Add OPAQUE implementation

2023-04-12 14:25:13 +00:00 · 2021-06-08 22:23:46 +02:00 · 2021-06-08 22:23:46 +02:00 · 973fa40dd1
commit 973fa40dd1
parent d5f84cd588
7 changed files with 425 additions and 9 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -685,6 +685,19 @@ dependencies = [
 "subtle",
 ]
 [[package]]
 name = "curve25519-dalek"
 version = "3.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3"
 dependencies = [
 "byteorder",
 "digest",
 "rand_core 0.5.1",
 "subtle",
 "zeroize",
 ]
 [[package]]
 name = "derive_more"
 version = "0.99.14"
@ -718,6 +731,17 @@ version = "1.0.4"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "212d0f5754cb6769937f4501cc0e67f4f4483c8d2c3e1e922ee9edbe4ab4c7c0"
 [[package]]
 name = "displaydoc"
 version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "adc2ab4d5a16117f9029e9a6b5e4e79f4c67f6519bc134210d4d4a04ba31f41b"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "dotenv"
 version = "0.15.0"
@ -927,6 +951,15 @@ dependencies = [
 "version_check",
 ]
 [[package]]
 name = "generic-bytes"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d6638d839bbd1cea640d8c5348dd82e0d545dbd364f3c2a251646eaf2ef0773b"
 dependencies = [
 "generic-array",
 ]
 [[package]]
 name = "getrandom"
 version = "0.1.16"
@ -945,8 +978,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
 dependencies = [
 "cfg-if",
 "js-sys",
 "libc",
 "wasi 0.10.2+wasi-snapshot-preview1",
 "wasm-bindgen",
 ]
 [[package]]
@ -1010,6 +1045,16 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 [[package]]
 name = "hkdf"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51ab2f639c231793c5f6114bdb9bbe50a7dbbfcd7c7c6bd8475dec2d991e964f"
 dependencies = [
 "digest",
 "hmac",
 ]
 [[package]]
 name = "hmac"
 version = "0.10.1"
@ -1241,8 +1286,14 @@ name = "lldap_model"
 version = "0.1.0"
 dependencies = [
 "chrono",
 "curve25519-dalek",
 "getrandom 0.2.3",
 "opaque-ke",
 "rand 0.8.3",
 "serde",
 "sha2",
 "sqlx",
 "thiserror",
 ]
 [[package]]
@ -1548,6 +1599,25 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
 [[package]]
 name = "opaque-ke"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4c5e93081243e35cb270a2812883dcba34121c8d4054f6869149f2c3f7db10e3"
 dependencies = [
 "curve25519-dalek",
 "digest",
 "displaydoc",
 "generic-array",
 "generic-bytes",
 "hkdf",
 "hmac",
 "rand 0.8.3",
 "subtle",
 "thiserror",
 "zeroize",
 ]
 [[package]]
 name = "openssl"
 version = "0.10.34"
--- a/app/Cargo.lock
+++ b/app/Cargo.lock
@ -271,6 +271,19 @@ dependencies = [
 "subtle",
 ]
 [[package]]
 name = "curve25519-dalek"
 version = "3.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3"
 dependencies = [
 "byteorder",
 "digest",
 "rand_core 0.5.1",
 "subtle",
 "zeroize",
 ]
 [[package]]
 name = "digest"
 version = "0.9.0"
@ -280,6 +293,17 @@ dependencies = [
 "generic-array",
 ]
 [[package]]
 name = "displaydoc"
 version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "adc2ab4d5a16117f9029e9a6b5e4e79f4c67f6519bc134210d4d4a04ba31f41b"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "dotenv"
 version = "0.15.0"
@ -433,6 +457,15 @@ dependencies = [
 "version_check",
 ]
 [[package]]
 name = "generic-bytes"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d6638d839bbd1cea640d8c5348dd82e0d545dbd364f3c2a251646eaf2ef0773b"
 dependencies = [
 "generic-array",
 ]
 [[package]]
 name = "getrandom"
 version = "0.1.16"
@ -451,8 +484,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
 dependencies = [
 "cfg-if 1.0.0",
 "js-sys",
 "libc",
 "wasi 0.10.2+wasi-snapshot-preview1",
 "wasm-bindgen",
