noise-ruby 0.1.0

data/lib/noise/protocol.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+module Noise
+  class Protocol
+    attr_accessor :prologue, :initiator, :cipher_state_encrypt, :cipher_state_decrypt
+    attr_reader :name, :cipher_fn, :hash_fn, :dh_fn, :hkdf_fn, :pattern
+    attr_reader :handshake_state, :keypairs, :keypair_fn
+    attr_reader :handshake_hash
+    attr_accessor :cipher_state_handshake
+
+    CIPHER = {
+      'AESGCM': Noise::Functions::Cipher::AesGcm,
+      'ChaChaPoly': Noise::Functions::Cipher::ChaChaPoly
+    }.stringify_keys.freeze
+
+    DH = {
+      '25519': Noise::Functions::DH::DH25519,
+      '448': Noise::Functions::DH::DH448
+    }.stringify_keys.freeze
+
+    HASH = {
+      'BLAKE2b': Noise::Functions::Hash::Blake2b,
+      'BLAKE2s': Noise::Functions::Hash::Blake2s,
+      'SHA256': Noise::Functions::Hash::Sha256,
+      'SHA512': Noise::Functions::Hash::Sha512
+    }.stringify_keys.freeze
+
+    def self.create(name)
+      prefix, pattern_name, dh_name, cipher_name, hash_name = name.split('_')
+      raise Noise::Exceptions::ProtocolNameError if prefix != 'Noise'
+      new(name, pattern_name, cipher_name, hash_name, dh_name)
+    end
+
+    def initialize(name, pattern_name, cipher_name, hash_name, dh_name)
+      @name = name
+      @pattern = Noise::Pattern.create(pattern_name[0..1])
+      @keypairs = { s: nil, e: nil, rs: nil, re: nil }
+      @cipher_fn = CIPHER[cipher_name]&.new
+      @hash_fn = HASH[hash_name]&.new
+      @dh_fn = DH[dh_name]&.new
+      @hkdf_fn = Noise::Functions::Hash.create_hkdf_fn(hash_name)
+      raise Noise::Exceptions::ProtocolNameError unless @cipher_fn && @hash_fn && @dh_fn
+    end
+
+    def handshake_done
+      if @pattern.one_way
+        if @initiator
+          @cipher_state_decrypt = nil
+        else
+          @cipher_state_encrypt = nil
+        end
+      end
+      @handshake_hash = @symmetric_state.handshake_hash
+      @handshake_state = nil
+      @symmetric_state = nil
+      @cipher_state_handshake = nil
+      @prologue = nil
+      @initiator = nil
+      @dh_fn = nil
+      @hash_fn = nil
+      @keypair_fn = nil
+
+    end
+
+    def validate
+      # TODO : support PSK
+      # if @psk_handshake
+      #   if @psks.inclueds? {|psk| psk.size != 32}
+      #     raise NoisePSKError
+      #   else
+      #     raise NoisePSKError
+      #   end
+      # end
+
+      # You need to set role with NoiseConnection.set_as_initiator
+      # or NoiseConnection.set_as_responder
+      raise Noise::Exceptions::NoiseValidationError if @initiator.nil?
+
+      # 'Keypair {} has to be set for chosen handshake pattern'.format(keypair)
+      # require 'pp'
+      # pp @pattern
+      # pp @initiator
+      # pp @pattern.required_keypairs(@initiator)
+      # pp @keypairs
+      raise Noise::Exceptions::NoiseValidationError if @pattern.required_keypairs(@initiator).any? { |keypair| !@keypairs[keypair] }
+
+      if @keypairs[:e] || @keypairs[:re]
+        # warnings
+        # One of ephemeral keypairs is already set.
+        # This is OK for testing, but should NEVER happen in production!
+      end
+    end
+
+    def initialise_handshake_state
+      @handshake_state = Noise::State::HandshakeState.new(
+        self,
+        @initiator,
+        @prologue,
+        @keypairs[:s],
+        @keypairs[:e],
+        @keypairs[:rs],
+        @keypairs[:re]
+      )
+      @symmetric_state = @handshake_state.symmetric_state
+    end
+  end
+end

