beaconcrypt 0.3.4__tar.gz → 0.3.6__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- beaconcrypt-0.3.6/.github/workflows/codeql.yml +105 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/go.yml +3 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/python.yml +24 -3
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/Cargo.lock +1 -1
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/Cargo.toml +1 -1
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/PKG-INFO +1 -1
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/README.md +15 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/beaconcrypt.go +24 -1
- beaconcrypt-0.3.6/beaconcrypt_test.go +690 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/bindings.h +8 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/doc/protocol.md +4 -4
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/pyproject.toml +6 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/beacon.rs +4 -4
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/cnsa2.rs +1 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/lib.rs +60 -28
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/pqxdh.rs +28 -18
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/server.rs +4 -4
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/shared.rs +17 -9
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/tests/beacon.rs +4 -4
- beaconcrypt-0.3.6/tests/protocol.rs +360 -0
- beaconcrypt-0.3.6/tests/test_encryption.py +298 -0
- beaconcrypt-0.3.6/tests/test_registration.py +71 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/uv.lock +1 -1
- beaconcrypt-0.3.4/beaconcrypt_test.go +0 -228
- beaconcrypt-0.3.4/tests/test_encryption.py +0 -96
- beaconcrypt-0.3.4/tests/test_registration.py +0 -24
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.cargo/config.toml +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/release.yml +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/rust.yml +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.gitignore +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/LICENSE +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/build.rs +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/clippy.toml +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/doc/rationale.md +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/doc/threat_model.md +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/go.mod +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/rustfmt.toml +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/error.rs +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/cryptoframe.capnp +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/phase1.capnp +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/phase2.capnp +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/protogram.capnp +0 -0
- {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/tests/server.rs +0 -0
|
@@ -0,0 +1,105 @@
|
|
|
1
|
+
# For most projects, this workflow file will not need changing; you simply need
|
|
2
|
+
# to commit it to your repository.
|
|
3
|
+
#
|
|
4
|
+
# You may wish to alter this file to override the set of languages analyzed,
|
|
5
|
+
# or to provide custom queries or build logic.
|
|
6
|
+
#
|
|
7
|
+
# ******** NOTE ********
|
|
8
|
+
# We have attempted to detect the languages in your repository. Please check
|
|
9
|
+
# the `language` matrix defined below to confirm you have the correct set of
|
|
10
|
+
# supported CodeQL languages.
|
|
11
|
+
#
|
|
12
|
+
name: "CodeQL"
|
|
13
|
+
|
|
14
|
+
on:
|
|
15
|
+
push:
|
|
16
|
+
branches: [ "main" ]
|
|
17
|
+
pull_request:
|
|
18
|
+
branches: [ "main" ]
|
|
19
|
+
schedule:
|
|
20
|
+
- cron: '41 12 * * 5'
|
|
21
|
+
|
|
22
|
+
jobs:
|
|
23
|
+
analyze:
|
|
24
|
+
name: Analyze (${{ matrix.language }})
|
|
25
|
+
# Runner size impacts CodeQL analysis time. To learn more, please see:
|
|
26
|
+
# - https://gh.io/recommended-hardware-resources-for-running-codeql
|
|
27
|
+
# - https://gh.io/supported-runners-and-hardware-resources
|
|
28
|
+
# - https://gh.io/using-larger-runners (GitHub.com only)
|
|
29
|
+
# Consider using larger runners or machines with greater resources for possible analysis time improvements.
|
|
30
|
+
runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
|
|
31
|
+
permissions:
|
|
32
|
+
# required for all workflows
|
|
33
|
+
security-events: write
|
|
34
|
+
|
|
35
|
+
# required to fetch internal or private CodeQL packs
|
|
36
|
+
packages: read
|
|
37
|
+
|
|
38
|
+
# only required for workflows in private repositories
|
|
39
|
+
actions: read
|
|
40
|
+
contents: read
|
|
41
|
+
|
|
42
|
+
strategy:
|
|
43
|
+
fail-fast: false
|
|
44
|
+
matrix:
|
|
45
|
+
include:
|
|
46
|
+
- language: actions
|
|
47
|
+
build-mode: none
|
|
48
|
+
- language: go
|
|
49
|
+
build-mode: autobuild
|
|
50
|
+
- language: python
|
|
51
|
+
build-mode: none
|
|
52
|
+
- language: rust
|
|
53
|
+
build-mode: none
|
|
54
|
+
# CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
|
|
55
|
+
# Use `c-cpp` to analyze code written in C, C++ or both
|
|
56
|
+
# Use 'java-kotlin' to analyze code written in Java, Kotlin or both
|
|
57
|
+
# Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
|
|
58
|
+
# To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
|
|
59
|
+
# see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
|
|
60
|
+
# If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
|
|
61
|
+
# your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
|
|
62
|
+
steps:
