rbnacl 1.1.0 → 2.0.0.pre

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 5f8462f580b5f1517e510c7cf5137b4dc5edec1f
-  data.tar.gz: e6ef35925227eeb5e49edb8868ab1f375002fa3a
+  metadata.gz: 2ba5a3248fe87dd5d2f784f29857ff1d7d26e631
+  data.tar.gz: b61bd66e86e6b2bce75ed52d87d0a706df5626b6
 SHA512:
-  metadata.gz: 3f66ffdf3087fd9f5b77f85c0e87f68825ed7c9c4cfe07c45d37cab48f299971cd4e07e0a443dde9fa7d7bf245df0834eda82cc4a9f1c4afc52c10cc0602b184
-  data.tar.gz: a25f2a0fbed4b8b09a9c8bbb4e2d4029e0327684483b1aabf7f2ac8d7023cab716b51a78a38c5531c786f9a143ad6b8c5176a6aafa27ca6347a34f4379aaf06c
+  metadata.gz: ed12ef065cb24120b4ff6329026ea69bb560736f6ae6df76534fd064fb862251f29d137b8a8506ed35be67965d610b2cd3b70196253a72da645d3001a3cb7ceb
+  data.tar.gz: ea66f56eadd856e610761ecb031b95a5163e7e99d6127b2798126fa2dbf9998bfd53fd9c6cf9d245511f3ba65d70d3af91313f7f01f19bd35a642f212a45ca12

data/.travis.yml

@@ -1,15 +1,11 @@
 script: "LD_LIBRARY_PATH=lib bundle exec rake ci"
 
 rvm:
-  - 1.8.7
   - 1.9.3
   - 2.0.0
-  - ree
   - ruby-head
-  - jruby-18mode
-  - jruby-19mode
+  - jruby
   - jruby-head
-  - rbx-18mode
   - rbx-19mode 
 
 matrix:

data/CHANGES.md

@@ -1,3 +1,18 @@
+2.0.0.pre
+---------
+* ZOMG LOTS OF STUFF! We should make we get it all added to this file!
+* Add encrypt/decrypt aliases for Crypto::RandomNonceBox
+* Rename Crypto module to RbNaCl module
+* RbNaCl::VerifyKey#verify operand order was reversed. New operand order is
+  signature, message instead of message, signature
+
+1.1.0 (2013-04-19)
+------------------
+
+* Provide API for querying primitives and details about them, such as key
+  lengths, nonce lengths, etc.
+* Fixed bug on passing null bytes to sha256, sha512 functions.
+
 1.0.0 (2013-03-08)
 ------------------
 * Initial release

data/Gemfile

@@ -3,7 +3,10 @@ source 'https://rubygems.org'
 # Specify your gem's dependencies in rbnacl.gemspec
 gemspec
 
+group :development do
+  gem 'guard-rspec'
+end
+
 group :test do
-  gem 'base32'
   gem 'coveralls', :require => false
 end

data/Guardfile

@@ -0,0 +1,8 @@
+# A sample Guardfile
+# More info at https://github.com/guard/guard#readme
+
+guard :rspec do
+  watch(%r{^spec/.+_spec\.rb$})
+  watch(%r{^lib/(.+)\.rb$})     { |m| "spec/#{m[1]}_spec.rb" }
+  watch('spec/spec_helper.rb')  { "spec" }
+end

data/README.md

@@ -2,7 +2,6 @@
 ======
 [![Gem Version](https://badge.fury.io/rb/rbnacl.png)](http://badge.fury.io/rb/rbnacl)
 [![Build Status](https://travis-ci.org/cryptosphere/rbnacl.png?branch=master)](https://travis-ci.org/cryptosphere/rbnacl)
-[![Dependency Status](https://gemnasium.com/cryptosphere/rbnacl.png)](https://gemnasium.com/cryptosphere/rbnacl)
 [![Code Climate](https://codeclimate.com/github/cryptosphere/rbnacl.png)](https://codeclimate.com/github/cryptosphere/rbnacl)
 [![Coverage Status](https://coveralls.io/repos/cryptosphere/rbnacl/badge.png?branch=master)](https://coveralls.io/r/cryptosphere/rbnacl)
 
