ssh-cipher: impl AeadInOut for ChaCha20Poly1305 (#370)

Replaces the inherent method-based API with an `AeadInOut` trait impl.

AAD is supported up to lengths of 16 (i.e. the Poly1305 block size).

This is sufficient to cover the relevant use cases for OpenSSH, which
are empty AAD or AAD with a length of 4 (i.e. encrypted `uint32`
length).

Author: tarcieri

ssh-cipher/src/chacha20poly1305.rs

@@ -4,11 +4,12 @@ pub use chacha20::ChaCha20Legacy as ChaCha20;
 
 use crate::Tag;
 use aead::{
-    AeadCore, Error, KeyInit, KeySizeUser, Result, TagPosition,
+    AeadCore, AeadInOut, Error, KeyInit, KeySizeUser, Result, TagPosition,
     array::typenum::{U8, U16, U32},
+    inout::InOutBuf,
 };
 use cipher::{KeyIvInit, StreamCipher, StreamCipherSeek};
-use poly1305::Poly1305;
+use poly1305::{Poly1305, universal_hash::UniversalHash};
 use subtle::ConstantTimeEq;
 
 #[cfg(feature = "zeroize")]
@@ -27,6 +28,11 @@ pub type ChaChaNonce = chacha20::LegacyNonce;
 /// - Nonce is 64-bit instead of 96-bit (i.e. uses legacy "djb" ChaCha20 variant).
 /// - The AAD and ciphertext inputs of Poly1305 are not padded.
 /// - The lengths of ciphertext and AAD are not authenticated using Poly1305.
+/// - Maximum supported AAD size is 16.
+///
+/// ## Usage notes
+/// - In the context of SSH packet encryption, AAD will be 4 bytes and contain the encrypted length.
+/// - In the context of SSH key encryption, AAD will be empty.
 ///
 /// [PROTOCOL.chacha20poly1305]: https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD
 /// [RFC8439]: https://datatracker.ietf.org/doc/html/rfc8439
@@ -52,46 +58,25 @@ impl AeadCore for ChaCha20Poly1305 {
     const TAG_POSITION: TagPosition = TagPosition::Postfix;
 }
 
-impl ChaCha20Poly1305 {
-    /// Encrypt the provided `buffer` in-place, returning the Poly1305 authentication tag.
-    ///
-    /// The input `buffer` should contain the concatenation of any additional associated data (AAD)
-    /// and the plaintext to be encrypted, where in the context of the SSH packet encryption
-    /// protocol the AAD represents an encrypted packet length, which is itself 4-bytes / 64-bits.
-    ///
-    /// `aad_len` is the length of the AAD in bytes:
-    /// - In the context of SSH packet encryption, this should be `4`.
-    /// - In the context of SSH key encryption, `aad_len` should be `0`.
-    ///
-    /// The first `aad_len` bytes of `buffer` will be unmodified after encryption is completed.
-    /// Only the data after `aad_len` will be encrypted.
-    ///
-    /// The resulting `Tag` authenticates both the AAD and the ciphertext in the buffer.
-    pub fn encrypt(&self, nonce: &ChaChaNonce, buffer: &mut [u8], aad_len: usize) -> Result<Tag> {
-        Cipher::new(&self.key, nonce).encrypt(buffer, aad_len)
+impl AeadInOut for ChaCha20Poly1305 {
+    // Required methods
+    fn encrypt_inout_detached(
+        &self,
+        nonce: &ChaChaNonce,
+        associated_data: &[u8],
+        buffer: InOutBuf<'_, '_, u8>,
+    ) -> Result<Tag> {
+        Cipher::new(&self.key, nonce).encrypt(associated_data, buffer)
     }
 