|
|
63
|
+
- name: Checkout repository
|
|
64
|
+
uses: actions/checkout@v7
|
|
65
|
+
|
|
66
|
+
# Add any setup steps before running the `github/codeql-action/init` action.
|
|
67
|
+
# This includes steps like installing compilers or runtimes (`actions/setup-node`
|
|
68
|
+
# or others). This is typically only required for manual builds.
|
|
69
|
+
# - name: Setup runtime (example)
|
|
70
|
+
# uses: actions/setup-example@v1
|
|
71
|
+
|
|
72
|
+
# Initializes the CodeQL tools for scanning.
|
|
73
|
+
- name: Initialize CodeQL
|
|
74
|
+
uses: github/codeql-action/init@v4
|
|
75
|
+
with:
|
|
76
|
+
languages: ${{ matrix.language }}
|
|
77
|
+
build-mode: ${{ matrix.build-mode }}
|
|
78
|
+
# If you wish to specify custom queries, you can do so here or in a config file.
|
|
79
|
+
# By default, queries listed here will override any specified in a config file.
|
|
80
|
+
# Prefix the list here with "+" to use these queries and those in the config file.
|
|
81
|
+
|
|
82
|
+
# For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
|
|
83
|
+
# queries: security-extended,security-and-quality
|
|
84
|
+
|
|
85
|
+
# If the analyze step fails for one of the languages you are analyzing with
|
|
86
|
+
# "We were unable to automatically build your code", modify the matrix above
|
|
87
|
+
# to set the build mode to "manual" for that language. Then modify this step
|
|
88
|
+
# to build your code.
|
|
89
|
+
# ℹ️ Command-line programs to run using the OS shell.
|
|
90
|
+
# 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
|
|
91
|
+
- name: Run manual build steps
|
|
92
|
+
if: matrix.build-mode == 'manual'
|
|
93
|
+
shell: bash
|
|
94
|
+
run: |
|
|
95
|
+
echo 'If you are using a "manual" build mode for one or more of the' \
|
|
96
|
+
'languages you are analyzing, replace this with the commands to build' \
|
|
97
|
+
'your code, for example:'
|
|
98
|
+
echo ' make bootstrap'
|
|
99
|
+
echo ' make release'
|
|
100
|
+
exit 1
|
|
101
|
+
|
|
102
|
+
- name: Perform CodeQL Analysis
|
|
103
|
+
uses: github/codeql-action/analyze@v4
|
|
104
|
+
with:
|
|
105
|
+
category: "/language:${{matrix.language}}"
|
|
@@ -2,6 +2,8 @@ name: Go Module
|
|
|
2
2
|
|
|
3
3
|
on:
|
|
4
4
|
push:
|
|
5
|
+
branches:
|
|
6
|
+
- main
|
|
5
7
|
tags:
|
|
6
8
|
- "[0-9]*.[0-9]*.[0-9]*"
|
|
7
9
|
|
|
@@ -83,6 +85,7 @@ jobs:
|
|
|
83
85
|
run: go test ./...
