beaconcrypt 0.3.4__tar.gz → 0.3.6__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (43) hide show
  1. beaconcrypt-0.3.6/.github/workflows/codeql.yml +105 -0
  2. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/go.yml +3 -0
  3. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/python.yml +24 -3
  4. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/Cargo.lock +1 -1
  5. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/Cargo.toml +1 -1
  6. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/PKG-INFO +1 -1
  7. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/README.md +15 -0
  8. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/beaconcrypt.go +24 -1
  9. beaconcrypt-0.3.6/beaconcrypt_test.go +690 -0
  10. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/bindings.h +8 -0
  11. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/doc/protocol.md +4 -4
  12. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/pyproject.toml +6 -0
  13. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/beacon.rs +4 -4
  14. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/cnsa2.rs +1 -0
  15. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/lib.rs +60 -28
  16. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/pqxdh.rs +28 -18
  17. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/server.rs +4 -4
  18. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/shared.rs +17 -9
  19. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/tests/beacon.rs +4 -4
  20. beaconcrypt-0.3.6/tests/protocol.rs +360 -0
  21. beaconcrypt-0.3.6/tests/test_encryption.py +298 -0
  22. beaconcrypt-0.3.6/tests/test_registration.py +71 -0
  23. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/uv.lock +1 -1
  24. beaconcrypt-0.3.4/beaconcrypt_test.go +0 -228
  25. beaconcrypt-0.3.4/tests/test_encryption.py +0 -96
  26. beaconcrypt-0.3.4/tests/test_registration.py +0 -24
  27. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.cargo/config.toml +0 -0
  28. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/release.yml +0 -0
  29. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.github/workflows/rust.yml +0 -0
  30. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/.gitignore +0 -0
  31. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/LICENSE +0 -0
  32. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/build.rs +0 -0
  33. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/clippy.toml +0 -0
  34. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/doc/rationale.md +0 -0
  35. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/doc/threat_model.md +0 -0
  36. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/go.mod +0 -0
  37. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/rustfmt.toml +0 -0
  38. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/error.rs +0 -0
  39. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/cryptoframe.capnp +0 -0
  40. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/phase1.capnp +0 -0
  41. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/phase2.capnp +0 -0
  42. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/src/schema/protogram.capnp +0 -0
  43. {beaconcrypt-0.3.4 → beaconcrypt-0.3.6}/tests/server.rs +0 -0
@@ -0,0 +1,105 @@
1
+ # For most projects, this workflow file will not need changing; you simply need
2
+ # to commit it to your repository.
3
+ #
4
+ # You may wish to alter this file to override the set of languages analyzed,
5
+ # or to provide custom queries or build logic.
6
+ #
7
+ # ******** NOTE ********
8
+ # We have attempted to detect the languages in your repository. Please check
9
+ # the `language` matrix defined below to confirm you have the correct set of
10
+ # supported CodeQL languages.
11
+ #
12
+ name: "CodeQL"
13
+
14
+ on:
15
+ push:
16
+ branches: [ "main" ]
17
+ pull_request:
18
+ branches: [ "main" ]
19
+ schedule:
20
+ - cron: '41 12 * * 5'
21
+
22
+ jobs:
23
+ analyze:
24
+ name: Analyze (${{ matrix.language }})
25
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
26
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
27
+ # - https://gh.io/supported-runners-and-hardware-resources
28
+ # - https://gh.io/using-larger-runners (GitHub.com only)
29
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
30
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
31
+ permissions:
32
+ # required for all workflows
33
+ security-events: write
34
+
35
+ # required to fetch internal or private CodeQL packs
36
+ packages: read
37
+
38
+ # only required for workflows in private repositories
39
+ actions: read
40
+ contents: read
41
+
42
+ strategy:
43
+ fail-fast: false
44
+ matrix:
45
+ include:
46
+ - language: actions
47
+ build-mode: none
48
+ - language: go
49
+ build-mode: autobuild
50
+ - language: python
51
+ build-mode: none
52
+ - language: rust
53
+ build-mode: none
54
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
55
+ # Use `c-cpp` to analyze code written in C, C++ or both
56
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
57
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
58
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
59
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
60
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
61
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
62
+ steps:
63
+ - name: Checkout repository
64
+ uses: actions/checkout@v7
65
+
66
+ # Add any setup steps before running the `github/codeql-action/init` action.
67
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
68
+ # or others). This is typically only required for manual builds.
69
+ # - name: Setup runtime (example)
70
+ # uses: actions/setup-example@v1
71
+
72
+ # Initializes the CodeQL tools for scanning.
73
+ - name: Initialize CodeQL
74
+ uses: github/codeql-action/init@v4
75
+ with:
76
+ languages: ${{ matrix.language }}
77
+ build-mode: ${{ matrix.build-mode }}
78
+ # If you wish to specify custom queries, you can do so here or in a config file.
79
+ # By default, queries listed here will override any specified in a config file.
80
+ # Prefix the list here with "+" to use these queries and those in the config file.
81
+
82
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
83
+ # queries: security-extended,security-and-quality
84
+
85
+ # If the analyze step fails for one of the languages you are analyzing with
86
+ # "We were unable to automatically build your code", modify the matrix above
87
+ # to set the build mode to "manual" for that language. Then modify this step
88
+ # to build your code.
89
+ # ℹ️ Command-line programs to run using the OS shell.
90
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
91
+ - name: Run manual build steps
92
+ if: matrix.build-mode == 'manual'
93
+ shell: bash
94
+ run: |
95
+ echo 'If you are using a "manual" build mode for one or more of the' \
96
+ 'languages you are analyzing, replace this with the commands to build' \
97
+ 'your code, for example:'
98
+ echo ' make bootstrap'
99
+ echo ' make release'
100
+ exit 1
101
+
102
+ - name: Perform CodeQL Analysis
103
+ uses: github/codeql-action/analyze@v4
104
+ with:
105
+ category: "/language:${{matrix.language}}"
@@ -2,6 +2,8 @@ name: Go Module
2
2
 
