Merge branch 'use-xsalsa20-poly1305' into 'master'

Use XSalsa20-Poly1305 instead of AES-GCM for transport encryption and password storage.

This patch integrates @str4d's new authenticated cipher implementation. It depends on !18.

See merge request !35

briar-android/src/org/briarproject/android/invitation/AddContactActivity.java

@@ -55,12 +55,12 @@ implements InvitationListener {
 	private boolean localCompared = false, remoteCompared = false;
 	private boolean localMatched = false, remoteMatched = false;
 	private String contactName = null;
-	private boolean bluetoothWasEnabled = false;
 
 	// Fields that are accessed from background threads must be volatile
 	@Inject private volatile DatabaseComponent db;
 	@Inject private volatile IdentityManager identityManager;
-	private volatile boolean leaveBluetoothEnabled = true;
+	private volatile boolean bluetoothWasEnabled = false;
+	private volatile boolean leaveBluetoothEnabled = false;
 
 	@Override
 	public void onCreate(Bundle state) {
@@ -173,7 +173,8 @@ implements InvitationListener {
 					long duration = System.currentTimeMillis() - now;
 					if (LOG.isLoggable(INFO))
 						LOG.info("Loading setting took " + duration + " ms");
-					leaveBluetoothEnabled = c.getBoolean("enable", false);
+					leaveBluetoothEnabled = bluetoothWasEnabled
+							|| c.getBoolean("enable", false);
 				} catch (DbException e) {
 					if (LOG.isLoggable(WARNING))
 						LOG.log(WARNING, e.toString(), e);
@@ -328,7 +329,7 @@ implements InvitationListener {
 	}
 
 	public void disableBluetooth() {
-		if (!bluetoothWasEnabled && !leaveBluetoothEnabled) {
+		if (!leaveBluetoothEnabled) {
 			if (LOG.isLoggable(INFO)) LOG.info("Turning off Bluetooth again");
 
 			BluetoothAdapter adapter = BluetoothAdapter.getDefaultAdapter();

briar-api/src/org/briarproject/api/transport/TransportConstants.java

@@ -19,7 +19,7 @@ public interface TransportConstants {
 			+ MAC_LENGTH;
 
 	/** The length of the frame initalisation vector (IV) in bytes. */
-	int FRAME_IV_LENGTH = 12;
+	int FRAME_IV_LENGTH = 24;
 
 	/** The length of the frame header in bytes. */
 	int FRAME_HEADER_LENGTH = 4 + MAC_LENGTH;

briar-core/src/org/briarproject/crypto/AuthenticatedCipher.java

@@ -26,14 +26,14 @@ interface AuthenticatedCipher {
 	 *              including the MAC.
 	 * @param inputOff the offset into the input array where the data to be
 	 *                 processed starts.
-	 * @param len the number of bytes to be processed. If decrypting, includes
-	 *            the MAC length.
-	 * @param output the output buffer the processed bytes go into. If
-	 *               encrypting, the ciphertext including the MAC. If
-	 *               decrypting, the plaintext.
-	 * @param outputOff the offset into the output byte array the processed
-	 *                  data starts at.
-	 * @return  the number of bytes processed.
+	 * @param len the length of the input. If decrypting, includes the MAC
+	 *            length.
+	 * @param output the output byte array. If encrypting, the ciphertext
+	 *               including the MAC. If decrypting, the plaintext.
+	 * @param outputOff the offset into the output byte array where the
+	 *                  processed data starts.
+	 * @return  the length of the output. If encrypting, includes the MAC
+	 *          length.
 	 * @throws GeneralSecurityException on invalid input.
 	 */
 	int process(byte[] input, int inputOff, int len, byte[] output,