 ]
 [[package]]
@ -551,6 +586,16 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 [[package]]
 name = "hkdf"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51ab2f639c231793c5f6114bdb9bbe50a7dbbfcd7c7c6bd8475dec2d991e964f"
 dependencies = [
 "digest",
 "hmac",
 ]
 [[package]]
 name = "hmac"
 version = "0.10.1"
@ -699,8 +744,14 @@ name = "lldap_model"
 version = "0.1.0"
 dependencies = [
 "chrono",
 "curve25519-dalek",
 "getrandom 0.2.3",
 "opaque-ke",
 "rand 0.8.4",
 "serde",
 "sha2",
 "sqlx",
 "thiserror",
 ]
 [[package]]
@ -916,6 +967,25 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
 [[package]]
 name = "opaque-ke"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4c5e93081243e35cb270a2812883dcba34121c8d4054f6869149f2c3f7db10e3"
 dependencies = [
 "curve25519-dalek",
 "digest",
 "displaydoc",
 "generic-array",
 "generic-bytes",
 "hkdf",
 "hmac",
 "rand 0.8.4",
 "subtle",
 "thiserror",
 "zeroize",
 ]
 [[package]]
 name = "openssl"
 version = "0.10.35"
--- a/app/Cargo.toml
+++ b/app/Cargo.toml
@ -9,7 +9,6 @@ anyhow = "1"
 chrono = "*"
 http = "0.2.4"
 jwt = "0.13"
 lldap_model = { path = "../model" }
 serde = "1"
 serde_json = "1"
 wasm-bindgen = "0.2"
@ -25,5 +24,9 @@ features = [
  "console",
 ]
 [dependencies.lldap_model]
 path = "../model"
 features = [ "opaque_client" ]
 [lib]
 crate-type = ["cdylib"]
--- a/model/Cargo.lock
+++ b/model/Cargo.lock
@ -24,7 +24,7 @@ version = "0.7.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f200cbb1e856866d9eade941cf3aa0c5d7dd36f74311c4273b494f4ef036957"
 dependencies = [
- "getrandom",
+ "getrandom 0.2.2",
 "once_cell",
 "version_check",
 ]
@ -223,6 +223,19 @@ dependencies = [
 "subtle",
 ]
 [[package]]
 name = "curve25519-dalek"
 version = "3.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3"
 dependencies = [
 "byteorder",
 "digest",
 "rand_core 0.5.1",
 "subtle",
 "zeroize",
 ]
 [[package]]
 name = "digest"
 version = "0.9.0"
@ -252,6 +265,17 @@ dependencies = [
 "winapi",
 ]
 [[package]]
 name = "displaydoc"
 version = "0.1.7"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "adc2ab4d5a16117f9029e9a6b5e4e79f4c67f6519bc134210d4d4a04ba31f41b"
 dependencies = [
 "proc-macro2",
 "quote",
 "syn",
 ]
 [[package]]
 name = "dotenv"
 version = "0.15.0"
@ -399,6 +423,26 @@ dependencies = [
 "version_check",
 ]
 [[package]]
 name = "generic-bytes"
 version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "d6638d839bbd1cea640d8c5348dd82e0d545dbd364f3c2a251646eaf2ef0773b"
 dependencies = [
 "generic-array",
 ]
 [[package]]
 name = "getrandom"
 version = "0.1.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce"
 dependencies = [
 "cfg-if",
 "libc",
 "wasi 0.9.0+wasi-snapshot-preview1",
 ]
 [[package]]
 name = "getrandom"
 version = "0.2.2"
@ -406,8 +450,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c9495705279e7140bf035dde1f6e750c162df8b625267cd52cc44e0b156732c8"
 dependencies = [
 "cfg-if",
 "js-sys",
 "libc",
- "wasi",
+ "wasi 0.10.2+wasi-snapshot-preview1",
 "wasm-bindgen",
 ]
 [[package]]
@ -452,6 +498,16 @@ version = "0.4.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
 [[package]]
 name = "hkdf"
 version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "51ab2f639c231793c5f6114bdb9bbe50a7dbbfcd7c7c6bd8475dec2d991e964f"
 dependencies = [
 "digest",
 "hmac",
 ]
 [[package]]
 name = "hmac"
 version = "0.10.1"
@ -547,8 +603,14 @@ name = "lldap_model"
 version = "0.1.0"
 dependencies = [
 "chrono",
 "curve25519-dalek",
 "getrandom 0.2.2",
 "opaque-ke",
 "rand",
 "serde",
 "sha2",
 "sqlx",
 "thiserror",
