Conversation
f4003f7 to 7713e14
mlkem, derive Copy for DHPublicKey. Refactor our key structs into typed() helper fn. bugfix: Fixup DH shared secret in primitives/x25519. Add test. bugfix: Fix mlkem768 deterministic_keygen seed size. Add from_bytes deterministic keygen fn.
…key. Refactor into new types. Add Api and (restricted) JournalistApi and implement. Remove source constructor without passphrase.
types, and Client, JournalistClient, and SourceClient (now handled by api.rs). Remove unused methods and structs from primitives.rs.
…Deprecate ServerMessageStore and use new wrapped wasm type for de/serializing hashmaps in wasm. Add uuid with js features as a dependency.
…repare for splitting into multiple files. Add passphrase function for source testing purposes.
server.rs: use primitives constant for number of fetch challenges
…and JournalistClient. Use new 0.3 functions.
7713e14 to 22a6846
This is out of draft mode and feedback is welcome. There's a little more I'll do on the setup / core tests, so the goal is feedback, not merge :) |
| ) -> Result<DHSharedSecret, Error> { | ||
| let mut shared_secret_bytes = [0u8; 32]; | ||
| libcrux_curve25519::ecdh(&mut shared_secret_bytes, &private_scalar, &public_key.0) | ||
| ecdh(&mut shared_secret_bytes, &public_key.0, &private_scalar) |
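Review bot: the argument order on the added line now matches the documented signature `ecdh(out, pk, sk)`, but the removed line shows why the bug was silent: `private_scalar` and `public_key.0` are both `&[u8; 32]`, so swapping them compiled cleanly and only the resulting shared secret was wrong. Pin the fix with a known-answer test against the RFC 7748 X25519 test vector (not only a round-trip between two locally generated keypairs) so the order cannot regress unnoticed, and consider passing the typed private-key and `DHPublicKey` wrappers down to this call site so the compiler can tell the two arguments apart.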
from https://docs.rs/libcrux-curve25519/latest/libcrux_curve25519/fn.ecdh.html, param order
pub fn ecdh(
out: &mut [u8; 32],
pk: &[u8; 32],
sk: &[u8; 32],
) -> Result<(), Error>
| // Validate key sizes (XWING should have consistent sizes) | ||
| if private_key_bytes.len() != XWING_PRIVATE_KEY_LEN | ||
| || public_key_bytes.len() != XWING_PUBLIC_KEY_LEN | ||
| { | ||
| return Err(anyhow::anyhow!( | ||
| "Unexpected XWING key sizes: private={}, public={}", | ||
| private_key_bytes.len(), | ||
| public_key_bytes.len() | ||
| )); | ||
| } |
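Review bot: the length check at the top of this hunk is a runtime guard on slices, so the invariant the error message describes is re-checked at every call and never becomes visible to the type system. Converting at the boundary with `<[u8; XWING_PRIVATE_KEY_LEN]>::try_from(private_key_bytes)` (and the same for `public_key_bytes`) would let `typed()` hand out fixed-size arrays and collapse the check into one fallible conversion, which is also the shape the #154 invariant-proving discussion wants. Minor: the `anyhow!` message folds both lengths into one string; a structured error carrying `expected` and `got` is easier to assert on in tests.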
This kind of logic might be good low-hanging fruit for #154: i.e., proving—
private_key_bytes.len() == XWING_PRIVATE_KEY_LEN
public_key_bytes.len() == XWING_PUBLIC_KEY_LEN—as invariants of these typed() helpers that they can't violate. Likewise various sanity-checking assertions, if we can make them pre- and post-conditions on function boundaries.
| request | ||
| .journalist_verifying_key | ||
| .verify(&signed_message, &bundle.signature) | ||
| .bundles | ||
| .iter() | ||
| .try_for_each(|k| request.vk.verify(&k.0.as_bytes(), &k.1.as_signature())) | ||
| .map_err(|_| anyhow::anyhow!("Invalid signature on ephemeral keys"))?; | ||
|
|
||
| // Store the ephemeral keys for the journalist | ||
| self.storage | ||
| .add_ephemeral_keys(journalist_id, Vec::from([bundle])); |
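Review bot: the verification on the added lines is keyed by `request.vk`, which arrives in the same request as the bundles, so a passing check only shows that whoever supplied `request.vk` also signed the keys. Before `add_ephemeral_keys(journalist_id, ...)` the handler has to confirm that `request.vk` is the verifying key already enrolled for `journalist_id` (or look the key up by id instead of taking it from the request); that binding is not visible in this hunk, and without it any caller could publish ephemeral keys under another journalist's id. The `?` on the `try_for_each` does correctly return before anything is stored if a single signature fails. Naming: the check iterates `.bundles` while the store call passes `Vec::from([bundle])`; worth confirming the two refer to the same collection.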
This is probably premature overengineering, but I'll mention it just for the sake of starting the discussion early and concretely: This codebase may be a good candidate for the typestate pattern, e.g. "only save keys whose signatures have been verified".
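As an added illustration of the typestate idea in the comment above, combined with the earlier #154 point about making key lengths invariants of the typed helpers, here is a self-contained Rust sketch. It is example code written for this review, not code from this PR or from securedrop-protocol: the type and method names (`MessageKeyBundle`, `add_ephemeral_keys`, `handle_replenish`, the `Unverified`/`Verified` markers) are hypothetical, and the "signature" is a keyed 64-bit FNV-1a tag standing in for Ed25519 so the block runs on std alone. The two properties it demonstrates are that a `DHPublicKey` can only be built from exactly 32 bytes, and that storage only accepts bundles whose signature check has already consumed the unverified value.

```rust
// Added example, not securedrop-protocol code. Names are hypothetical.
use std::collections::HashMap;
use std::convert::TryFrom;
use std::marker::PhantomData;

pub const DH_PUBLIC_KEY_LEN: usize = 32;
pub const SIGNATURE_LEN: usize = 8; // toy tag length, see toy_tag()

#[derive(Debug, PartialEq, Eq)]
pub enum Error {
    BadLength { expected: usize, got: usize },
    BadSignature,
}

/// Length is a type invariant: the only fallible path in is `TryFrom<&[u8]>`.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct DHPublicKey([u8; DH_PUBLIC_KEY_LEN]);

impl TryFrom<&[u8]> for DHPublicKey {
    type Error = Error;
    fn try_from(b: &[u8]) -> Result<Self, Error> {
        <[u8; DH_PUBLIC_KEY_LEN]>::try_from(b)
            .map(DHPublicKey)
            .map_err(|_| Error::BadLength { expected: DH_PUBLIC_KEY_LEN, got: b.len() })
    }
}

#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Signature([u8; SIGNATURE_LEN]);

/// Stand-in for an Ed25519 keypair: a keyed FNV-1a tag. NOT a real signature
/// scheme; it exists only so the typestate gate below runs without extra crates.
pub struct SigningKey(u64);
pub struct VerifyingKey(u64);

fn toy_tag(secret: u64, msg: &[u8]) -> [u8; SIGNATURE_LEN] {
    let mut h: u64 = 0xcbf2_9ce4_8422_2325 ^ secret;
    for &b in msg {
        h ^= u64::from(b);
        h = h.wrapping_mul(0x0100_0000_01b3);
    }
    h.to_be_bytes()
}
impl SigningKey {
    pub fn sign(&self, msg: &[u8]) -> Signature { Signature(toy_tag(self.0, msg)) }
    pub fn verifying_key(&self) -> VerifyingKey { VerifyingKey(self.0) }
}
impl VerifyingKey {
    pub fn verify(&self, msg: &[u8], sig: &Signature) -> Result<(), Error> {
        if toy_tag(self.0, msg) == sig.0 { Ok(()) } else { Err(Error::BadSignature) }
    }
}

/// Typestate markers: a bundle starts Unverified and becomes Verified only via `verify`.
pub struct Unverified;
pub struct Verified;

pub struct MessageKeyBundle<State> {
    pub key: DHPublicKey,
    pub sig: Signature,
    _state: PhantomData<State>,
}

impl MessageKeyBundle<Unverified> {
    pub fn new(key: DHPublicKey, sig: Signature) -> Self {
        Self { key, sig, _state: PhantomData }
    }
    /// Consumes the unverified bundle; a Verified value exists only if the check passed.
    pub fn verify(self, vk: &VerifyingKey) -> Result<MessageKeyBundle<Verified>, Error> {
        vk.verify(&self.key.0, &self.sig)?;
        Ok(MessageKeyBundle { key: self.key, sig: self.sig, _state: PhantomData })
    }
}

#[derive(Default)]
pub struct Storage { ephemeral: HashMap<u32, Vec<MessageKeyBundle<Verified>>> }

impl Storage {
    /// Only Verified bundles are accepted; passing an Unverified one is a compile error.
    pub fn add_ephemeral_keys(&mut self, journalist_id: u32, bundles: Vec<MessageKeyBundle<Verified>>) {
        self.ephemeral.entry(journalist_id).or_default().extend(bundles);
    }
    pub fn count(&self, journalist_id: u32) -> usize {
        self.ephemeral.get(&journalist_id).map_or(0, Vec::len)
    }
}

/// Verify every bundle first; store only if the whole batch passes. Returns how many were stored.
pub fn handle_replenish(storage: &mut Storage, journalist_id: u32, vk: &VerifyingKey,
                        bundles: Vec<MessageKeyBundle<Unverified>>) -> Result<usize, Error> {
    let verified = bundles.into_iter().map(|b| b.verify(vk)).collect::<Result<Vec<_>, _>>()?;
    let n = verified.len();
    storage.add_ephemeral_keys(journalist_id, verified);
    Ok(n)
}

/// Constructed inputs: a valid batch, a batch with one tampered tag, and a 31-byte key.
pub fn demo() -> (usize, bool, bool) {
    let sk = SigningKey(0x5eed);
    let vk = sk.verifying_key();
    let key = DHPublicKey::try_from(&[7u8; DH_PUBLIC_KEY_LEN][..]).expect("32 bytes");
    let mut storage = Storage::default();
    let good = vec![MessageKeyBundle::new(key, sk.sign(&key.0)), MessageKeyBundle::new(key, sk.sign(&key.0))];
    let stored = handle_replenish(&mut storage, 1, &vk, good).expect("valid bundles");
    let mut forged = sk.sign(&key.0);
    forged.0[0] ^= 1;
    let bad = vec![MessageKeyBundle::new(key, sk.sign(&key.0)), MessageKeyBundle::new(key, forged)];
    let rejected = handle_replenish(&mut storage, 2, &vk, bad).is_err() && storage.count(2) == 0;
    let short_key_rejected = DHPublicKey::try_from(&[0u8; 31][..]).is_err();
    (stored, rejected, short_key_rejected)
}

fn main() {
    let (stored, rejected, short) = demo();
    println!("stored {stored}; tampered batch rejected: {rejected}; 31-byte key rejected: {short}");
}
```

The point of the `PhantomData<State>` parameter is that `Storage::add_ephemeral_keys` cannot be called with a `MessageKeyBundle<Unverified>` at all; the only constructor of the `Verified` state is the consuming `verify`, so "every stored key was signature-checked" holds by construction rather than by convention at each call site.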
Exciting to see this! I've read through and left a few comments on possible typing and verifying patterns—more ideas for future reference than feedback per se. |
securedrop_protocol_minimal::primitives::xwing::typed per <freedomofpress#164 (comment)>.
Discussed today: @rocodes will rebase this from |
| /// Common client functionality for source and journalist clients | ||
| pub trait Api { |
I like this pattern, and I think it's a good foundation for exposing the source/journalist asymmetry at the API level. However, in #167 I've just discovered that hax's F* back end doesn't yet support it. We probably don't care for this module, which is high-level enough that we're unlikely to prove much of it in hax, but just FYI.
| fn fetch_keypair(&self) -> (&DHPrivateKey, &DHPublicKey); | ||
| fn message_auth_keypair(&self) -> (&DhAkemPrivateKey, &DhAkemPublicKey); | ||
| fn build_message(&self, message: Vec<u8>) -> Plaintext; | ||
| fn keybundles(&self) -> impl Iterator<Item = &MessageKeyBundle>; |
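Review bot: `fetch_keypair` and `message_auth_keypair` hand out `&DHPrivateKey` and `&DhAkemPrivateKey` through a public trait, which makes private key material reachable from any generic code bounded on `Api`, not just from the concrete client that owns it. Consider exposing the operations instead (a method that performs the DH or DH-AKEM step and returns only the derived value) and keeping the private halves behind the concrete `SourceClient` / `JournalistClient` types; that narrows where key bytes can be copied or accidentally logged. The same reshaping would also let `keybundles` return `&[MessageKeyBundle]` rather than `impl Iterator`, which avoids the return-position `impl Trait` that the hax comment below flags.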
This (nice!) pattern crashes hax pending cryspen/hax#1965.
...and will not be supported. I imagine we very much will want proofs for our types, key bundles among them, and when we do we'll need to use a different pattern here. (But #164 takes an incremental approach precisely so that we can decide when—in this case, when the refactoring work will be worth the proving benefit.)
cfm left a comment
Approving after discussing with @redshiftzero—follow-up refinements welcome!
Closes #140
Towards #115
Refs #138
(WIP, more explanation tk)
encrypt_decrypt.rs (single file benchmark impl) and merge with jen scaffold impl. Update scaffold tests.
Test Plan