data/lib/noise/state.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+module Noise
+  module State
+    autoload :CipherState, 'noise/state/cipher_state'
+    autoload :HandshakeState, 'noise/state/handshake_state'
+    autoload :SymmetricState, 'noise/state/symmetric_state'
+  end
+end

data/lib/noise/state/cipher_state.rb

@@ -0,0 +1,54 @@
+# frozen_string_literal: true
+
+module Noise
+  module State
+    # A CipherState can encrypt and decrypt data based on its k and n variables:
+    #
+    # - k: A cipher key of 32 bytes (which may be empty). Empty is a special value which indicates k has not yet been
+    # initialized.
+    # - n: An 8-byte (64-bit) unsigned integer nonce.
+    #
+    class CipherState
+      MAX_NONCE = 2**64 - 1
+
+      attr_reader :k, :n
+
+      def initialize(cipher: AesGcm.new)
+        @cipher = cipher
+      end
+
+      def initialize_key(key)
+        @k = key
+        @n = 0
+      end
+
+      def key?
+        !@k.nil?
+      end
+
+      def nonce=(nonce)
+        @n = nonce
+      end
+
+      def encrypt_with_ad(ad, plaintext)
+        return plaintext unless key?
+        raise Noise::Exceptions::MaxNonceError if @n == MAX_NONCE
+        ciphertext = @cipher.encrypt(@k, @n, ad, plaintext)
+        @n += 1
+        ciphertext
+      end
+
+      def decrypt_with_ad(ad, ciphertext)
+        return ciphertext unless key?
+        raise Noise::Exceptions::MaxNonceError if @n == MAX_NONCE
+        plaintext = @cipher.decrypt(@k, @n, ad, ciphertext)
+        @n += 1
+        plaintext
+      end
+
+      def rekey
+        @k = @cipher.rekey(@k)
+      end
+    end
+  end
+end