briar-core/src/org/briarproject/crypto/AuthenticatedCipherImpl.java

@@ -1,57 +0,0 @@
-package org.briarproject.crypto;
-
-import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
-
-import java.security.GeneralSecurityException;
-
-import org.briarproject.api.crypto.SecretKey;
-import org.spongycastle.crypto.DataLengthException;
-import org.spongycastle.crypto.InvalidCipherTextException;
-import org.spongycastle.crypto.engines.AESLightEngine;
-import org.spongycastle.crypto.modes.AEADBlockCipher;
-import org.spongycastle.crypto.modes.GCMBlockCipher;
-import org.spongycastle.crypto.modes.gcm.BasicGCMMultiplier;
-import org.spongycastle.crypto.params.AEADParameters;
-import org.spongycastle.crypto.params.KeyParameter;
-
-class AuthenticatedCipherImpl implements AuthenticatedCipher {
-
-	private final AEADBlockCipher cipher;
-
-	AuthenticatedCipherImpl() {
-		cipher = new GCMBlockCipher(new AESLightEngine(),
-				new BasicGCMMultiplier());
-	}
-
-	public int process(byte[] input, int inputOff, int len, byte[] output,
-			int outputOff) throws GeneralSecurityException {
-		int processed = 0;
-		if (len != 0) {
-			processed = cipher.processBytes(input, inputOff, len, output,
-					outputOff);
-		}
-		try {
-			return processed + cipher.doFinal(output, outputOff + processed);
-		} catch (DataLengthException e) {
-			throw new GeneralSecurityException(e.getMessage());
-		} catch (InvalidCipherTextException e) {
-			throw new GeneralSecurityException(e.getMessage());
-		}
-	}
-
-	public void init(boolean encrypt, SecretKey key, byte[] iv)
-			throws GeneralSecurityException {
-		KeyParameter k = new KeyParameter(key.getBytes());
-		// Authenticate the IV by passing it as additional authenticated data
-		AEADParameters params = new AEADParameters(k, MAC_LENGTH * 8, iv, iv);
-		try {
-			cipher.init(encrypt, params);
-		} catch (IllegalArgumentException e) {
-			throw new GeneralSecurityException(e.getMessage());
-		}
-	}
-
-	public int getMacBytes() {
-		return MAC_LENGTH;
-	}
-}

briar-core/src/org/briarproject/crypto/CryptoComponentImpl.java

@@ -55,8 +55,8 @@ class CryptoComponentImpl implements CryptoComponent {
 
 	private static final int AGREEMENT_KEY_PAIR_BITS = 256;
 	private static final int SIGNATURE_KEY_PAIR_BITS = 256;
-	private static final int STORAGE_IV_BYTES = 16; // 128 bits
-	private static final int PBKDF_SALT_BYTES = 16; // 128 bits
+	private static final int STORAGE_IV_BYTES = 24; // 196 bits
+	private static final int PBKDF_SALT_BYTES = 32; // 256 bits
 	private static final int PBKDF_TARGET_MILLIS = 500;
 	private static final int PBKDF_SAMPLES = 30;
 
@@ -94,16 +94,16 @@ class CryptoComponentImpl implements CryptoComponent {
 	private final KeyParser agreementKeyParser, signatureKeyParser;
 
 	@Inject
-	CryptoComponentImpl(SeedProvider r) {
+	CryptoComponentImpl(SeedProvider seedProvider) {
 		if (!FortunaSecureRandom.selfTest()) throw new RuntimeException();
-		SecureRandom secureRandom1 = new SecureRandom();
+		SecureRandom platformSecureRandom = new SecureRandom();
 		if (LOG.isLoggable(INFO)) {
-			String provider = secureRandom1.getProvider().getName();
-			String algorithm = secureRandom1.getAlgorithm();
+			String provider = platformSecureRandom.getProvider().getName();
+			String algorithm = platformSecureRandom.getAlgorithm();
 			LOG.info("Default SecureRandom: " + provider + " " + algorithm);
 		}
-		SecureRandom secureRandom2 = new FortunaSecureRandom(r.getSeed());
-		secureRandom = new CombinedSecureRandom(secureRandom1, secureRandom2);
+		SecureRandom fortuna = new FortunaSecureRandom(seedProvider.getSeed());
+		secureRandom = new CombinedSecureRandom(platformSecureRandom, fortuna);
 		ECKeyGenerationParameters params = new ECKeyGenerationParameters(
 				PARAMETERS, secureRandom);
 		agreementKeyPairGenerator = new ECKeyPairGenerator();
@@ -325,7 +325,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	public byte[] encryptWithPassword(byte[] input, String password) {
-		AuthenticatedCipher cipher = new AuthenticatedCipherImpl();
+		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
 		int macBytes = cipher.getMacBytes();
 		// Generate a random salt
 		byte[] salt = new byte[PBKDF_SALT_BYTES];
@@ -355,7 +355,7 @@ class CryptoComponentImpl implements CryptoComponent {
 	}
 
 	public byte[] decryptWithPassword(byte[] input, String password) {
-		AuthenticatedCipher cipher = new AuthenticatedCipherImpl();
+		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
 		int macBytes = cipher.getMacBytes();
 		// The input contains the salt, iterations, IV, ciphertext and MAC
 		if (input.length < PBKDF_SALT_BYTES + 4 + STORAGE_IV_BYTES + macBytes)

briar-core/src/org/briarproject/crypto/CryptoModule.java

@@ -1,6 +1,14 @@
 package org.briarproject.crypto;
 
