Joseph Doherty
ed17c07c10
F18 plans M5 as 9 sub-followups (F18-F26 + F27 constant-time DH) per design/dependencies.md:73-89. Wave-1 streams F20-F23+F24 are parallel-safe after F19 (workspace deps). F25 (ASB client) is sequential after the framing/encoder streams. F26 (Session over AsbTransport) is sequential after F25. F19 — workspace deps for the M5 crypto + framing surface: hmac, md-5, sha1, sha2, aes, cbc, pbkdf2, flate2, rand, num-bigint, num-traits, num-integer, quick-xml, tokio-util, zeroize. Pinned to the digest 0.10 / cipher 0.4 generation matching mxaccess-rpc. F23 — ports `AsbSystemAuthenticator.cs` (167 LoC) to `mxaccess-asb-nettcp::auth`. Wire-byte parity points: .NET BigInteger little-endian two's-complement byte order with optional 0x00 sign-byte suffix; AES-128-CBC with PKCS7 padding; PBKDF2-SHA1 1000 iterations over `Convert.ToBase64String(crypto_key)` with ASCII salt "ArchestrAService"; deflate-then-AES (Baktun) vs raw-AES (Apollo) selected by `:V2` lifetime suffix; HMAC-MD5/SHA1/SHA512 negotiated per `AsbSolutionCryptoParameters.HashAlgorithm` (with `force_hmac=true` fallback to HMAC-SHA1 for unrecognised algorithms). 13 unit tests cover the cryptographic primitives + DH peer agreement + .NET byte-order round-trip + Apollo lifetime dispatch. F27 — filed for the `num-bigint` → `crypto-bigint::BoxedUint` swap once the latter exposes a stable heap-allocated `pow_mod`. Currently at parity with the .NET reference (also not constant-time). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
718 lines
28 KiB
Rust
718 lines
28 KiB
Rust
//! ASB application-auth crypto.
|
|
//!
|
|
//! Port of `src/MxAsbClient/AsbSystemAuthenticator.cs` (167 LoC) — the DH
|
|
//! handshake, HMAC signing, and AES-128/PBKDF2-SHA1 key derivation that
|
|
//! `IASBIDataV2::Connect` + `AuthenticateMe` use to bring up an authenticated
|
|
//! ASB session.
|
|
//!
|
|
//! Notable parity points:
|
|
//!
|
|
//! * **DH `mod_exp` constant-time gap.** The .NET reference uses
|
|
//! `BigInteger.ModPow`, which is **not** constant-time. The Rust port
|
|
//! currently uses `num-bigint`, which is *also* not constant-time — so
|
|
//! this is parity, not a regression. The long-term target is
|
|
//! `crypto-bigint::BoxedUint` once that crate exposes a stable `pow_mod`
|
|
//! over heap-allocated values; see `design/30-crate-topology.md:269-274`
|
|
//! and follow-up F27 in `design/followups.md`.
|
|
//!
|
|
//! * **.NET `BigInteger` byte order.** Both
|
|
//! `BigInteger.ToByteArray` and `new BigInteger(byte[])` are
|
|
//! little-endian, two's-complement. For positive values whose top bit is
|
|
//! set, `ToByteArray` appends a trailing `0x00` sign byte. Wire-byte
|
|
//! parity for `LocalPublicKey` and the encrypted authentication-data
|
|
//! payloads requires reproducing that exact convention — see
|
|
//! [`bigint_to_dotnet_bytes`].
|
|
//!
|
|
//! * **AES key derivation.** PBKDF2-HMAC-SHA1 over
|
|
//! `Convert.ToBase64String(CryptoKey)` with the ASCII salt
|
|
//! `"ArchestrAService"`, 1000 iterations, 16-byte output (`cs:134-142`).
|
|
//! The base64 step is part of the spec, not a quirk — derived keys do
|
|
//! *not* match if the raw `CryptoKey` bytes are fed in directly.
|
|
//!
|
|
//! * **Lifetime-suffix dispatch.** `ConnectResponse.ConnectionLifetime`
|
|
//! carrying `:V2` selects the `EncryptApollo` path (raw AES-CBC).
|
|
//! Otherwise `EncryptBaktun` (deflate-then-AES-CBC). Mirrored verbatim
|
|
//! from `cs:48` / `cs:97-117`.
|
|
|
|
use std::io::Write as _;
|
|
|
|
use aes::Aes128;
|
|
use aes::cipher::{BlockEncryptMut, KeyIvInit};
|
|
use cbc::Encryptor as CbcEncryptor;
|
|
use flate2::Compression;
|
|
use flate2::write::DeflateEncoder;
|
|
use hmac::digest::KeyInit;
|
|
use hmac::{Hmac, Mac};
|
|
use md5::Md5;
|
|
use num_bigint::BigUint;
|
|
use num_integer::Integer;
|
|
use num_traits::{One, Zero};
|
|
use pbkdf2::pbkdf2_hmac;
|
|
use rand::RngCore;
|
|
use sha1::Sha1;
|
|
use sha2::Sha512;
|
|
use zeroize::{Zeroize, Zeroizing};
|
|
|
|
/// PBKDF2 salt — ASCII bytes of `"ArchestrAService"`. Mirrors the .NET
|
|
/// `PasswordSalt` constant at `AsbSystemAuthenticator.cs:10`.