@@ -47,6 +46,10 @@ is extremely fast with comparatively small cryptographic keys.
 For more information on NaCl's goals, see Dan Bernstein's presentation
 [Blaming the Cryptographic User](http://cr.yp.to/talks/2012.08.08/slides.pdf)
 
+### Is it any good?
+
+[Yes.](http://news.ycombinator.com/item?id=3067434)
+
 ## Supported platforms
 
 You can use RbNaCl anywhere you can get libsodium installed (see below).
@@ -54,7 +57,6 @@ RbNaCl is continuously integration tested on the following Ruby VMs:
 
 * MRI 2.0
 * MRI 1.9 (YARV)
-* MRI 1.8 / REE
 * JRuby 1.7 (in both 1.8/1.9 mode)
 * Rubinius HEAD (in both 1.8/1.9 mode)
 
@@ -200,6 +202,53 @@ Coursera offers from Stanford University Professor Dan Boneh:
 
 [http://crypto-class.org](http://crypto-class.org)
 
+## Important Questions
+
+### Is it "Military Grade™"?
+
+Only if your military understands twisted Edwards curves
+
+### Does it have a lock with a checkmark?
+
+Sure, here you go:
+
+![Checkmarked Lock](http://i.imgur.com/dwA0Ffi.png)
+
+### Is it full of NSA backdoors?
+
+![No NIST](http://i.imgur.com/HSxeAmp.png)
+
+The design of RbNaCl's primitives is completely free from NIST (and by
+association, NSA) influence, with the following minor exceptions:
+
+* The Poly1305 MAC, used for authenticating integrity of ciphertexts, uses AES
+  as a replaceable component
+* The Ed25519 digital signature algorithm uses SHA-512 for both key derivation
+  and computing message digests
+* APIs are provided to certain NIST hash functions, including SHA-256, SHA-512,
+  and their associated HMAC counterparts
+
+Otherwise, all of the algorithms in NaCl were designed by Dan Bernstein and his
+collaborators.
+
+The design choices in NaCl, particularly in regard to the Curve25519
+Diffie-Hellman function, emphasize security (whereas [NIST curves emphasize
+"performance" at the cost of security][nist-security-dangers]), and "magic
+constants" in NaCl are picked by theorems designed to maximize security.
+The same cannot be said of NIST curves, where the specific origins of certain
+constants are not described by the standards and may be subject to malicious
+influence by the NSA.
+
+It is the opinion of this library's authors that Dan Bernstein is unlikely to be
+subject to NSA influence (although we have no way of actually knowing this).
+
+Dan Bernstein's designs have been well-scrutinized both as part of the [ESTREAM
+Project](https://en.wikipedia.org/wiki/ESTREAM) and the cryptographic community
+as a whole. And despite the emphasis on higher security, NaCl's primitives are
+faster across-the-board than most implementations of the NIST standards.
+
+[nist-security-dangers]: http://www.hyperelliptic.org/tanja/vortraege/20130531.pdf
+
 ## Contributing
 
 * Fork this repository on Github
@@ -208,5 +257,5 @@ Coursera offers from Stanford University Professor Dan Boneh:
 
 ## License
 
-Copyright (c) 2013 Tony Arcieri, Jonathan Stott.
+Copyright (c) 2013 Jonathan Stott, Tony Arcieri.
 Distributed under the MIT License. See LICENSE.txt for further details.