-    /// Decrypt the provided `buffer` in-place, verifying it against the provided Poly1305
-    /// authentication `tag`.
-    ///
-    /// The input `buffer` should contain the concatenation of any additional associated data (AAD)
-    /// and the ciphertext to be authenticated, where in the context of the SSH packet encryption
-    /// protocol the AAD represents an encrypted packet length, which is itself 4-bytes / 64-bits.
-    ///
-    /// `aad_len` is the length of the AAD in bytes:
-    /// - In the context of SSH packet encryption, this should be `4`.
-    /// - In the context of SSH key encryption, `aad_len` should be `0`.
-    ///
-    /// The first `aad_len` bytes of `buffer` will be unmodified after decryption completes
-    /// successfully. Only data after `aad_len` will be decrypted.
-    pub fn decrypt(
+    fn decrypt_inout_detached(
         &self,
         nonce: &ChaChaNonce,
-        buffer: &mut [u8],
-        tag: Tag,
-        aad_len: usize,
+        associated_data: &[u8],
+        buffer: InOutBuf<'_, '_, u8>,
+        tag: &Tag,
     ) -> Result<()> {
-        Cipher::new(&self.key, nonce).decrypt(buffer, tag, aad_len)
+        Cipher::new(&self.key, nonce).decrypt(associated_data, buffer, tag)
     }
 }
 
@@ -128,37 +113,53 @@ impl Cipher {
 
     /// Encrypt the provided `buffer` in-place, returning the Poly1305 authentication tag.
     #[inline]
-    pub fn encrypt(mut self, buffer: &mut [u8], aad_len: usize) -> Result<Tag> {
-        if buffer.len() < aad_len {
-            return Err(Error);
-        }
-
-        self.cipher.apply_keystream(&mut buffer[aad_len..]);
-        Ok(self.mac.compute_unpadded(buffer))
+    pub fn encrypt(mut self, aad: &[u8], mut buffer: InOutBuf<'_, '_, u8>) -> Result<Tag> {
+        self.cipher.apply_keystream_inout(buffer.reborrow());
+        compute_mac(self.mac, aad, buffer.get_out())
     }
 
     /// Decrypt the provided `buffer` in-place, verifying it against the provided Poly1305
     /// authentication `tag`.
     #[inline]
-    pub fn decrypt(mut self, buffer: &mut [u8], tag: Tag, aad_len: usize) -> Result<()> {
-        if buffer.len() < aad_len {
-            return Err(Error);
-        }
-
-        let expected_tag = self.mac.compute_unpadded(buffer);
+    pub fn decrypt(mut self, aad: &[u8], buffer: InOutBuf<'_, '_, u8>, tag: &Tag) -> Result<()> {
+        let expected_tag = compute_mac(self.mac, aad, buffer.get_in())?;
 
-        if expected_tag.ct_eq(&tag).into() {
-            self.cipher.apply_keystream(&mut buffer[aad_len..]);
+        if expected_tag.ct_eq(tag).into() {
+            self.cipher.apply_keystream_inout(buffer);
             Ok(())
         } else {
             Err(Error)
         }
     }
 }
 
+/// Compute the MAC for a given input buffer (containing ciphertext).
+fn compute_mac(mut mac: Poly1305, aad: &[u8], buffer: &[u8]) -> Result<Tag> {
+    match aad.len() {
+        0 => Ok(mac.compute_unpadded(buffer)),
+        1..poly1305::BLOCK_SIZE => {
+            let mut block = poly1305::Block::default();
+            block[..aad.len()].copy_from_slice(aad);
+
+            let block_remaining = poly1305::BLOCK_SIZE.checked_sub(aad.len()).ok_or(Error)?;
+            if buffer.len() > block_remaining {
+                let (head, tail) = buffer.split_at(block_remaining);
+                block[aad.len()..].copy_from_slice(head);
+                mac.update(&[block]);
+                Ok(mac.compute_unpadded(tail))
+            } else {
+                let msg_len = aad.len().checked_add(buffer.len()).ok_or(Error)?;
+                block[aad.len()..msg_len].copy_from_slice(buffer);
+                Ok(mac.compute_unpadded(&block[..msg_len]))
+            }
+        }
+        _ => Err(Error),
+    }
+}
+
 #[cfg(test)]
 mod tests {
-    use super::{ChaCha20Poly1305, KeyInit};
+    use super::{AeadInOut, ChaCha20Poly1305, KeyInit};
     use hex_literal::hex;
 