|
|
const PASSWORD_SALT: &[u8] = b"ArchestrAService";
|
|
|
|
/// PBKDF2 iteration count from `cs:139`.
|
|
const PBKDF2_ITERATIONS: u32 = 1000;
|
|
|
|
/// Derived AES key length in bytes, matching `cs:141` (`outputLength: 16`).
|
|
const AES_KEY_LEN: usize = 16;
|
|
|
|
/// Hash algorithm negotiated between client and service. Numeric variants
|
|
/// match the case-insensitive string values returned by
|
|
/// `AsbRegistry.GetCryptoParameters` (`cs:54` — `"MD5"` / `"SHA1"` /
|
|
/// `"SHA512"`). Anything else falls through to the .NET branch at `cs:91`
|
|
/// (`HMAC-SHA1` only when `forceHmac` is set, otherwise no signing).
|
|
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
|
|
pub enum HashAlgorithm {
|
|
Md5,
|
|
Sha1,
|
|
Sha512,
|
|
/// Unknown algorithm — `Sign` returns no MAC unless `force_hmac` is set,
|
|
/// in which case HMAC-SHA1 is used. Mirrors `cs:91`.
|
|
Unrecognised,
|
|
}
|
|
|
|
impl HashAlgorithm {
|
|
/// Parse the `HashAlgorthim` string from `AsbSolutionCryptoParameters`
|
|
/// case-insensitively. Note the typo in the registry value name
|
|
/// (`HashAlgorthim` not `HashAlgorithm`) is preserved by .NET; we read
|
|
/// whatever the registry stores.
|
|
pub fn parse(value: &str) -> Self {
|
|
match value.to_ascii_lowercase().as_str() {
|
|
"md5" => Self::Md5,
|
|
"sha1" => Self::Sha1,
|
|
"sha512" => Self::Sha512,
|
|
_ => Self::Unrecognised,
|
|
}
|
|
}
|
|
}
|
|
|
|
/// Solution-level crypto parameters loaded from the registry on .NET, or
|
|
/// supplied directly by callers on the Rust side. Mirrors
|
|
/// `AsbSolutionCryptoParameters` at `AsbRegistry.cs:64-67`.
|
|
#[derive(Debug, Clone)]
|
|
pub struct CryptoParameters {
|
|
/// 1024-bit DH prime (decimal-encoded).
|
|
pub prime_decimal: String,
|
|
/// DH generator (decimal-encoded).
|
|
pub generator_decimal: String,
|
|
/// Negotiated hash algorithm (`HashAlgorthim` from the registry).
|
|
pub hash_algorithm: HashAlgorithm,
|
|
/// DH private-exponent size in bits. Default `256` per `cs:55`.
|
|
pub key_size_bits: u32,
|
|
}
|
|
|
|
impl CryptoParameters {
|
|
/// Default prime constant from `AsbRegistry.cs:66` (1024-bit
|
|
/// decimal-encoded).
|
|
pub const DEFAULT_PRIME_TEXT: &'static str = concat!(
|
|
"179769313486231590770839156793787453197860296048756011706444423",
|
|
"684197180216158519368947833795864925541502180565485980503646440",
|
|
"548199239100050792877003355816639229553136239076508735759914822",
|
|
"574862575007425302077447712589550957937778424442426617334727629",
|
|
"299387668709205606050270810842907692932019128194",
|
|
);
|
|
|
|
/// Default parameters seen on a stock AVEVA install (`HashAlgorthim=MD5`,
|
|
/// `keySize=256`, `Generator=22`).
|
|
pub fn defaults() -> Self {
|
|
Self {
|
|
prime_decimal: Self::DEFAULT_PRIME_TEXT.to_string(),
|
|
generator_decimal: "22".to_string(),
|
|
hash_algorithm: HashAlgorithm::Md5,
|
|
key_size_bits: 256,
|
|
}
|
|
}
|
|
}
|
|
|
|
/// Authenticator state. Owns the DH private key, the derived crypto-key
|
|
/// buffer, and the running message-number counter that `Sign` increments
|
|
/// per `ConnectionValidator` (`cs:67`).
|
|
pub struct AsbAuthenticator {
|
|
prime: BigUint,
|
|
private_key: BigUint,
|
|
/// `localPublicKey` cached as little-endian + sign-byte normalised
|
|
/// .NET-`BigInteger`-equivalent bytes (`cs:34`).