-import static java.util.concurrent.TimeUnit.SECONDS;
+import com.google.inject.AbstractModule;
+import com.google.inject.Provides;
+
+import org.briarproject.api.crypto.CryptoComponent;
+import org.briarproject.api.crypto.CryptoExecutor;
+import org.briarproject.api.crypto.PasswordStrengthEstimator;
+import org.briarproject.api.crypto.StreamDecrypterFactory;
+import org.briarproject.api.crypto.StreamEncrypterFactory;
+import org.briarproject.api.lifecycle.LifecycleManager;
 
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.Executor;
@@ -11,15 +19,7 @@ import java.util.concurrent.ThreadPoolExecutor;
 
 import javax.inject.Singleton;
 
-import org.briarproject.api.crypto.CryptoComponent;
-import org.briarproject.api.crypto.CryptoExecutor;
-import org.briarproject.api.crypto.PasswordStrengthEstimator;
-import org.briarproject.api.crypto.StreamDecrypterFactory;
-import org.briarproject.api.crypto.StreamEncrypterFactory;
-import org.briarproject.api.lifecycle.LifecycleManager;
-
-import com.google.inject.AbstractModule;
-import com.google.inject.Provides;
+import static java.util.concurrent.TimeUnit.SECONDS;
 
 public class CryptoModule extends AbstractModule {
 
@@ -42,7 +42,8 @@ public class CryptoModule extends AbstractModule {
 
 	@Override
 	protected void configure() {
-		bind(AuthenticatedCipher.class).to(AuthenticatedCipherImpl.class);
+		bind(AuthenticatedCipher.class).to(
+				XSalsa20Poly1305AuthenticatedCipher.class);
 		bind(CryptoComponent.class).to(
 				CryptoComponentImpl.class).in(Singleton.class);
 		bind(PasswordStrengthEstimator.class).to(

briar-core/src/org/briarproject/crypto/XSalsa20Poly1305AuthenticatedCipher.java

@@ -24,7 +24,8 @@ import static org.briarproject.api.transport.TransportConstants.MAC_LENGTH;
  *     <li>http://cr.yp.to/highspeed/naclcrypto-20090310.pdf</li>
  * </ul>
  */
-public class XSalsa20Poly1305AC implements AuthenticatedCipher {
+public class XSalsa20Poly1305AuthenticatedCipher
+		implements AuthenticatedCipher {
 
 	/** Length of the padding to be used to generate the Poly1305 key */
 	private static final int SUBKEY_LENGTH = 32;
@@ -34,13 +35,14 @@ public class XSalsa20Poly1305AC implements AuthenticatedCipher {
 
 	private boolean encrypting;
 
-	XSalsa20Poly1305AC() {
+	XSalsa20Poly1305AuthenticatedCipher() {
 		xSalsa20Engine = new XSalsa20Engine();
 		poly1305 = new Poly1305();
 	}
 
 	@Override
-	public void init(boolean encrypt, SecretKey key, byte[] iv) throws GeneralSecurityException {
+	public void init(boolean encrypt, SecretKey key, byte[] iv)
+			throws GeneralSecurityException {
 		encrypting = encrypt;
 		KeyParameter k = new KeyParameter(key.getBytes());
 		ParametersWithIV params = new ParametersWithIV(k, iv);
@@ -52,12 +54,10 @@ public class XSalsa20Poly1305AC implements AuthenticatedCipher {
 	}
 
 	@Override
-	public int process(byte[] input, int inputOff, int len, byte[] output, int outputOff) throws GeneralSecurityException {
-		if (len == 0)
-			return 0;
-		else if (!encrypting && len < MAC_LENGTH)
+	public int process(byte[] input, int inputOff, int len, byte[] output,
+			int outputOff) throws GeneralSecurityException {
+		if (!encrypting && len < MAC_LENGTH)
 			throw new GeneralSecurityException("Invalid MAC");
-
 		try {
 			// Generate the Poly1305 subkey from an empty array
 			byte[] zero = new byte[SUBKEY_LENGTH];
@@ -100,7 +100,7 @@ public class XSalsa20Poly1305AC implements AuthenticatedCipher {
 					throw new GeneralSecurityException("Invalid MAC");
 			}
 
-			// Invert the stream encryption
+			// Apply or invert the stream encryption
 			int processed = xSalsa20Engine.processBytes(
 					input, encrypting ? inputOff : inputOff + MAC_LENGTH,
 					encrypting ? len : len - MAC_LENGTH,
@@ -112,7 +112,7 @@ public class XSalsa20Poly1305AC implements AuthenticatedCipher {
 				poly1305.doFinal(output, outputOff);
 			}
 