data/lib/rbnacl.rb

@@ -1,5 +1,22 @@
 # encoding: binary
-module Crypto
+require "rbnacl/version"
+require "rbnacl/sodium"
+require "rbnacl/serializable"
+require "rbnacl/key_comparator"
+require "rbnacl/auth"
+require "rbnacl/util"
+require "rbnacl/random"
+require "rbnacl/random_nonce_box"
+require "rbnacl/test_vectors"
+require "rbnacl/init"
+
+module RbNaCl
+  REQUIRED_LIBSODIUM_VERSION = "0.4.5"
+
+  if Util.sodium_version_string < REQUIRED_LIBSODIUM_VERSION
+    raise "Sorry, you need to install libsodium #{REQUIRED_LIBSODIUM_VERSION}+. You have #{Util.sodium_version_string} installed"
+  end
+
   # Oh no, something went wrong!
   #
   # This indicates a failure in the operation of a cryptographic primitive such
@@ -18,35 +35,54 @@ module Crypto
   # This indicates that an attempt has been made to use something (probably a key)
   # with an incorrect primitive
   class IncorrectPrimitiveError < ArgumentError; end
-end
 
-# TIMTOWTDI!
-RbNaCl = Crypto
+  # The signature was forged or otherwise corrupt
+  class BadSignatureError < CryptoError; end
 
-require "rbnacl/nacl"
-require "rbnacl/version"
-require "rbnacl/serializable"
-require "rbnacl/keys/key_comparator"
-require "rbnacl/keys/private_key"
-require "rbnacl/keys/public_key"
-require "rbnacl/keys/signing_key"
-require "rbnacl/keys/verify_key"
-require "rbnacl/box"
-require "rbnacl/secret_box"
-require "rbnacl/hash"
-require "rbnacl/util"
-require "rbnacl/auth"
-require "rbnacl/hmac/sha512256"
-require "rbnacl/hmac/sha256"
-require "rbnacl/auth/one_time"
-require "rbnacl/random"
-require "rbnacl/encoder"
-require "rbnacl/encoders/base64"
-require "rbnacl/encoders/hex"
-require "rbnacl/encoders/raw"
-require "rbnacl/point"
-require "rbnacl/random_nonce_box"
-require "rbnacl/test_vectors"
+  # Public Key Encryption (Box): Curve25519XSalsa20Poly1305
+  require "rbnacl/boxes/curve25519xsalsa20poly1305"
+  require "rbnacl/boxes/curve25519xsalsa20poly1305/private_key"
+  require "rbnacl/boxes/curve25519xsalsa20poly1305/public_key"
+
+  # Secret Key Encryption (SecretBox): XSalsa20Poly1305
+  require "rbnacl/secret_boxes/xsalsa20poly1305"
+
+  # Digital Signatures: Ed25519
+  require "rbnacl/signatures/ed25519"
+  require "rbnacl/signatures/ed25519/signing_key"
+  require "rbnacl/signatures/ed25519/verify_key"
+
+  # Group Elements: Curve25519
+  require "rbnacl/group_elements/curve25519"
+
+  # One-time Authentication: Poly1305
+  require "rbnacl/one_time_auths/poly1305"
+
+  # Hash functions: SHA256/512 and Blake2b
+  require "rbnacl/hash"
+  require "rbnacl/hash/sha256"
+  require "rbnacl/hash/sha512"
+  require "rbnacl/hash/blake2b"
+
+  # HMAC: SHA256 and SHA512256
+  require "rbnacl/hmac/sha256"
+  require "rbnacl/hmac/sha512256"
+
+  #
+  # Bind aliases used by the public API
+  #
+  Box          = Boxes::Curve25519XSalsa20Poly1305
+  PrivateKey   = Boxes::Curve25519XSalsa20Poly1305::PrivateKey
+  PublicKey    = Boxes::Curve25519XSalsa20Poly1305::PublicKey
+  SecretBox    = SecretBoxes::XSalsa20Poly1305
+  SigningKey   = Signatures::Ed25519::SigningKey
+  VerifyKey    = Signatures::Ed25519::VerifyKey
+  GroupElement = GroupElements::Curve25519
+  OneTimeAuth  = OneTimeAuths::Poly1305
+end
+
+# Select platform-optimized versions of algorithms
+Thread.exclusive { RbNaCl::Init.sodium_init }
 