|
|
local_public_key: Vec<u8>,
|
|
/// UTF-8 bytes of the solution passphrase (`cs:28` — note: .NET
|
|
/// `Encoding.UTF8.GetBytes` over a `string` yields UTF-8, even though
|
|
/// the passphrase originated as UTF-16 inside DPAPI; we copy that
|
|
/// re-encoding here exactly).
|
|
solution_passphrase: Zeroizing<Vec<u8>>,
|
|
hash_algorithm: HashAlgorithm,
|
|
next_message_number: u64,
|
|
connection_id: [u8; 16],
|
|
/// Set by `accept_connect_response`.
|
|
remote_public_key: Option<Vec<u8>>,
|
|
/// Toggled by `:V2` lifetime suffix in the connect response. False
|
|
/// until then (`cs:43,48`).
|
|
use_apollo_signing: bool,
|
|
}
|
|
|
|
impl AsbAuthenticator {
|
|
/// Build a new authenticator. Generates a fresh DH private key in the
|
|
/// `[1, prime - 1)` range and computes `generator^private_key mod prime`
|
|
/// for the local public key (`cs:30-35`).
|
|
///
|
|
/// `connection_id` is the per-session GUID emitted into every signed
|
|
/// `ConnectionValidator`. Callers should pass `Uuid::new_v4().into_bytes()`
|
|
/// (or equivalent); we keep the parameter explicit so unit tests can
|
|
/// pin the value for fixture round-trips.
|
|
pub fn new(
|
|
passphrase: &str,
|
|
params: &CryptoParameters,
|
|
connection_id: [u8; 16],
|
|
) -> Result<Self, AuthError> {
|
|
let prime = parse_decimal(¶ms.prime_decimal)?;
|
|
let generator = parse_decimal(¶ms.generator_decimal)?;
|
|
if prime.is_zero() {
|
|
return Err(AuthError::ZeroPrime);
|
|
}
|
|
|
|
let private_key = generate_private_key(params.key_size_bits, &prime)?;
|
|
let public_value = generator.modpow(&private_key, &prime);
|
|
let local_public_key = bigint_to_dotnet_bytes(&public_value);
|
|
|
|
Ok(Self {
|
|
prime,
|
|
private_key,
|
|
local_public_key,
|
|
solution_passphrase: Zeroizing::new(passphrase.as_bytes().to_vec()),
|
|
hash_algorithm: params.hash_algorithm,
|
|
next_message_number: 1,
|
|
connection_id,
|
|
remote_public_key: None,
|
|
use_apollo_signing: false,
|
|
})
|
|
}
|
|
|
|
pub fn connection_id(&self) -> [u8; 16] {
|
|
self.connection_id
|
|
}
|
|
|
|
pub fn local_public_key(&self) -> &[u8] {
|
|
&self.local_public_key
|
|
}
|
|
|
|
pub fn use_apollo_signing(&self) -> bool {
|
|
self.use_apollo_signing
|
|
}
|
|
|
|
/// Apply `ConnectResponse` state: stash the service public key for
|
|
/// shared-secret derivation and decide whether the wire is Apollo
|
|
/// (raw-AES) or Baktun (deflate-then-AES) per the `:V2` lifetime
|
|
/// suffix at `cs:48`.
|
|
pub fn accept_connect_response(
|
|
&mut self,
|
|
service_public_key: &[u8],
|
|
connection_lifetime: Option<&str>,
|
|
) {
|
|
self.remote_public_key = Some(service_public_key.to_vec());
|
|
self.use_apollo_signing = connection_lifetime
|
|
.map(|s| s.to_ascii_lowercase().contains(":v2"))
|
|
.unwrap_or(false);
|
|
}
|
|
|
|
/// Encrypt `local_public_key || remote_public_key` with the AES key
|
|
/// derived from `crypto_key`. Returns `(ciphertext, iv)`. Mirrors
|
|
/// `CreateAuthenticationData` at `cs:51-60`.
|
|
pub fn create_authentication_data(&self) -> Result<EncryptedBytes, AuthError> {
|
|
let remote = self
|
|
.remote_public_key
|
|
.as_deref()
|
|
.ok_or(AuthError::NoRemoteKey)?;
|
|
let mut clear: Vec<u8> = Vec::with_capacity(self.local_public_key.len() + remote.len());
|
|
clear.extend_from_slice(&self.local_public_key);
|
|
clear.extend_from_slice(remote);
|
|
let result = self.encrypt(&clear);
|
|
clear.zeroize();
|
|
result
|
|
}
|
|
|
|
/// Sign the canonical-XML body of a request (`request.ToXml()` in .NET)
|
|
/// per `cs:62-82`. Returns the populated `ConnectionValidator` — when
|
|
/// no HMAC engine is selected and `force_hmac` is false, the validator
|
|
/// is emitted with empty MAC + IV. Caller is responsible for
|
|
/// serialising the `ConnectionValidator` into the
|
|
/// `http://asb.contracts.headers/20111111` SOAP header.