3
3
  on:
4
4
  push:
5
+ branches:
6
+ - main
5
7
  tags:
6
8
  - "[0-9]*.[0-9]*.[0-9]*"
7
9
 
@@ -83,6 +85,7 @@ jobs:
83
85
  run: go test ./...
84
86
 
85
87
  publish:
88
+ if: startsWith(github.ref, 'refs/tags/')
86
89
  needs: test
87
90
  runs-on: ubuntu-latest
88
91
  permissions:
@@ -10,6 +10,8 @@ name: Upload Python Package
10
10
 
11
11
  on:
12
12
  push:
13
+ branches:
14
+ - main
13
15
  tags:
14
16
  - "[0-9]*.[0-9]*.[0-9]*"
15
17
 
@@ -17,7 +19,7 @@ permissions:
17
19
  contents: read
18
20
 
19
21
  jobs:
20
- sdist:
22
+ test:
21
23
  runs-on: ubuntu-latest
22
24
 
23
25
  steps:
@@ -33,8 +35,24 @@ jobs:
33
35
 
34
36
  - name: Run Python tests
35
37
  run: |
36
- uv run --group dev maturin develop --bindings pyo3 --features pybinds
37
- uv run --group dev pytest tests
38
+ uv run maturin develop --uv
39
+ uv run pytest tests
40
+
41
+ sdist:
42
+ if: startsWith(github.ref, 'refs/tags/')
43
+ needs: test
44
+ runs-on: ubuntu-latest
45
+
46
+ steps:
47
+ - uses: actions/checkout@v7
48
+
49
+ - name: Install uv
50
+ uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
51
+ - name: Set up Python
52
+ run: uv python install 3.14
53
+ - name: Install cap'n proto
54
+ run: |
55
+ sudo apt install capnproto
38
56
 