 # Perform self test on load
-require "rbnacl/self_test"
+require "rbnacl/self_test" unless $RBNACL_SELF_TEST == false

data/lib/rbnacl/auth.rb

@@ -1,5 +1,5 @@
 # encoding: binary
-module Crypto
+module RbNaCl
   # Secret Key Authenticators
   #
   # These provide a means of verifying the integrity of a message, but only
@@ -18,10 +18,8 @@ module Crypto
     # A new authenticator, ready for auth and verification
     #
     # @param [#to_str] key the key used for authenticators, 32 bytes.
-    # @param [#to_sym] encoding decode key from this format (default raw)
-    def initialize(key, encoding = :raw)
-      @key = Encoder[encoding].decode(key)
-      Util.check_length(@key, key_bytes, "#{self.class} key")
+    def initialize(key)
+      @key = Util.check_string(key, key_bytes, "#{self.class} key")
     end
 
     # Compute authenticator for message
@@ -37,38 +35,36 @@ module Crypto
     # Verifies the given authenticator with the message.
     #
     # @param [#to_str] key the key used for the authenticator
-    # @param [#to_str] message the message to be authenticated
     # @param [#to_str] authenticator to be checked
+    # @param [#to_str] message the message to be authenticated
     #
     # @return [Boolean] Was it valid?
-    def self.verify(key, message, authenticator)
-      new(key).verify(message, authenticator)
+    def self.verify(key, authenticator, message)
+      new(key).verify(authenticator, message)
     end
 
     # Compute authenticator for message
     #
     # @param [#to_str] message the message to authenticate
-    # @param [#to_sym] authenticator_encoding format of the authenticator (default raw)
     #
     # @return [String] The authenticator in the requested encoding (default raw)
-    def auth(message, authenticator_encoding = :raw)
+    def auth(message)
       authenticator = Util.zeros(tag_bytes)
       message = message.to_str
-      compute_authenticator(message, authenticator)
-      Encoder[authenticator_encoding].encode(authenticator)
+      compute_authenticator(authenticator, message)
+      authenticator
     end
 
     # Verifies the given authenticator with the message.
     #
     # @param [#to_str] authenticator to be checked
     # @param [#to_str] message the message to be authenticated
-    # @param [#to_sym] authenticator_encoding format of the authenticator (default raw)
     #
     # @return [Boolean] Was it valid?
-    def verify(message, authenticator, authenticator_encoding = :raw)
-      auth = Encoder[authenticator_encoding].decode(authenticator)
+    def verify(authenticator, message)
+      auth = authenticator.to_s
       return false unless auth.bytesize == tag_bytes
-      verify_message(message, auth)
+      verify_message(auth, message)
     end
 
     # The crypto primitive for this authenticator instance
@@ -99,7 +95,7 @@ module Crypto
     def tag_bytes; self.class.tag_bytes; end
 
     private
-    def compute_authenticator(message, authenticator); raise NotImplementedError; end
-    def verify_message(message, authenticator);        raise NotImplementedError; end
+    def compute_authenticator(authenticator, message); raise NotImplementedError; end
+    def verify_message(authenticator, message);        raise NotImplementedError; end
   end
 end