data/lib/noise/state/handshake_state.rb

@@ -0,0 +1,141 @@
+# frozen_string_literal: true
+
+module Noise
+  module State
+    # A HandshakeState object contains a SymmetricState plus the following variables, any of which may be empty. Empty
+    # is a special value which indicates the variable has not yet been initialized.
+    #
+    # s: The local static key pair
+    # e: The local ephemeral key pair
+    # rs: The remote party's static public key
+    # re: The remote party's ephemeral public key
+    #
+    class HandshakeState
+
+      attr_reader :message_patterns, :symmetric_state
+
+      def initialize(protocol, initiator, prologue, s, e, rs, re)
+        # @protocol = handshake_pattern.to_protocol
+        @protocol = protocol
+        @symmetric_state = SymmetricState.new
+        @symmetric_state.initialize_symmetric(@protocol)
+        @symmetric_state.mix_hash(prologue)
+        @initiator = initiator
+        @s = [s].flatten
+        @e = [e].flatten
+        @rs = [rs].flatten
+        @re = [re].flatten
+
+        # TODO : Calls MixHash() once for each public key listed in the pre-messages from  handshake_pattern, with the
+        # specified public key as input (see Section 7 for an explanation of pre-messages). If both initiator and
+        # responder have pre-messages, the initiator's public keys are hashed first.
+        get_local_keypair = ->(token) { instance_variable_get('@' + token) }
+        get_remote_keypair = ->(token) { instance_variable_get('@r' + token) }
+
+        if initiator
+          initiator_keypair_getter = get_local_keypair
+          responder_keypair_getter = get_remote_keypair
+        else
+          initiator_keypair_getter = get_remote_keypair
+          responder_keypair_getter = get_local_keypair
+        end
+
+        @protocol.pattern.initiator_pre_messages&.map do |message|
+          keypair = initiator_keypair_getter.call(message)
+          @symmetric_state.mix_hash(keypair[1])
+        end
+
+        @protocol.pattern.responder_pre_messages&.map do |message|
+          keypair = responder_keypair_getter.call(message)
+          @symmetric_state.mix_hash(keypair[1])
+        end
+        # Sets message_patterns to the message patterns from handshake_pattern
+        @message_patterns = @protocol.pattern.tokens.dup
+      end
+
+      def write_message(payload, message_buffer)
+        pattern = @message_patterns.shift
+        dh_fn = @protocol.dh_fn
+
+        pattern.each do |token|
+          case token
+          when 'e'
+            @e = dh_fn.generate_keypair if @e.compact.empty?
+            message_buffer << @e[1]
+            @symmetric_state.mix_hash(@e[1])
+            next
+          when 's'
+            message_buffer << @symmetric_state.encrypt_and_hash(@s[1])
+            next
+          when 'ee'
+            @symmetric_state.mix_key(dh_fn.dh(@e[0], @re[1]))
+            next
+          when 'es'
+            if @initiator
+              @symmetric_state.mix_key(dh_fn.dh(@e[0], @rs[1]))
+            else
+              @symmetric_state.mix_key(dh_fn.dh(@s[0], @re[1]))
+            end
+            next
+          when 'se'
+            if @initiator
+              @symmetric_state.mix_key(dh_fn.dh(@s[0], @re[1]))
+            else
+              @symmetric_state.mix_key(dh_fn.dh(@e[0], @rs[1]))
+            end
+            next
+          when 'ss'
+            @symmetric_state.mix_key(dh_fn.dh(@s[0], @rs[1]))
+            next
+          end
+        end
+        message_buffer << @symmetric_state.encrypt_and_hash(payload)
+        @symmetric_state.split if @message_patterns.empty?
+      end
+
+      def read_message(message, payload_buffer)
+        pattern = @message_patterns.shift
+        dh_fn = @protocol.dh_fn
+        len = dh_fn.dhlen
+        pattern.each do |token|
+          case token
+          when 'e'
+            @re = @protocol.dh_fn.class.from_public(message[0...len]) if @re.compact.empty?
+            message = message[len..-1]
+            @symmetric_state.mix_hash(@re[1])
+            next
+          when 's'
+            offset = @protocol.cipher_state_handshake.key? ? 16 : 0
+            temp = message[0...len + offset]
+            message = message[(len + offset)..-1]
+            @rs = @protocol.dh_fn.class.from_public(@symmetric_state.decrypt_and_hash(temp))
+            # @protocol.keypair.load(@symmetric_state.decrypt_and_hash(temp))
+            next
+          when 'ee'
+            @symmetric_state.mix_key(dh_fn.dh(@e[0], @re[1]))
+            next
+          when 'es'
+            if @initiator
+              @symmetric_state.mix_key(dh_fn.dh(@e[0], @rs[1]))
+            else
+              @symmetric_state.mix_key(dh_fn.dh(@s[0], @re[1]))
+            end
+            next
+          when 'se'
+            if @initiator
+              @symmetric_state.mix_key(dh_fn.dh(@s[0], @re[1]))
+            else
+              @symmetric_state.mix_key(dh_fn.dh(@e[0], @rs[1]))
+            end
+            next
+          when 'ss'
+            @symmetric_state.mix_key(dh_fn.dh(@s[0], @rs[1]))
+            next
+          end
+        end
+        payload_buffer << @symmetric_state.decrypt_and_hash(message)
+        @symmetric_state.split if @message_patterns.empty?
+      end
+    end
+  end
+end