|
|
84
86
|
|
|
85
87
|
publish:
|
|
88
|
+
if: startsWith(github.ref, 'refs/tags/')
|
|
86
89
|
needs: test
|
|
87
90
|
runs-on: ubuntu-latest
|
|
88
91
|
permissions:
|
|
@@ -10,6 +10,8 @@ name: Upload Python Package
|
|
|
10
10
|
|
|
11
11
|
on:
|
|
12
12
|
push:
|
|
13
|
+
branches:
|
|
14
|
+
- main
|
|
13
15
|
tags:
|
|
14
16
|
- "[0-9]*.[0-9]*.[0-9]*"
|
|
15
17
|
|
|
@@ -17,7 +19,7 @@ permissions:
|
|
|
17
19
|
contents: read
|
|
18
20
|
|
|
19
21
|
jobs:
|
|
20
|
-
|
|
22
|
+
test:
|
|
21
23
|
runs-on: ubuntu-latest
|
|
22
24
|
|
|
23
25
|
steps:
|
|
@@ -33,8 +35,24 @@ jobs:
|
|
|
33
35
|
|
|
34
36
|
- name: Run Python tests
|
|
35
37
|
run: |
|
|
36
|
-
uv run
|
|
37
|
-
uv run
|
|
38
|
+
uv run maturin develop --uv
|
|
39
|
+
uv run pytest tests
|
|
40
|
+
|
|
41
|
+
sdist:
|
|
42
|
+
if: startsWith(github.ref, 'refs/tags/')
|
|
43
|
+
needs: test
|
|
44
|
+
runs-on: ubuntu-latest
|
|
45
|
+
|
|
46
|
+
steps:
|
|
47
|
+
- uses: actions/checkout@v7
|
|
48
|
+
|
|
49
|
+
- name: Install uv
|
|
50
|
+
uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
|
|
51
|
+
- name: Set up Python
|
|
52
|
+
run: uv python install 3.14
|
|
53
|
+
- name: Install cap'n proto
|
|
54
|
+
run: |
|
|
55
|
+
sudo apt install capnproto
|
|
38
56
|
|
|
39
57
|
- name: Build source distribution
|
|
40
58
|
run: uvx maturin sdist --out dist
|
|
@@ -46,6 +64,8 @@ jobs:
|
|
|
46
64
|
path: dist/
|
|
47
65
|
|
|
48
66
|
wheels:
|
|
67
|
+
if: startsWith(github.ref, 'refs/tags/')
|
|
68
|
+
needs: test
|
|
49
69
|
name: Build wheels on ${{ matrix.os }}
|
|
50
70
|
runs-on: ${{ matrix.os }}
|
|
51
71
|
strategy:
|
|
@@ -74,6 +94,7 @@ jobs:
|
|
|
74
94
|
path: dist/
|
|
75
95
|
|
|
76
96
|
pypi-publish:
|
|
97
|
+
if: startsWith(github.ref, 'refs/tags/')
|
|
77
98
|
runs-on: ubuntu-latest
|
|
78
99
|
needs:
|
|
79
100
|
- sdist
|
|
@@ -46,14 +46,29 @@ Test the C interface
|
|
|
46
46
|
# Reference implementation
|
|
47
47
|
I don't use rust a lot, so the code is probably fairly naive. It provides both a beacon and server implementation with C bindings through `cbindgen`. Ideally more bindings would be built on top of that so it can be used in the mythic server-side.
|
|
48
48
|
|
|
49
|
+
The reference implementation expects that all beacons are compiled with the server's public key, and that beaconcrypt is initialized with it.
|
|
50
|
+
|
|
51
|
+
The server is currently not very usable as it doesn't support saving the state of any individual beacon. This means that if your server goes down, you will not be able to communicate with any previously-registered beacons anymore. The server doesn't support being initialized with an Ed25519 seed (32 random bytes). Users wishing to use the server in practical cases should use this interface to ensure their server keeps its identity across reboots.
|
|
52
|
+
|
|
49
53
|
## Building
|
|
50
54
|
You will need [Capn'Proto](https://capnproto.org/install.html) (just the binaries) and a recent version of rust for every build.
|
|
51
55
|
|
|
52
56
|
For windows, I prefer building with stable-gnu for normal usage, and nightly-gnu for release builds. You can find the exact arguments I use to the the static library as small as possible in [release.yml](/.github\workflows\release.yml). The MSVC toolchain is expected to work just as well, I just like mingw.
|
|
53
57
|
|
|
58
|
+
Build and run all tests:
|
|
59
|
+
```bash
|
|
60
|
+
cargo test
|
|
61
|
+
cargo build --target x86_64-pc-windows-gnu
|
|
62
|
+
go test ./...
|
|
63
|
+
uv run maturin develop --uv
|
|
64
|
+
uv run pytest tests
|
|
65
|
+
```
|
|
66
|
+
|
|
54
67
|
## Profiles
|
|
55
68
|
The reference implementation has two profiles: `PQXDH` and `CNSA2`. Profiles are controlled by cargo features. The CNSA2 profile only exists as a test for now. It uses a simple ML-KEM encapsulation for key exchange and the underlying libraries are not FIPS-approved. It is experimental and is likely broken. PQXDH is the intended target and the default.
|
|
56
69
|
|
|
70
|
+
**CNSA2 is currently completely broken**
|
|
71
|
+
|
|
57
72
|
## Usage
|
|
58
73
|
The reference implementation is a library that can currently be used either from rust or through C FFI. The C interface is currently not tested.