-			return processed;
+			return encrypting ? processed + MAC_LENGTH : processed;
 		} catch (DataLengthException e) {
 			throw new GeneralSecurityException(e.getMessage());
 		}

briar-tests/src/org/briarproject/crypto/XSalsa20Poly1305AuthenticatedCipherTest.java

@@ -6,10 +6,12 @@ import org.briarproject.util.StringUtils;
 import org.junit.Test;
 
 import java.security.GeneralSecurityException;
+import java.util.Random;
 
 import static org.junit.Assert.assertArrayEquals;
+import static org.junit.Assert.assertEquals;
 
-public class XSalsa20Poly1305ACTest extends BriarTestCase {
+public class XSalsa20Poly1305AuthenticatedCipherTest extends BriarTestCase {
 
 	// Test vectors from the NaCl paper
 	// http://cr.yp.to/highspeed/naclcrypto-20090310.pdf
@@ -47,43 +49,45 @@ public class XSalsa20Poly1305ACTest extends BriarTestCase {
 	@Test
 	public void testEncrypt() throws Exception {
 		SecretKey k = new SecretKey(TEST_KEY);
-		AuthenticatedCipher cipher = new XSalsa20Poly1305AC();
+		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
 		cipher.init(true, k, TEST_IV);
-		byte[] output = new byte[TEST_PLAINTEXT.length + cipher.getMacBytes()];
-		cipher.process(TEST_PLAINTEXT, 0, TEST_PLAINTEXT.length, output, 0);
+		byte[] output = new byte[TEST_CIPHERTEXT.length];
+		assertEquals(TEST_CIPHERTEXT.length, cipher.process(TEST_PLAINTEXT, 0,
+						TEST_PLAINTEXT.length, output, 0));
 		assertArrayEquals(TEST_CIPHERTEXT, output);
 	}
 
 	@Test
 	public void testDecrypt() throws Exception {
 		SecretKey k = new SecretKey(TEST_KEY);
-		AuthenticatedCipher cipher = new XSalsa20Poly1305AC();
+		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
 		cipher.init(false, k, TEST_IV);
-		byte[] output = new byte[TEST_CIPHERTEXT.length - cipher.getMacBytes()];
-		cipher.process(TEST_CIPHERTEXT, 0, TEST_CIPHERTEXT.length, output, 0);
+		byte[] output = new byte[TEST_PLAINTEXT.length];
+		assertEquals(TEST_PLAINTEXT.length, cipher.process(TEST_CIPHERTEXT, 0,
+				TEST_CIPHERTEXT.length, output, 0));
 		assertArrayEquals(TEST_PLAINTEXT, output);
 	}
 
 	@Test(expected = GeneralSecurityException.class)
 	public void testDecryptFailsWithShortInput() throws Exception {
 		SecretKey k = new SecretKey(TEST_KEY);
-		AuthenticatedCipher cipher = new XSalsa20Poly1305AC();
+		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
 		cipher.init(false, k, TEST_IV);
-		byte[] input = new byte[8];
-		System.arraycopy(TEST_CIPHERTEXT, 0, input, 0, 8);
-		byte[] output = new byte[TEST_CIPHERTEXT.length - cipher.getMacBytes()];
+		byte[] input = new byte[cipher.getMacBytes() - 1];
+		System.arraycopy(TEST_CIPHERTEXT, 0, input, 0, input.length);
+		byte[] output = new byte[TEST_PLAINTEXT.length];
 		cipher.process(input, 0, input.length, output, 0);
 	}
 
 	@Test(expected = GeneralSecurityException.class)
 	public void testDecryptFailsWithAlteredCiphertext() throws Exception {
 		SecretKey k = new SecretKey(TEST_KEY);
-		AuthenticatedCipher cipher = new XSalsa20Poly1305AC();
+		AuthenticatedCipher cipher = new XSalsa20Poly1305AuthenticatedCipher();
 		cipher.init(false, k, TEST_IV);
 		byte[] input = new byte[TEST_CIPHERTEXT.length];
 		System.arraycopy(TEST_CIPHERTEXT, 0, input, 0, TEST_CIPHERTEXT.length);
-		input[TEST_CIPHERTEXT.length - cipher.getMacBytes()] = 42;
-		byte[] output = new byte[TEST_CIPHERTEXT.length - cipher.getMacBytes()];
+		input[new Random().nextInt(TEST_CIPHERTEXT.length)] ^= 0xFF;
+		byte[] output = new byte[TEST_PLAINTEXT.length];
 		cipher.process(input, 0, input.length, output, 0);
 	}
 }