data/lib/rbnacl/boxes/curve25519xsalsa20poly1305.rb

@@ -0,0 +1,185 @@
+# encoding: binary
+module RbNaCl
+  module Boxes
+    # The Box class boxes and unboxes messages between a pair of keys
+    #
+    # This class uses the given public and secret keys to derive a shared key,
+    # which is used with the nonce given to encrypt the given messages and
+    # decrypt the given ciphertexts.  The same shared key will generated from
+    # both pairing of keys, so given two keypairs belonging to alice (pkalice,
+    # skalice) and bob(pkbob, skbob), the key derived from (pkalice, skbob) with
+    # equal that from (pkbob, skalice).  This is how the system works:
+    #
+    # @example
+    #   # On bob's system
+    #   bobkey = RbNaCl::PrivateKey.generate
+    #   #=> #<RbNaCl::PrivateKey ...>
+    #
+    #   # send bobkey.public_key to alice
+    #   # recieve alice's public key, alicepk
+    #   # NB: This is actually the hard part of the system.  How to do it securely
+    #   # is left as an exercise to for the reader.
+    #   alice_pubkey = "..."
+    #
+    #   # make a box
+    #   alicebob_box = RbNaCl::Box.new(alice_pubkey, bobkey)
+    #   #=> #<RbNaCl::Box ...>
+    #
+    #   # encrypt a message to alice
+    #   cipher_text = alicebob_box.box("A bad example of a nonce", "Hello, Alice!")
+    #   #=> "..." # a string of bytes, 29 bytes long
+    #
+    #   # send ["A bad example of a nonce", cipher_text] to alice
+    #   # note that nonces don't have to be secret
+    #   # receive [nonce, cipher_text_to_bob] from alice
+    #
+    #   # decrypt the reply
+    #   # Alice has been a little more sensible than bob, and has a random nonce
+    #   # that is too fiddly to type here.  But there are other choices than just
+    #   # random
+    #   plain_text = alicebob_box.open(nonce, cipher_text_to_bob)
+    #   #=> "Hey there, Bob!"
+    #
+    #   # we have a new message!
+    #   # But Eve has tampered with this message, by flipping some bytes around!
+    #   # [nonce2, cipher_text_to_bob_honest_love_eve]
+    #   alicebob_box.open(nonce2, cipher_text_to_bob_honest_love_eve)
+    #
+    #   # BOOM!
+    #   # Bob gets a RbNaCl::CryptoError to deal with!
+    #
+    # It is VITALLY important that the nonce is a nonce, i.e. it is a number used
+    # only once for any given pair of keys.  If you fail to do this, you
+    # compromise the privacy of the the messages encrypted.  Also, bear in mind
+    # the property mentioned just above. Give your nonces a different prefix, or
+    # have one side use an odd counter and one an even counter.  Just make sure
+    # they are different.
+    #
+    # The ciphertexts generated by this class include a 16-byte authenticator which
+    # is checked as part of the decryption.  An invalid authenticator will cause
+    # the unbox function to raise.  The authenticator is not a signature.  Once
+    # you've looked in the box, you've demonstrated the ability to create
+    # arbitrary valid messages, so messages you send are repudiable.  For
+    # non-repudiable messages, sign them before or after encryption.
+    class Curve25519XSalsa20Poly1305
+      extend Sodium
+
+      sodium_type      :box
+      sodium_primitive :curve25519xsalsa20poly1305
+      sodium_constant  :NONCEBYTES
+      sodium_constant  :ZEROBYTES
+      sodium_constant  :BOXZEROBYTES
+      sodium_constant  :BEFORENMBYTES
+      sodium_constant  :PUBLICKEYBYTES
+      sodium_constant  :SECRETKEYBYTES, :PRIVATEKEYBYTES
+
+      sodium_function :box_curve25519xsalsa20poly1305_beforenm,
+                      :crypto_box_curve25519xsalsa20poly1305_beforenm,
+                      [:pointer, :pointer, :pointer]
+
+      sodium_function :box_curve25519xsalsa20poly1305_open_afternm,
+                      :crypto_box_curve25519xsalsa20poly1305_open_afternm,
+                      [:pointer, :pointer, :ulong_long, :pointer, :pointer]
+      
+      sodium_function :box_curve25519xsalsa20poly1305_afternm,