|
|
59
74
|
|
|
@@ -33,7 +33,9 @@ beaconcrypt_go_buffer beaconcrypt_go_process_initial_message(void *handle, const
|
|
|
33
33
|
beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_beacon(void *handle, uint64_t key_id, const uint8_t *ptr, uintptr_t len);
|
|
34
34
|
beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_beacon_signed(void *handle, uint64_t key_id, const uint8_t *ptr, uintptr_t len);
|
|
35
35
|
beaconcrypt_go_buffer beaconcrypt_go_decrypt_beacon_message(void *handle, uint64_t key_id, const uint8_t *ptr, uintptr_t len);
|
|
36
|
+
beaconcrypt_go_buffer beaconcrypt_go_decrypt_beacon_message_signed(void *handle, const uint8_t *ptr, uintptr_t len);
|
|
36
37
|
beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_server(void *handle, const uint8_t *ptr, uintptr_t len);
|
|
38
|
+
beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_server_signed(void *handle, const uint8_t *ptr, uintptr_t len);
|
|
37
39
|
beaconcrypt_go_buffer beaconcrypt_go_decrypt_server_message(void *handle, const uint8_t *ptr, uintptr_t len);
|
|
38
40
|
beaconcrypt_go_buffer beaconcrypt_go_decrypt_server_message_signed(void *handle, const uint8_t *ptr, uintptr_t len);
|
|
39
41
|
*/
|
|
@@ -203,6 +205,15 @@ func (s *Server) DecryptBeaconMessage(keyID uint64, ciphertext []byte) ([]byte,
|
|
|
203
205
|
})
|
|
204
206
|
}
|
|
205
207
|
|
|
208
|
+
func (s *Server) DecryptBeaconMessageSigned(ciphertext []byte) ([]byte, error) {
|
|
209
|
+
if s == nil || s.handle == nil {
|
|
210
|
+
return nil, ErrClosed
|
|
211
|
+
}
|
|
212
|
+
return callUnary(ciphertext, func(ptr *C.uint8_t, len C.uintptr_t) C.beaconcrypt_go_buffer {
|
|
213
|
+
return C.beaconcrypt_go_decrypt_beacon_message_signed(s.handle, ptr, len)
|
|
214
|
+
})
|
|
215
|
+
}
|
|
216
|
+
|
|
206
217
|
func (b *Beacon) EncryptToServer(plaintext []byte) ([]byte, error) {
|
|
207
218
|
if b == nil || b.handle == nil {
|
|
208
219
|
return nil, ErrClosed
|
|
@@ -212,6 +223,15 @@ func (b *Beacon) EncryptToServer(plaintext []byte) ([]byte, error) {
|
|
|
212
223
|
})
|
|
213
224
|
}
|
|
214
225
|
|
|
226
|
+
func (b *Beacon) EncryptToServerSigned(plaintext []byte) ([]byte, error) {
|
|
227
|
+
if b == nil || b.handle == nil {
|
|
228
|
+
return nil, ErrClosed
|
|
229
|
+
}
|
|
230
|
+
return callUnary(plaintext, func(ptr *C.uint8_t, len C.uintptr_t) C.beaconcrypt_go_buffer {
|
|
231
|
+
return C.beaconcrypt_go_encrypt_to_server_signed(b.handle, ptr, len)
|
|
232
|
+
})
|
|
233
|
+
}
|
|
234
|
+
|
|
215
235
|
func (b *Beacon) DecryptServerMessage(ciphertext []byte) ([]byte, error) {
|
|
216
236
|
if b == nil || b.handle == nil {
|
|
217
237
|
return nil, ErrClosed
|
|
@@ -240,10 +260,13 @@ func callUnary(data []byte, call func(*C.uint8_t, C.uintptr_t) C.beaconcrypt_go_
|
|
|
240
260
|
}
|
|
241
261
|
|
|
242
262
|
func copyBuffer(buffer C.beaconcrypt_go_buffer) ([]byte, error) {
|
|
243
|
-
if buffer.ptr == nil
|
|
263
|
+
if buffer.ptr == nil {
|
|
244
264
|
return nil, ErrCrypto
|
|
245
265
|
}
|
|
246
266
|
defer C.beaconcrypt_go_free_buffer(buffer)
|
|
267
|
+
if buffer.len == 0 {
|
|
268
|
+
return []byte{}, nil
|
|
269
|
+
}
|
|
247
270
|
return C.GoBytes(unsafe.Pointer(buffer.ptr), C.int(buffer.len)), nil
|
|
248
271
|
}
|
|
249
272
|
|