39
57
  - name: Build source distribution
40
58
  run: uvx maturin sdist --out dist
@@ -46,6 +64,8 @@ jobs:
46
64
  path: dist/
47
65
 
48
66
  wheels:
67
+ if: startsWith(github.ref, 'refs/tags/')
68
+ needs: test
49
69
  name: Build wheels on ${{ matrix.os }}
50
70
  runs-on: ${{ matrix.os }}
51
71
  strategy:
@@ -74,6 +94,7 @@ jobs:
74
94
  path: dist/
75
95
 
76
96
  pypi-publish:
97
+ if: startsWith(github.ref, 'refs/tags/')
77
98
  runs-on: ubuntu-latest
78
99
  needs:
79
100
  - sdist
@@ -84,7 +84,7 @@ checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
84
84
 
85
85
  [[package]]
86
86
  name = "beaconcrypt"
87
- version = "0.3.4"
87
+ version = "0.3.6"
88
88
  dependencies = [
89
89
  "capnp",
90
90
  "capnpc",
@@ -1,6 +1,6 @@
1
1
  [package]
2
2
  name = "beaconcrypt"
3
- version = "0.3.4"
3
+ version = "0.3.6"
4
4
  edition = "2024"
5
5
  license-file = "LICENSE"
6
6
  readme = "README.md"
@@ -1,6 +1,6 @@
1
1
  Metadata-Version: 2.4
2
2
  Name: beaconcrypt
3
- Version: 0.3.4
3
+ Version: 0.3.6
4
4
  Classifier: Programming Language :: Rust
5
5
  Classifier: Programming Language :: Python :: Implementation :: CPython
6
6
  Classifier: Programming Language :: Python :: Implementation :: PyPy
@@ -46,14 +46,29 @@ Test the C interface
46
46
  # Reference implementation
47
47
  I don't use rust a lot, so the code is probably fairly naive. It provides both a beacon and server implementation with C bindings through `cbindgen`. Ideally more bindings would be built on top of that so it can be used in the mythic server-side.
48
48
 
49
+ The reference implementation expects that all beacons are compiled with the server's public key, and that beaconcrypt is initialized with it.
50
+
51
+ The server is currently not very usable as it doesn't support saving the state of any individual beacon. This means that if your server goes down, you will not be able to communicate with any previously-registered beacons anymore. The server doesn't support being initialized with an Ed25519 seed (32 random bytes). Users wishing to use the server in practical cases should use this interface to ensure their server keeps its identity across reboots.
52
+
49
53
  ## Building
50
54
  You will need [Capn'Proto](https://capnproto.org/install.html) (just the binaries) and a recent version of rust for every build.
51
55
 
52
56
  For windows, I prefer building with stable-gnu for normal usage, and nightly-gnu for release builds. You can find the exact arguments I use to the the static library as small as possible in [release.yml](/.github\workflows\release.yml). The MSVC toolchain is expected to work just as well, I just like mingw.
53
57
 
58
+ Build and run all tests:
59
+ ```bash
60
+ cargo test
61
+ cargo build --target x86_64-pc-windows-gnu
62
+ go test ./...
63
+ uv run maturin develop --uv
64
+ uv run pytest tests
65
+ ```
66
+
54
67
  ## Profiles
55
68
  The reference implementation has two profiles: `PQXDH` and `CNSA2`. Profiles are controlled by cargo features. The CNSA2 profile only exists as a test for now. It uses a simple ML-KEM encapsulation for key exchange and the underlying libraries are not FIPS-approved. It is experimental and is likely broken. PQXDH is the intended target and the default.
56
69
 
70
+ **CNSA2 is currently completely broken**
71
+
57
72
  ## Usage
58
73
  The reference implementation is a library that can currently be used either from rust or through C FFI. The C interface is currently not tested.
59
74
 