+                      :crypto_box_curve25519xsalsa20poly1305_afternm,
+                      [:pointer, :pointer, :ulong_long, :pointer, :pointer]
+
+      # Create a new Box
+      #
+      # Sets up the Box for deriving the shared key and encrypting and
+      # decrypting messages.
+      #
+      # @param public_key [String,RbNaCl::PublicKey] The public key to encrypt to
+      # @param private_key [String,RbNaCl::PrivateKey] The private key to encrypt with
+      # @param encoding [Symbol] Parse keys from the given encoding
+      #
+      # @raise [RbNaCl::LengthError] on invalid keys
+      #
+      # @return [RbNaCl::Box] The new Box, ready to use
+      def initialize(public_key, private_key, encoding = :raw)
+        @public_key   = PublicKey  === public_key  ? public_key  : PublicKey.new(public_key)
+        @private_key  = PrivateKey === private_key ? private_key : PrivateKey.new(private_key)
+        raise IncorrectPrimitiveError unless @public_key.primitive == primitive && @private_key.primitive == primitive
+      end
+
+      # Encrypts a message
+      #
+      # Encrypts the message with the given nonce to the keypair set up when
+      # initializing the class.  Make sure the nonce is unique for any given
+      # keypair, or you might as well just send plain text.
+      #
+      # This function takes care of the padding required by the NaCL C API.
+      #
+      # @param nonce [String] A 24-byte string containing the nonce.
+      # @param message [String] The message to be encrypted.
+      #
+      # @raise [RbNaCl::LengthError] If the nonce is not valid
+      #
+      # @return [String] The ciphertext without the nonce prepended (BINARY encoded)
+      def box(nonce, message)
+        Util.check_length(nonce, nonce_bytes, "Nonce")
+        msg = Util.prepend_zeros(ZEROBYTES, message)
+        ct  = Util.zeros(msg.bytesize)
+
+        self.class.box_curve25519xsalsa20poly1305_afternm(ct, msg, msg.bytesize, nonce, beforenm) || raise(CryptoError, "Encryption failed")
+        Util.remove_zeros(BOXZEROBYTES, ct)
+      end
+      alias encrypt box
+
+      # Decrypts a ciphertext
+      #
+      # Decrypts the ciphertext with the given nonce using the keypair setup when
+      # initializing the class.
+      #
+      # This function takes care of the padding required by the NaCL C API.
+      #
+      # @param nonce [String] A 24-byte string containing the nonce.
+      # @param ciphertext [String] The message to be decrypted.
+      #
+      # @raise [RbNaCl::LengthError] If the nonce is not valid
+      # @raise [RbNaCl::CryptoError] If the ciphertext cannot be authenticated.
+      #
+      # @return [String] The decrypted message (BINARY encoded)
+      def open(nonce, ciphertext)
+        Util.check_length(nonce, nonce_bytes, "Nonce")
+        ct = Util.prepend_zeros(BOXZEROBYTES, ciphertext)
+        message  = Util.zeros(ct.bytesize)
+
+        self.class.box_curve25519xsalsa20poly1305_open_afternm(message, ct, ct.bytesize, nonce, beforenm) || raise(CryptoError, "Decryption failed. Ciphertext failed verification.")
+        Util.remove_zeros(ZEROBYTES, message)
+      end
+      alias decrypt open
+
+      # The crypto primitive for the box class
+      #
+      # @return [Symbol] The primitive used
+      def primitive
+        self.class.primitive
+      end
+
+      # The nonce bytes for the box class
+      #
+      # @return [Integer] The number of bytes in a valid nonce
+      def self.nonce_bytes
+        NONCEBYTES
+      end
+
+      # The nonce bytes for the box instance
+      #
+      # @return [Integer] The number of bytes in a valid nonce
+      def nonce_bytes
+        NONCEBYTES
+      end
+
+      private
+      def beforenm
+        @k ||= begin
+                 k = Util.zeros(BEFORENMBYTES)
+                 self.class.box_curve25519xsalsa20poly1305_beforenm(k, @public_key.to_s, @private_key.to_s) || raise(CryptoError, "Failed to derive shared key")
+                 k
+               end
+      end
+    end
+  end
+end