sodium 0.0.0 → 0.5.0

data/lib/sodium/buffer.rb

@@ -0,0 +1,141 @@
+require 'sodium'
+require 'securerandom'
+
+class Sodium::Buffer
+  def self.key(size)
+    Sodium::Random.bytes(size)
+  end
+
+  def self.nonce(size)
+    Sodium::Random.bytes(size)
+  end
+
+  def self.empty(size)
+    self.new("\0" * size).tap {|buffer| yield buffer if block_given? }
+  end
+
+  def self.new(bytes, size = bytes.bytesize)
+    raise Sodium::LengthError, "buffer must be exactly #{size} bytes long" unless
+      bytes.bytesize == size
+
+    bytes.kind_of?(self) ?
+      bytes              :
+      super(bytes)
+  end
+
+  def initialize(bytes)
+    # initialize with a forced hard copy of the bytes (Ruby is smart
+    # about using copy-on-write for strings 24 bytes or longer, so we
+    # have to perform a no-op that forces Ruby to copy the bytes)
+    @bytes = bytes.tr('','').tap {|s|
+      s.force_encoding('BINARY') if
+      s.respond_to?(:force_encoding)
+    }.freeze
+
+    self.class._mlock! @bytes
+    self.class._mwipe!  bytes
+
+    ObjectSpace.define_finalizer self,
+      self.class._finalizer(@bytes)
+  end
+
+  def +(other)
+    Sodium::Buffer.new(
+      self.to_str +
+      Sodium::Buffer.new(other).to_str
+    )
+  end
+
+  def pad(size)
+    self.class.new(
+      ("\0" * size) + @bytes
+    )
+  end
+
+  def unpad(size)
+    self.byteslice(size .. -1)
+  end
+
+  def byteslice(*args)
+    return self.class.new(
+      @bytes.byteslice(*args).to_s
+    ) if (
+      # Ruby 1.8 doesn't have byteslice
+      @bytes.respond_to?(:byteslice) or
+
+      # JRuby reuses memory regions when calling byteslice, which
+      # results in them getting cleared when the new buffer initializes
+      defined?(RUBY_ENGINE) and RUBY_ENGINE == 'java'
+    )
+
+    raise ArgumentError, 'wrong number of arguments (0 for 1..2)' if
+      args.length < 1 or args.length > 2
+
+    start, finish = case
+      when args[1]
+        # matches: byteslice(start, size)
+        start  = args[0].to_i
+        size   = args[1].to_i
+
+        # if size is less than 1, finish needs to be small enough that
+        # `finish - start + 1 <= 0` even after finish is wrapped
+        # around to account for negative indices
+        finish = size > 0  ?
+          start + size - 1 :
+          - self.bytesize.succ
+
+        [ start, finish ]
+      when args[0].kind_of?(Range)
+        # matches: byteslice(start .. finish)
+        # matches: byteslice(start ... finish)
+        range  = args[0]
+        start  = range.begin.to_i
+        finish = range.exclude_end? ? range.end.to_i - 1 : range.end.to_i
+
+        [ start, finish ]
+      else
+        # matches: byteslice(start)
+        [ args[0].to_i, args[0].to_i ]
+    end
+
+    # ensure negative values are wrapped around explicitly
+    start  += self.bytesize if start  < 0
+    finish += self.bytesize if finish < 0
+    size    = finish - start + 1
+
+    bytes = (start >= 0 and size >= 0)         ?
+      @bytes.unpack("@#{start}a#{size}").first :
+      ''
+
+    self.class.new(bytes)
+  end
+
+  def bytesize
+    @bytes.bytesize
+  end
+
+  def inspect
+    # this appears to be equivalent to the default Object#inspect,
+    # albeit without instance variables
+    "#<%s:0x%x>" % [ self.class.name, self.__id__ * 2 ]
+  end
+
+  def to_str
+    @bytes.to_str
+  end
+
+  private
+
+  def self._finalizer(buffer)
+    proc { self._mwipe!(buffer) }
+  end
+
+  def self._mwipe!(buffer)
+    Sodium::FFI::Crypto.sodium_memzero(buffer, buffer.bytesize)
+  end
+
+  def self._mlock!(buffer)
+    Sodium::FFI::LibC.mlock(buffer, buffer.bytesize) or
+      raise Sodium::MemoryError, 'could not mlock(2) secure buffer into memory'
+  end
+end