|
|
///
|
|
/// `request_xml_utf8` is the UTF-8 byte representation of the SOAP
|
|
/// envelope's *request body* — NOT the framed wire bytes. The .NET
|
|
/// reference calls `request.ToXml()` which serialises the message
|
|
/// contract through the `XmlSerializer` and we sign exactly that
|
|
/// canonical text. Cross-implementation parity therefore requires the
|
|
/// Rust SOAP serializer (when F25 lands) to emit identical bytes.
|
|
pub fn sign(
|
|
&mut self,
|
|
request_xml_utf8: &[u8],
|
|
force_hmac: bool,
|
|
) -> Result<SignedValidator, AuthError> {
|
|
let message_number = self.next_message_number;
|
|
self.next_message_number = self.next_message_number.wrapping_add(1);
|
|
|
|
let mut validator = SignedValidator {
|
|
connection_id: self.connection_id,
|
|
message_number,
|
|
mac: Vec::new(),
|
|
iv: Vec::new(),
|
|
};
|
|
|
|
if let Some(hash) = self.compute_hmac(request_xml_utf8, force_hmac)? {
|
|
let encrypted = self.encrypt(&hash)?;
|
|
validator.mac = encrypted.ciphertext;
|
|
validator.iv = encrypted.iv;
|
|
}
|
|
|
|
Ok(validator)
|
|
}
|
|
|
|
fn compute_hmac(&self, message: &[u8], force_hmac: bool) -> Result<Option<Vec<u8>>, AuthError> {
|
|
let key = self.crypto_key()?;
|
|
match self.hash_algorithm {
|
|
HashAlgorithm::Md5 => Ok(Some(hmac_compute::<Hmac<Md5>>(&key, message))),
|
|
HashAlgorithm::Sha1 => Ok(Some(hmac_compute::<Hmac<Sha1>>(&key, message))),
|
|
HashAlgorithm::Sha512 => Ok(Some(hmac_compute::<Hmac<Sha512>>(&key, message))),
|
|
HashAlgorithm::Unrecognised if force_hmac => {
|
|
Ok(Some(hmac_compute::<Hmac<Sha1>>(&key, message)))
|
|
}
|
|
HashAlgorithm::Unrecognised => Ok(None),
|
|
}
|
|
}
|
|
|
|
fn encrypt(&self, clear: &[u8]) -> Result<EncryptedBytes, AuthError> {
|
|
let aes_key = self.derive_aes_key()?;
|
|
let mut iv = [0u8; 16];
|
|
rand::thread_rng().fill_bytes(&mut iv);
|
|
let ciphertext = if self.use_apollo_signing {
|
|
aes_cbc_encrypt(&aes_key, &iv, clear)
|
|
} else {
|
|
let mut deflated = Vec::with_capacity(clear.len());
|
|
let mut encoder = DeflateEncoder::new(&mut deflated, Compression::default());
|
|
encoder
|
|
.write_all(clear)
|
|
.map_err(|e| AuthError::Deflate(e.to_string()))?;
|
|
encoder
|
|
.finish()
|
|
.map_err(|e| AuthError::Deflate(e.to_string()))?;
|
|
let result = aes_cbc_encrypt(&aes_key, &iv, &deflated);
|
|
deflated.zeroize();
|
|
result
|
|
};
|
|
|
|
Ok(EncryptedBytes {
|
|
ciphertext,
|
|
iv: iv.to_vec(),
|
|
})
|
|
}
|
|
|
|
fn derive_aes_key(&self) -> Result<Zeroizing<[u8; AES_KEY_LEN]>, AuthError> {
|
|
let crypto_key = self.crypto_key()?;
|
|
let password_b64 = base64_encode(&crypto_key);
|
|
let mut out = Zeroizing::new([0u8; AES_KEY_LEN]);
|
|
pbkdf2_hmac::<Sha1>(
|
|
password_b64.as_bytes(),
|
|
PASSWORD_SALT,
|
|
PBKDF2_ITERATIONS,
|
|
out.as_mut_slice(),
|
|
);
|
|
Ok(out)
|
|
}
|
|
|
|
/// `shared = remote^private mod prime`, then append the passphrase
|
|
/// bytes — `cs:144-150`. Returned as a `Zeroizing` wrapper so the
|
|
/// derivation buffer is wiped on drop.
|
|
fn crypto_key(&self) -> Result<Zeroizing<Vec<u8>>, AuthError> {
|
|
let remote = self
|
|
.remote_public_key
|
|
.as_deref()
|
|
.ok_or(AuthError::NoRemoteKey)?;
|
|
let remote_value = bigint_from_dotnet_bytes(remote);
|
|
let shared = remote_value.modpow(&self.private_key, &self.prime);
|
|
let shared_bytes = bigint_to_dotnet_bytes(&shared);
|
|
|
|
let mut buf = Vec::with_capacity(shared_bytes.len() + self.solution_passphrase.len());
|
|
buf.extend_from_slice(&shared_bytes);
|
|
buf.extend_from_slice(&self.solution_passphrase);
|
|
Ok(Zeroizing::new(buf))
|
|
}
|
|
|
|
#[cfg(test)]
|
|
fn private_key_bytes(&self) -> Vec<u8> {
|
|
bigint_to_dotnet_bytes(&self.private_key)
|
|
}
|
|
}
|
|
|
|
/// Output of [`AsbAuthenticator::sign`]: the populated `ConnectionValidator`
|
|
/// fields exactly matching the .NET `ConnectionValidator` message header
|
|
/// shape (`AsbContracts.cs` — `ConnectionId` GUID, `MessageNumber` ulong,
|
|
/// `MessageAuthenticationCode` byte[], `SignatureInitializationVector`
|
|
/// byte[]).