data/lib/noise/state/symmetric_state.rb

@@ -0,0 +1,86 @@
+# frozen_string_literal: true
+
+module Noise
+  module State
+    # A SymmetricState object contains a CipherState plus the following variables:
+    #
+    # - ck: A chaining key of HASHLEN bytes.
+    # - h: A hash output of HASHLEN bytes.
+    #
+    class SymmetricState
+      attr_reader :h, :ck
+      attr_reader :cipher_state
+
+      def initialize_symmetric(protocol)
+        @protocol = protocol
+        @ck = @h =
+                if @protocol.name.length <= @protocol.hash_fn.hashlen
+                  @protocol.name.ljust(@protocol.hash_fn.hashlen, "\x00")
+                else
+                  @protocol.hash_fn.hash(@protocol.name)
+                end
+
+        @cipher_state = CipherState.new(cipher: @protocol.cipher_fn)
+        @cipher_state.initialize_key(nil)
+        @protocol.cipher_state_handshake = @cipher_state
+      end
+
+      def mix_key(input_key_meterial)
+        @ck, temp_k = @protocol.hkdf_fn.call(@ck, input_key_meterial, 2)
+        temp_k = truncate(temp_k)
+        @cipher_state.initialize_key(temp_k)
+      end
+
+      # data [String] binary string
+      def mix_hash(data)
+        @h = @protocol.hash_fn.hash(@h + data)
+      end
+
+      def mix_key_and_hash(input_key_meterial)
+        @ck, temp_h, temp_k = @protocol.hkdf_fn.call(@ck, input_key_meterial, 3)
+        mix_hash(temp_h)
+        temp_k = truncate(temp_k)
+        @cipher_state.initialize_key(temp_k)
+      end
+
+      def handshake_hash
+        @h
+      end
+
+      def encrypt_and_hash(plaintext)
+        ciphertext = @cipher_state.encrypt_with_ad(@h, plaintext)
+        mix_hash(ciphertext)
+        ciphertext
+      end
+
+      def decrypt_and_hash(ciphertext)
+        plaintext = @cipher_state.decrypt_with_ad(@h, ciphertext)
+        mix_hash(ciphertext)
+        plaintext
+      end
+
+      def split
+        temp_k1, temp_k2 = @protocol.hkdf_fn.call(@ck, '', 2)
+        temp_k1 = truncate(temp_k1)
+        temp_k2 = truncate(temp_k2)
+        c1 = CipherState.new(cipher: @protocol.cipher_fn)
+        c2 = CipherState.new(cipher: @protocol.cipher_fn)
+        c1.initialize_key(temp_k1)
+        c2.initialize_key(temp_k2)
+        if @protocol.initiator
+          @protocol.cipher_state_encrypt = c1
+          @protocol.cipher_state_decrypt = c2
+        else
+          @protocol.cipher_state_encrypt = c2
+          @protocol.cipher_state_decrypt = c1
+        end
+        @protocol.handshake_done
+        [c1, c2]
+      end
+
+      def truncate(temp_k)
+        @protocol.hash_fn.hashlen == 64 ? temp_k[0, 32] : temp_k
+      end
+    end
+  end
+end

data/lib/noise/utils/hash.rb

@@ -0,0 +1,9 @@
+# frozen_string_literal: true
+
+class Hash
+  def stringify_keys
+    keys.each_with_object({}) do |key, h|
+      h[key.to_s] = self[key]
+    end
+  end
+end

data/lib/noise/utils/string.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+class String
+  def htb
+    [self].pack("H*")
+  end
+  def bth
+    self.unpack("H*").first
+  end
+end

data/lib/noise/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Noise
+  VERSION = '0.1.0'
+end

data/noise.gemspec

@@ -0,0 +1,29 @@
+lib = File.expand_path('../lib', __FILE__)
+$LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
+require 'noise/version'
+
+Gem::Specification.new do |spec|
+  spec.name          = 'noise-ruby'
+  spec.version       = Noise::VERSION
+  spec.authors       = ['Hajime Yamaguchi']
+  spec.email         = ['gen.yamaguchi0@gmail.com']
+
+  spec.summary       = 'A Ruby implementation of the Noise Protocol framework'
+  spec.description   = 'A Ruby implementation of the Noise Protocol framework(http://noiseprotocol.org/).'
+  spec.homepage      = 'https://github.com/Yamaguchi/noise'
+
+  spec.files = `git ls-files -z`.split("\x0").reject do |f|
+    f.match(%r{^(test|spec|features)/})
+  end
+  spec.bindir = 'exe'
+  spec.executables = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
+  spec.require_paths = ['lib']
+
+  spec.add_development_dependency 'bundler', '~> 1.15'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
+
+  spec.add_runtime_dependency 'ecdsa'
+  spec.add_runtime_dependency 'rbnacl'
+  spec.add_runtime_dependency 'rb-pure25519'
+end