u8],
+        tag_out: &mut [u8],
+    ) {
+        debug_assert_eq!(nonce.len(), Self::NONCE_LEN);
+        debug_assert_eq!(tag_out.len(), Self::TAG_LEN);
+
+        unsafe {
+            let mut maclen: libc::c_ulonglong = 0;
+            let ret = crypto_aead_xchacha20poly1305_ietf_encrypt_detached(
+                plaintext_in_ciphertext_out.as_mut_ptr() as *mut _,
+                tag_out.as_mut_ptr() as *mut _,
+                &mut maclen,
+                plaintext_in_ciphertext_out.as_mut_ptr() as *mut _,
+                plaintext_in_ciphertext_out.len() as libc::c_ulonglong,
+                aad.as_ptr() as *const _,
+                aad.len() as libc::c_ulonglong,
+                ptr::null(),
+                nonce.as_ptr() as *const _,
+                self.ek.as_ptr() as *const _,
+            );
+            if ret == 0 || maclen != tag_out.len() as libc::c_ulonglong {
+                panic!(
+                    "crypto_aead_xchacha20poly1305_ietf_encrypt_detached ret={} maclen={}",
+                    ret, maclen
+                );
+            }
+        }
+    }
+
+    #[allow(dead_code)]
+    pub fn decrypt_slice_detached(
+        &self,
+        nonce: &[u8],
+        aad: &[u8],
+        ciphertext_in_plaintext_out: &mut [u8],
+        tag_in: &[u8],
+    ) -> bool {
+        debug_assert_eq!(nonce.len(), Self::NONCE_LEN);
+        debug_assert_eq!(tag_in.len(), Self::TAG_LEN);
+
+        unsafe {
+            let ret = crypto_aead_xchacha20poly1305_ietf_decrypt_detached(
+                ciphertext_in_plaintext_out.as_mut_ptr() as *mut _,
+                ptr::null_mut(),
+                ciphertext_in_plaintext_out.as_ptr() as *const _,
+                ciphertext_in_plaintext_out.len() as libc::c_ulonglong,
+                tag_in.as_ptr() as *const _,
+                aad.as_ptr() as *const _,
+                aad.len() as libc::c_ulonglong,
+                nonce.as_ptr() as *const _,
+                self.ek.as_ptr() as *const _,
+            );
+
+            ret == 0
+        }
+    }
+}