data/lib/sodium/delegate.rb

@@ -0,0 +1,58 @@
+require 'sodium'
+
+module Sodium::Delegate
+  def self.included(base)
+    base.send :extend, ClassMethods
+    base.send :extend, self.class_methods(base)
+  end
+
+  module ClassMethods
+    def inherited(base)
+      @_nacl_implementations ||= []
+      @_nacl_implementations <<  base
+
+      class << base
+        undef_method  :implementation=
+        define_method(:implementation) { self }
+      end
+    end
+
+    def primitive
+      self.implementation[:PRIMITIVE].to_sym
+    end
+
+    def implementation(name = nil)
+      name ?               _find_implementation(name) :
+        @_nacl_default ||= _find_implementation(self::DEFAULT)
+    end
+
+    def implementation=(implementation)
+      @_nacl_default = implementation
+    end
+
+    private
+
+    def _find_implementation(name)
+      @_nacl_implementations.detect {|i| i.primitive == name }
+    end
+  end
+
+  def self.class_methods(base)
+    Module.new do
+      define_method :new do |*args, &block|
+        return super(*args, &block) unless self == base
+        return self.implementation.new(*args, &block)
+      end
+    end
+  end
+
+  def primitive
+    self.class.primitive
+  end
+
+  protected
+
+  def implementation
+    self.class.implementation
+  end
+end

data/lib/sodium/ffi.rb

@@ -0,0 +1,9 @@
+require 'sodium'
+require 'ffi'
+
+module Sodium::FFI
+end
+
+require 'sodium/ffi/lib_c'
+require 'sodium/ffi/crypto'
+require 'sodium/ffi/random'

data/lib/sodium/ffi/crypto.rb

@@ -0,0 +1,106 @@
+require 'sodium/ffi'
+require 'yaml'
+
+module Sodium::FFI::Crypto
+  CONFIG_PATH = File.expand_path('../../../../config/nacl_ffi.yml', __FILE__)
+  CONFIG      = YAML.load_file(CONFIG_PATH)
+
+  def self._install_default(delegate, configuration)
+    family    = configuration[:family]
+    method    = _install_function delegate, family, nil, :PRIMITIVE, [ :string ]
+    primitive = delegate.send(method)
+  rescue FFI::NotFoundError
+    primitive = configuration[:primitives].first
+  ensure
+    delegate.const_set :DEFAULT, primitive.to_s.downcase.to_sym
+  end
+
+  def self._install_primitives(delegate, configuration)
+    configuration[:primitives].each do |primitive|
+      subclass = Class.new(delegate) do
+        def self.[](name)
+          self.const_get(name)
+        end
+      end
+
+      delegate.const_set primitive, subclass
+
+      _install_constants subclass, configuration[:family], primitive,
+        configuration[:constants]
+
+      _install_functions subclass, configuration[:family], primitive,
+        configuration[:functions]
+    end
+  end
+
+  def self._install_constants(subclass, family, primitive, constants)
+    constants = constants.inject(
+      :PRIMITIVE => :string
+    ) {|hash, constant| hash.update(constant => :size_t) }
+
+    constants.each_pair do |name, type|
+      _install_constant(subclass, family, primitive, name, type)
+    end
+  end
+
+  def self._install_constant(subclass, family, primitive, name, type)
+    method = _install_function subclass, family, primitive, name, [ type ]
+
+    family = family.to_s.upcase
+    name   = name.to_s.upcase
+    value  = subclass.send(method)
+
+    self.    const_set("#{family}_#{primitive}_#{name}", value)
+    subclass.const_set(name,                             value)
+  end
+
+  def self._install_functions(subclass, family, primitive, methods)
+    methods.each do |name, arguments|
+      _install_function(subclass, family, primitive, name, arguments, &:zero?)
+    end
+  end
+
+  def self._install_function(subclass, family, primitive, name, arguments, &converter)
+    imp       = [ family, primitive, name ].compact.join('_').downcase
+    meth      = [ 'nacl',            name ].compact.join('_').downcase
+    arguments = arguments.map(&:to_sym)
+
+    self.attach_function imp, arguments[0..-2], arguments.last
+    self.attach_method   imp, self, subclass, meth, &converter
+
+    meth
+  end
+
+  def self.attach_method(implementation, nacl, delegate, method)
+    self._metaclass(delegate).send :define_method, method do |*a, &b|
+      value = nacl.send(implementation, *a, &b)
+      block_given? ? yield(value) : value
+    end
+  end
+
+  def self._load_class(name)
+    name.split('::').inject(Object) {|klass, part| klass.const_get(part) }
+  end
+
+  def self._metaclass(klass)
+    (class << klass; self; end)
+  end
+end
+
+module Sodium::FFI::Crypto
+  extend FFI::Library
+
+  ffi_lib 'sodium'
+
+  attach_function 'sodium_init',    [],                  :void
+  attach_function 'sodium_memzero', [:pointer, :size_t], :void
+
+  sodium_init
+
+  CONFIG.each do |configuration|
+    delegate = self._load_class configuration[:class]
+
+    self._install_default    delegate, configuration
+    self._install_primitives delegate, configuration
+  end
+end

data/lib/sodium/ffi/lib_c.rb

@@ -0,0 +1,9 @@
+require 'sodium/ffi'
+
+module Sodium::FFI::LibC
+  extend FFI::Library
+
+  ffi_lib FFI::Library::LIBC
+
+  attach_function 'mlock', [:pointer, :size_t], :int
+end