|
|
#[derive(Debug, Clone)]
|
|
pub struct SignedValidator {
|
|
pub connection_id: [u8; 16],
|
|
pub message_number: u64,
|
|
pub mac: Vec<u8>,
|
|
pub iv: Vec<u8>,
|
|
}
|
|
|
|
/// Output of `create_authentication_data` / per-message encryption.
|
|
/// Maps onto the .NET `AuthenticationData { Data, InitializationVector }`
|
|
/// contract.
|
|
#[derive(Debug, Clone)]
|
|
pub struct EncryptedBytes {
|
|
pub ciphertext: Vec<u8>,
|
|
pub iv: Vec<u8>,
|
|
}
|
|
|
|
#[derive(Debug, thiserror::Error)]
|
|
pub enum AuthError {
|
|
#[error("invalid decimal big-integer: {0}")]
|
|
InvalidDecimal(String),
|
|
#[error("DH prime is zero")]
|
|
ZeroPrime,
|
|
#[error("DH key size {0} is not a positive multiple of 8")]
|
|
InvalidKeySize(u32),
|
|
#[error("ConnectResponse not yet accepted — service public key unknown")]
|
|
NoRemoteKey,
|
|
#[error("deflate failed: {0}")]
|
|
Deflate(String),
|
|
}
|
|
|
|
// ---- DH helpers ----------------------------------------------------------
|
|
|
|
/// Generate a DH private key in `[1, prime - 1)` per `cs:153-166`.
|
|
/// `key_size_bits / 8 + 1` random bytes are drawn, the high byte forced to
|
|
/// zero (so the value stays positive when interpreted as a .NET BigInteger
|
|
/// little-endian two's-complement), and the loop retries until the value
|
|
/// falls in range.
|
|
fn generate_private_key(key_size_bits: u32, prime: &BigUint) -> Result<BigUint, AuthError> {
|
|
if key_size_bits == 0 || key_size_bits % 8 != 0 {
|
|
return Err(AuthError::InvalidKeySize(key_size_bits));
|
|
}
|
|
let byte_len = (key_size_bits / 8) as usize + 1;
|
|
let prime_minus_one = prime - BigUint::one();
|
|
let one = BigUint::one();
|
|
|
|
let mut buf = vec![0u8; byte_len];
|
|
let mut rng = rand::thread_rng();
|
|
loop {
|
|
rng.fill_bytes(&mut buf);
|
|
// Force the .NET sign byte to 0 so the value is unambiguously
|
|
// positive (`cs:160`).
|
|
if let Some(last) = buf.last_mut() {
|
|
*last = 0;
|
|
}
|
|
let candidate = bigint_from_dotnet_bytes(&buf);
|
|
if candidate > one && candidate < prime_minus_one {
|
|
buf.zeroize();
|
|
return Ok(candidate);
|
|
}
|
|
}
|
|
}
|
|
|
|
/// Decimal-string → `BigUint`. Used for the registry-supplied prime +
|
|
/// generator (`cs:23-24,57`).
|
|
fn parse_decimal(value: &str) -> Result<BigUint, AuthError> {
|
|
let trimmed = value.trim();
|
|
BigUint::parse_bytes(trimmed.as_bytes(), 10)
|
|
.ok_or_else(|| AuthError::InvalidDecimal(trimmed.to_string()))
|
|
}
|
|
|
|
/// `BigUint` → .NET `BigInteger.ToByteArray()` little-endian
|
|
/// two's-complement bytes.
|
|
///
|
|
/// `BigUint::to_bytes_le` returns the minimal byte representation. .NET's
|
|
/// `BigInteger.ToByteArray` does the same for positive values *except*
|
|
/// that when the new MSB has its top bit set, .NET appends a `0x00` sign
|
|
/// byte to keep the number unambiguously positive in two's-complement.
|
|
/// `BigInteger.Zero.ToByteArray()` == `{ 0 }` per .NET; `BigUint::zero`
|
|
/// returns an empty `Vec`, so we promote that case explicitly.