@@ -33,7 +33,9 @@ beaconcrypt_go_buffer beaconcrypt_go_process_initial_message(void *handle, const
33
33
  beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_beacon(void *handle, uint64_t key_id, const uint8_t *ptr, uintptr_t len);
34
34
  beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_beacon_signed(void *handle, uint64_t key_id, const uint8_t *ptr, uintptr_t len);
35
35
  beaconcrypt_go_buffer beaconcrypt_go_decrypt_beacon_message(void *handle, uint64_t key_id, const uint8_t *ptr, uintptr_t len);
36
+ beaconcrypt_go_buffer beaconcrypt_go_decrypt_beacon_message_signed(void *handle, const uint8_t *ptr, uintptr_t len);
36
37
  beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_server(void *handle, const uint8_t *ptr, uintptr_t len);
38
+ beaconcrypt_go_buffer beaconcrypt_go_encrypt_to_server_signed(void *handle, const uint8_t *ptr, uintptr_t len);
37
39
  beaconcrypt_go_buffer beaconcrypt_go_decrypt_server_message(void *handle, const uint8_t *ptr, uintptr_t len);
38
40
  beaconcrypt_go_buffer beaconcrypt_go_decrypt_server_message_signed(void *handle, const uint8_t *ptr, uintptr_t len);
39
41
  */
@@ -203,6 +205,15 @@ func (s *Server) DecryptBeaconMessage(keyID uint64, ciphertext []byte) ([]byte,
203
205
  })
204
206
  }
205
207
 
208
+ func (s *Server) DecryptBeaconMessageSigned(ciphertext []byte) ([]byte, error) {
209
+ if s == nil || s.handle == nil {
210
+ return nil, ErrClosed
211
+ }
212
+ return callUnary(ciphertext, func(ptr *C.uint8_t, len C.uintptr_t) C.beaconcrypt_go_buffer {
213
+ return C.beaconcrypt_go_decrypt_beacon_message_signed(s.handle, ptr, len)
214
+ })
215
+ }
216
+
206
217
  func (b *Beacon) EncryptToServer(plaintext []byte) ([]byte, error) {
207
218
  if b == nil || b.handle == nil {
208
219
  return nil, ErrClosed
@@ -212,6 +223,15 @@ func (b *Beacon) EncryptToServer(plaintext []byte) ([]byte, error) {
212
223
  })
213
224
  }
214
225
 
226
+ func (b *Beacon) EncryptToServerSigned(plaintext []byte) ([]byte, error) {
227
+ if b == nil || b.handle == nil {
228
+ return nil, ErrClosed
229
+ }
230
+ return callUnary(plaintext, func(ptr *C.uint8_t, len C.uintptr_t) C.beaconcrypt_go_buffer {
231
+ return C.beaconcrypt_go_encrypt_to_server_signed(b.handle, ptr, len)
232
+ })
233
+ }
234
+
215
235
  func (b *Beacon) DecryptServerMessage(ciphertext []byte) ([]byte, error) {
216
236
  if b == nil || b.handle == nil {
217
237
  return nil, ErrClosed
@@ -240,10 +260,13 @@ func callUnary(data []byte, call func(*C.uint8_t, C.uintptr_t) C.beaconcrypt_go_
240
260
  }
241
261
 
242
262
  func copyBuffer(buffer C.beaconcrypt_go_buffer) ([]byte, error) {
243
- if buffer.ptr == nil || buffer.len == 0 {
263
+ if buffer.ptr == nil {
244
264
  return nil, ErrCrypto
245
265
  }
246
266
  defer C.beaconcrypt_go_free_buffer(buffer)
267
+ if buffer.len == 0 {
268
+ return []byte{}, nil
269
+ }
247
270
  return C.GoBytes(unsafe.Pointer(buffer.ptr), C.int(buffer.len)), nil
248
271
  }
249
272