data/lib/sodium/ffi/random.rb

@@ -0,0 +1,11 @@
+require 'sodium/ffi'
+
+module Sodium::FFI::Random
+  extend FFI::Library
+
+  ffi_lib 'sodium'
+
+  attach_function 'randombytes_random',  [],                  :uint32
+  attach_function 'randombytes_uniform', [:uint32],           :uint32
+  attach_function 'randombytes_buf',     [:pointer, :size_t], :void
+end

data/lib/sodium/hash.rb

@@ -0,0 +1,23 @@
+require 'sodium'
+
+class Sodium::Hash
+  include Sodium::Delegate
+
+  def self.hash(message)
+    message = _message(message)
+
+    Sodium::Buffer.empty self.implementation[:BYTES] do |digest|
+      self.implementation.nacl(
+        digest.to_str,
+        message.to_str,
+        message.to_str.bytesize
+      ) or raise Sodium::CryptoError, 'failed to generate a hash for the message'
+    end
+  end
+
+  private
+
+  def self._message(m)
+    Sodium::Buffer.new m
+  end
+end

data/lib/sodium/one_time_auth.rb

@@ -0,0 +1,52 @@
+require 'sodium'
+
+class Sodium::OneTimeAuth
+  include Sodium::Delegate
+
+  def self.key
+    Sodium::Buffer.key self.implementation[:KEYBYTES]
+  end
+
+  def initialize(key)
+    @key = self.class._key(key)
+  end
+
+  def one_time_auth(message)
+    message = self.class._message(message)
+
+    Sodium::Buffer.empty self.implementation[:BYTES] do |authenticator|
+      self.implementation.nacl(
+        authenticator.to_str,
+        message.to_str,
+        message.to_str.bytesize,
+        @key.to_str
+      ) or raise Sodium::CryptoError, 'failed to generate an authenticator'
+    end
+  end
+
+  def verify(message, authenticator)
+    message       = self.class._message(message)
+    authenticator = self.class._authenticator(authenticator)
+
+    self.implementation.nacl_verify(
+      authenticator.to_str,
+      message.to_str,
+      message.to_str.bytesize,
+      @key.to_str
+    )
+  end
+
+  private
+
+  def self._key(k)
+    Sodium::Buffer.new k, self.implementation[:KEYBYTES]
+  end
+
+  def self._authenticator(a)
+    Sodium::Buffer.new a, self.implementation[:BYTES]
+  end
+
+  def self._message(m)
+    Sodium::Buffer.new m
+  end
+end

data/lib/sodium/random.rb

@@ -0,0 +1,16 @@
+require 'sodium'
+
+module Sodium::Random
+  def self.bytes(size)
+    Sodium::Buffer.empty(size) do |buffer|
+      Sodium::FFI::Random.randombytes_buf(
+        buffer.to_str,
+        buffer.bytesize
+      )
+    end
+  end
+
+  def self.integer(max = 2 ** 32 - 1)
+    Sodium::FFI::Random.randombytes_uniform(max)
+  end
+end

data/lib/sodium/secret_box.rb

@@ -0,0 +1,65 @@
+require 'sodium'
+
+class Sodium::SecretBox
+  include Sodium::Delegate
+
+  def self.key
+    Sodium::Buffer.key self.implementation[:KEYBYTES]
+  end
+
+  def initialize(key)
+    @key = self.class._key(key)
+  end
+
+  def nonce
+    Sodium::Buffer.nonce self.implementation[:NONCEBYTES]
+  end
+
+  def secret_box(message, nonce)
+    message = self.class._message(message)
+    nonce   = self.class._nonce(nonce)
+
+    Sodium::Buffer.empty(message.bytesize) do |ciphertext|
+      self.implementation.nacl(
+        ciphertext.to_str,
+        message.to_str,
+        message.to_str.bytesize,
+        nonce.to_str,
+        @key.to_str
+      ) or raise Sodium::CryptoError, 'failed to close the secret box'
+    end.unpad self.implementation[:BOXZEROBYTES]
+  end
+
+  def open(ciphertext, nonce)
+    ciphertext = self.class._ciphertext(ciphertext)
+    nonce      = self.class._nonce(nonce)
+
+    Sodium::Buffer.empty(ciphertext.bytesize) do |message|
+      self.implementation.nacl_open(
+        message.to_str,
+        ciphertext.to_str,
+        ciphertext.to_str.bytesize,
+        nonce.to_str,
+        @key.to_str
+      ) or raise Sodium::CryptoError, 'failed to open the secret box'
+    end.unpad self.implementation[:ZEROBYTES]
+  end
+
+  private
+
+  def self._key(k)
+    Sodium::Buffer.new k, self.implementation[:KEYBYTES]
+  end
+
+  def self._message(m)
+    Sodium::Buffer.new(m).pad self.implementation[:ZEROBYTES]
+  end
+
+  def self._ciphertext(c)
+    Sodium::Buffer.new(c).pad self.implementation[:BOXZEROBYTES]
+  end
+
+  def self._nonce(n)
+    Sodium::Buffer.new n, self.implementation[:NONCEBYTES]
+  end
+end