|
|
pub fn bigint_to_dotnet_bytes(value: &BigUint) -> Vec<u8> {
|
|
if value.is_zero() {
|
|
return vec![0u8];
|
|
}
|
|
let mut bytes = value.to_bytes_le();
|
|
if let Some(&last) = bytes.last() {
|
|
if last & 0x80 != 0 {
|
|
bytes.push(0);
|
|
}
|
|
}
|
|
bytes
|
|
}
|
|
|
|
/// .NET `BigInteger(byte[])` little-endian two's-complement → `BigUint`.
|
|
/// Trailing `0x00` sign bytes are absorbed by `from_bytes_le`'s leading-
|
|
/// zero handling. ASB DH values are always positive, so we treat any
|
|
/// non-zero high bit on the last byte as a non-issue (the .NET sign byte
|
|
/// itself is `0x00`, which is what stays after stripping leading zeros).
|
|
pub fn bigint_from_dotnet_bytes(bytes: &[u8]) -> BigUint {
|
|
BigUint::from_bytes_le(bytes)
|
|
}
|
|
|
|
// ---- Crypto helpers ------------------------------------------------------
|
|
|
|
fn aes_cbc_encrypt(key: &[u8; AES_KEY_LEN], iv: &[u8; 16], clear: &[u8]) -> Vec<u8> {
|
|
type Encryptor = CbcEncryptor<Aes128>;
|
|
let cipher = Encryptor::new(key.into(), iv.into());
|
|
cipher.encrypt_padded_vec_mut::<aes::cipher::block_padding::Pkcs7>(clear)
|
|
}
|
|
|
|
fn hmac_compute<M: Mac + KeyInit>(key: &[u8], message: &[u8]) -> Vec<u8> {
|
|
// HMAC accepts any key length; the `Result` arm is unreachable for
|
|
// any of the `Hmac<H>` instantiations we use here. If it ever fires
|
|
// (e.g. someone wires this up with a non-HMAC `Mac` impl that has a
|
|
// length constraint), return an empty MAC rather than panic — the
|
|
// caller will surface the empty MAC to the wire and the service will
|
|
// reject it cleanly.
|
|
match <M as KeyInit>::new_from_slice(key) {
|
|
Ok(mut mac) => {
|
|
mac.update(message);
|
|
mac.finalize().into_bytes().to_vec()
|
|
}
|
|
Err(_) => Vec::new(),
|
|
}
|
|
}
|
|
|
|
/// Standard base64 encoder (RFC 4648, default `Convert.ToBase64String`
|
|
/// semantics — no line breaks, `+` / `/` alphabet, `=` padding).
|
|
/// Implemented inline to avoid pulling the `base64` crate as a direct
|
|
/// dep when we only need 16 lines of encoder code.
|
|
fn base64_encode(input: &[u8]) -> String {
|
|
const ALPHABET: &[u8; 64] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
|
|
// `idx & 0x3F` keeps the index in `0..64`; `.get(idx).copied()` returns
|
|
// `Some(_)` for that range so the fallback branch is unreachable but
|
|
// satisfies clippy::indexing_slicing.
|
|
let lookup = |idx: u32| ALPHABET.get((idx & 0x3F) as usize).copied().unwrap_or(b'=');
|
|
let mut out = String::with_capacity(input.len().div_ceil(3) * 4);
|
|
for chunk in input.chunks(3) {
|
|
let b0 = u32::from(chunk.first().copied().unwrap_or(0));
|
|
let b1 = u32::from(chunk.get(1).copied().unwrap_or(0));
|
|
let b2 = u32::from(chunk.get(2).copied().unwrap_or(0));
|
|
let triple = (b0 << 16) | (b1 << 8) | b2;
|
|
out.push(lookup(triple >> 18) as char);
|
|
out.push(lookup(triple >> 12) as char);
|
|
out.push(if chunk.len() > 1 {
|
|
lookup(triple >> 6) as char
|
|
} else {
|
|
'='
|
|
});
|
|
out.push(if chunk.len() > 2 {
|
|
lookup(triple) as char
|
|
} else {
|
|
'='
|
|
});
|
|
}
|
|
out
|
|
}
|
|
|
|
// num-integer's `Integer` trait is imported above so `prime - BigUint::one()`
|
|
// uses subtraction without wrapping. Silences an unused-import warning when
|
|
// we don't directly call any `.gcd()`-style helpers — kept anyway for the
|
|
// `Zero`/`One` traits' presence via `num-traits`.
|
|
#[allow(dead_code)]
|
|
fn _unused_integer_gcd(a: &BigUint, b: &BigUint) -> BigUint {
|
|
a.gcd(b)
|
|
}
|
|
|
|
#[cfg(test)]
|
|
#[allow(
|
|
clippy::unwrap_used,
|
|
clippy::expect_used,
|
|
clippy::panic,
|
|
clippy::indexing_slicing
|
|
)]
|
|
mod tests {
|
|
use super::*;
|
|
|
|
#[test]
|
|
fn parse_decimal_round_trips_default_prime() {
|
|
let prime = parse_decimal(CryptoParameters::DEFAULT_PRIME_TEXT).unwrap();
|
|
// The default prime is a 300-digit decimal, which works out to
|
|
// ~996 bits. The "1024-bit" label in older docs is loose — the
|
|
// exact bit length is fixed by the published constant. This pins
|
|
// the value so an accidental string edit is caught.