     #[test]
@@ -170,30 +171,24 @@ mod tests {
         let ciphertext = hex!("6dcfb03be8a55e7f0220465672edd921489ea0171198e8a7");
         let tag = hex!("3e82fe0a2db7128d58ef8d9047963ca3");
 
-        const AAD_LEN: usize = 4;
-        const PT_LEN: usize = 24;
-        assert_eq!(aad.len(), AAD_LEN);
-        assert_eq!(plaintext.len(), PT_LEN);
-
         let cipher = ChaCha20Poly1305::new(key.as_ref());
-        let mut buffer = [0u8; AAD_LEN + PT_LEN];
-        let (a, p) = buffer.split_at_mut(AAD_LEN);
-        a.copy_from_slice(&aad);
-        p.copy_from_slice(&plaintext);
-
+        let mut buffer = plaintext.clone();
         let actual_tag = cipher
-            .encrypt(nonce.as_ref(), &mut buffer, AAD_LEN)
+            .encrypt_inout_detached(nonce.as_ref(), &aad, buffer.as_mut_slice().into())
             .unwrap();
 
-        assert_eq!(&buffer[..AAD_LEN], aad);
-        assert_eq!(&buffer[AAD_LEN..], ciphertext);
+        assert_eq!(buffer, ciphertext);
         assert_eq!(actual_tag, tag);
 
         cipher
-            .decrypt(nonce.as_ref(), &mut buffer, actual_tag, AAD_LEN)
+            .decrypt_inout_detached(
+                nonce.as_ref(),
+                &aad,
+                buffer.as_mut_slice().into(),
+                &actual_tag,
+            )
             .unwrap();
 
-        assert_eq!(&buffer[..AAD_LEN], aad);
-        assert_eq!(&buffer[AAD_LEN..], plaintext);
+        assert_eq!(buffer, plaintext);
     }
 }

ssh-cipher/src/lib.rs

@@ -45,12 +45,12 @@ use encoding::{Label, LabelError};
 
 #[cfg(feature = "aes-gcm")]
 use {
-    aead::{AeadInOut, array::typenum::U12},
+    aead::array::typenum::U12,
     aes_gcm::{Aes128Gcm, Aes256Gcm},
 };
 
 #[cfg(any(feature = "aes-gcm", feature = "chacha20poly1305"))]
-use aead::KeyInit;
+use aead::{AeadInOut, KeyInit};
 
 /// AES-128 in block chaining (CBC) mode
 const AES128_CBC: &str = "aes128-cbc";
@@ -258,7 +258,7 @@ impl Cipher {
                 let nonce = iv.try_into().map_err(|_| Error::IvSize)?;
                 let tag = tag.ok_or(Error::TagSize)?;
                 ChaCha20Poly1305::new(key)
-                    .decrypt(nonce, buffer, tag, 0)
+                    .decrypt_inout_detached(nonce, &[], buffer.into(), &tag)
                     .map_err(|_| Error::Crypto)
             }
             // Use `Decryptor` for non-AEAD modes
@@ -320,7 +320,7 @@ impl Cipher {
                 let key = key.try_into().map_err(|_| Error::KeySize)?;
                 let nonce = iv.try_into().map_err(|_| Error::IvSize)?;
                 let tag = ChaCha20Poly1305::new(key)
-                    .encrypt(nonce, buffer, 0)
+                    .encrypt_inout_detached(nonce, &[], buffer.into())
                     .map_err(|_| Error::Crypto)?;
                 Ok(Some(tag))
             }