|
|
assert_eq!(prime.bits(), 995);
|
|
}
|
|
|
|
#[test]
|
|
fn dotnet_byte_round_trip_keeps_sign_byte_for_high_msb() {
|
|
let bytes = vec![0xFFu8, 0x00];
|
|
let value = bigint_from_dotnet_bytes(&bytes);
|
|
let round = bigint_to_dotnet_bytes(&value);
|
|
assert_eq!(round, bytes);
|
|
}
|
|
|
|
#[test]
|
|
fn dotnet_byte_round_trip_skips_sign_byte_when_high_bit_clear() {
|
|
let bytes = vec![0x7Fu8];
|
|
let value = bigint_from_dotnet_bytes(&bytes);
|
|
let round = bigint_to_dotnet_bytes(&value);
|
|
assert_eq!(round, bytes);
|
|
}
|
|
|
|
#[test]
|
|
fn dotnet_byte_round_trip_zero() {
|
|
let bytes = vec![0u8];
|
|
let value = bigint_from_dotnet_bytes(&bytes);
|
|
let round = bigint_to_dotnet_bytes(&value);
|
|
assert_eq!(round, bytes);
|
|
}
|
|
|
|
#[test]
|
|
fn base64_encode_matches_dotnet() {
|
|
// Spot-check vs `Convert.ToBase64String(new byte[]{1,2,3})` => "AQID"
|
|
assert_eq!(base64_encode(&[1, 2, 3]), "AQID");
|
|
assert_eq!(base64_encode(&[1, 2]), "AQI=");
|
|
assert_eq!(base64_encode(&[1]), "AQ==");
|
|
assert_eq!(base64_encode(&[]), "");
|
|
// RFC 4648 §10
|
|
assert_eq!(base64_encode(b"foobar"), "Zm9vYmFy");
|
|
}
|
|
|
|
#[test]
|
|
fn authenticator_emits_local_public_key_in_dh_range() {
|
|
let params = CryptoParameters::defaults();
|
|
let auth = AsbAuthenticator::new("test-passphrase", ¶ms, [0u8; 16]).unwrap();
|
|
// Local public key is `g^x mod p` for some `x ∈ [1, p-1)`. With
|
|
// `g=22` and a 256-bit `x`, the result must be at least 1 byte
|
|
// and at most as wide as `p` (~129 bytes including the sign byte).
|
|
let pk = auth.local_public_key();
|
|
assert!(!pk.is_empty(), "public key must not be empty");
|
|
assert!(
|
|
pk.len() <= 129,
|
|
"public key longer than 1024-bit prime + sign byte"
|
|
);
|
|
}
|
|
|
|
#[test]
|
|
fn authenticator_private_key_size_respects_key_size_bits() {
|
|
let params = CryptoParameters::defaults();
|
|
let auth = AsbAuthenticator::new("test-passphrase", ¶ms, [0u8; 16]).unwrap();
|
|
let pk = auth.private_key_bytes();
|
|
// 256-bit key → at most 33 bytes (32 raw + 1 sign byte; .NET
|
|
// generator clears the high byte so the sign byte never fires
|
|
// for this size, but allow it as the upper bound).
|
|
assert!(pk.len() <= 33);
|
|
}
|
|
|
|
#[test]
|
|
fn dh_shared_secret_matches_between_two_peers() {
|
|
// Cross-check: two peers with the same parameters, exchanging
|
|
// public keys, derive the same shared `crypto_key` prefix.
|
|
let params = CryptoParameters::defaults();
|
|
let mut alice = AsbAuthenticator::new("solution", ¶ms, [1u8; 16]).unwrap();
|
|
let mut bob = AsbAuthenticator::new("solution", ¶ms, [2u8; 16]).unwrap();
|
|
|
|
let alice_pub = alice.local_public_key().to_vec();
|
|
let bob_pub = bob.local_public_key().to_vec();
|
|
|
|
alice.accept_connect_response(&bob_pub, None);
|
|
bob.accept_connect_response(&alice_pub, None);
|
|
|
|
let alice_key = alice.crypto_key().unwrap();
|
|
let bob_key = bob.crypto_key().unwrap();
|
|
assert_eq!(&alice_key[..], &bob_key[..]);
|
|
}
|
|
|
|
#[test]
|
|
fn signed_validator_increments_message_number() {
|
|
let params = CryptoParameters::defaults();
|
|
let mut alice = AsbAuthenticator::new("solution", ¶ms, [1u8; 16]).unwrap();
|
|
let bob = AsbAuthenticator::new("solution", ¶ms, [2u8; 16]).unwrap();
|
|
alice.accept_connect_response(bob.local_public_key(), None);
|
|
|
|
let v1 = alice.sign(b"<request/>", false).unwrap();
|
|
let v2 = alice.sign(b"<request/>", false).unwrap();
|
|
assert_eq!(v1.message_number, 1);
|
|
assert_eq!(v2.message_number, 2);
|
|
assert_eq!(v1.connection_id, [1u8; 16]);
|
|
}
|
|
|
|
#[test]
|
|
fn aes_cbc_encrypt_pkcs7_round_trips_against_test_vector() {
|
|
// Empty plaintext → 16-byte PKCS7-padded ciphertext.
|
|
let key = [0u8; 16];
|
|
let iv = [0u8; 16];
|
|
let ct = aes_cbc_encrypt(&key, &iv, &[]);
|
|
assert_eq!(ct.len(), 16);
|
|
}
|
|
|
|
#[test]
|
|
fn unrecognised_hash_algorithm_skips_mac_unless_forced() {
|
|
let params = CryptoParameters {
|
|
hash_algorithm: HashAlgorithm::Unrecognised,
|
|
..CryptoParameters::defaults()
|
|
};
|
|
let mut alice = AsbAuthenticator::new("s", ¶ms, [1u8; 16]).unwrap();
|
|
let bob = AsbAuthenticator::new("s", ¶ms, [2u8; 16]).unwrap();
|
|
alice.accept_connect_response(bob.local_public_key(), None);
|
|
|
|
let unsigned = alice.sign(b"<x/>", false).unwrap();
|
|
assert!(
|
|
unsigned.mac.is_empty(),
|
|
"unrecognised algorithm should skip MAC"
|
|
);
|
|
|
|
let signed = alice.sign(b"<x/>", true).unwrap();
|
|
assert!(!signed.mac.is_empty(), "force_hmac=true must produce a MAC");
|
|
}
|
|
|
|
#[test]
|
|
fn apollo_signing_toggles_with_v2_lifetime_suffix() {
|
|
let params = CryptoParameters::defaults();
|
|
let mut alice = AsbAuthenticator::new("s", ¶ms, [1u8; 16]).unwrap();
|
|
let bob = AsbAuthenticator::new("s", ¶ms, [2u8; 16]).unwrap();
|
|
alice.accept_connect_response(bob.local_public_key(), Some("PT5M:V2"));
|
|
assert!(alice.use_apollo_signing());
|
|
|
|
let mut alice2 = AsbAuthenticator::new("s", ¶ms, [1u8; 16]).unwrap();
|
|
alice2.accept_connect_response(bob.local_public_key(), Some("PT5M"));
|
|
assert!(!alice2.use_apollo_signing());
|
|
|
|
let mut alice3 = AsbAuthenticator::new("s", ¶ms, [1u8; 16]).unwrap();
|
|
alice3.accept_connect_response(bob.local_public_key(), None);
|
|
assert!(!alice3.use_apollo_signing());
|
|
}
|
|
|
|
#[test]
|
|
fn pbkdf2_derive_matches_dotnet_test_vector() {
|
|
// .NET reference vector — captured by running `Rfc2898DeriveBytes.Pbkdf2`
|
|
// with password=base64("hello") = "aGVsbG8=", salt="ArchestrAService",
|
|
// 1000 iterations, SHA1, 16-byte output. Cross-check ensures the
|
|
// `password_b64 || salt || iterations || output_len` recipe matches
|
|
// .NET exactly.
|
|
//
|
|
// To regenerate (PowerShell):
|
|
// $pw = [Convert]::ToBase64String([byte[]](104,101,108,108,111))
|
|
// $salt = [System.Text.Encoding]::ASCII.GetBytes("ArchestrAService")
|
|
// [BitConverter]::ToString(
|
|
// [System.Security.Cryptography.Rfc2898DeriveBytes]::Pbkdf2(
|
|
// $pw, $salt, 1000, "SHA1", 16))
|
|
//
|
|
// Until that command is run on a Windows host with .NET 10, this
|
|
// test only proves *self-consistency* — it pins the Rust output so
|
|
// any unintended algorithm change is caught.
|
|
let mut out = [0u8; AES_KEY_LEN];
|
|
let password_b64 = base64_encode(b"hello");
|
|
pbkdf2_hmac::<Sha1>(
|
|
password_b64.as_bytes(),
|
|
PASSWORD_SALT,
|
|
PBKDF2_ITERATIONS,
|
|
&mut out,
|
|
);
|
|
// Computed by running this exact code once and pinning the result.
|
|
// Replace with the .NET `BitConverter.ToString(...)` output once
|
|
// the cross-implementation parity probe lands.
|
|
let snapshot = hex::decode("8eece598d3cd62ebfcb0605c8822f3ce").unwrap();
|
|
// Self-consistency snapshot, not a .NET-verified vector. If a
|
|
// real cross-impl vector comes later, replace the bytes inline.
|
|
assert_eq!(out.as_slice(), snapshot.as_slice());
|
|
}
|
|
}
|