 ]
 [[package]]
@ -753,6 +815,25 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
 [[package]]
 name = "opaque-ke"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4c5e93081243e35cb270a2812883dcba34121c8d4054f6869149f2c3f7db10e3"
 dependencies = [
 "curve25519-dalek",
 "digest",
 "displaydoc",
 "generic-array",
 "generic-bytes",
 "hkdf",
 "hmac",
 "rand",
 "subtle",
 "thiserror",
 "zeroize",
 ]
 [[package]]
 name = "openssl"
 version = "0.10.34"
@ -896,7 +977,7 @@ checksum = "0ef9e7e66b4468674bfcb0c81af8b7fa0bb154fa9f28eb840da5c447baeb8d7e"
 dependencies = [
 "libc",
 "rand_chacha",
- "rand_core",
+ "rand_core 0.6.2",
 "rand_hc",
 ]
@ -907,7 +988,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e12735cf05c9e10bf21534da50a147b924d555dc7a547c42e6bb2d5b6017ae0d"
 dependencies = [
 "ppv-lite86",
- "rand_core",
+ "rand_core 0.6.2",
 ]
 [[package]]
 name = "rand_core"
 version = "0.5.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
 dependencies = [
 "getrandom 0.1.16",
 ]
 [[package]]
@ -916,7 +1006,7 @@ version = "0.6.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "34cf66eb183df1c5876e2dcf6b13d57340741e8dc255b48e40a26de954d06ae7"
 dependencies = [
- "getrandom",
+ "getrandom 0.2.2",
 ]
 [[package]]
@ -925,7 +1015,7 @@ version = "0.3.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3190ef7066a446f2e7f42e239d161e905420ccab01eb967c9eb27d21b2322a73"
 dependencies = [
- "rand_core",
+ "rand_core 0.6.2",
 ]
 [[package]]
@ -943,7 +1033,7 @@ version = "0.4.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "528532f3d801c87aec9def2add9ca802fe569e44a544afe633765267840abe64"
 dependencies = [
- "getrandom",
+ "getrandom 0.2.2",
 "redox_syscall",
 ]
@ -1458,6 +1548,12 @@ version = "0.9.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
 [[package]]
 name = "wasi"
 version = "0.9.0+wasi-snapshot-preview1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
 [[package]]
 name = "wasi"
 version = "0.10.2+wasi-snapshot-preview1"
--- a/model/Cargo.toml
+++ b/model/Cargo.toml
@ -5,10 +5,18 @@ authors = ["Valentin Tolmer <valentin@tolmer.fr>", "Steve Barrau <steve.barrau@g
 edition = "2018"
 [features]
 default = ["opaque_server", "opaque_client"]
 opaque_server = []
 opaque_client = []
 js = []
 [dependencies]
 curve25519-dalek = "3"
 opaque-ke = "0.5"
 rand = "0.8"
 serde = "*"
 sha2 = "0.9"
 thiserror = "*"
 [dependencies.chrono]
 version = "*"
@ -25,3 +33,11 @@ features = [
  "runtime-actix-native-tls",
  "sqlite",
 ]
 # For WASM targets, use the JS getrandom.
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies.getrandom]
 version = "0.2"
 features = ["js"]
 [target.'cfg(target_arch = "wasm32")'.dependencies.getrandom]
 version = "0.2"
--- a/model/src/lib.rs
+++ b/model/src/lib.rs
@ -1,7 +1,9 @@
 use serde::{Deserialize, Serialize};
 use chrono::prelude::*;
 use serde::{Deserialize, Serialize};
 use std::collections::HashSet;
 pub mod opaque;
 #[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)]
 pub struct BindRequest {
    pub name: String,
--- a/model/src/opaque.rs
+++ b/model/src/opaque.rs
@ -0,0 +1,159 @@
 use opaque_ke::ciphersuite::CipherSuite;
 use rand::{CryptoRng, RngCore};
 #[derive(thiserror::Error, Debug)]
 pub enum AuthenticationError {
    #[error("Protocol error: `{0}`")]
    ProtocolError(#[from] opaque_ke::errors::ProtocolError),
 }
 pub type AuthenticationResult<T> = std::result::Result<T, AuthenticationError>;
 /// The ciphersuite trait allows to specify the underlying primitives
 /// that will be used in the OPAQUE protocol
 #[allow(dead_code)]
 pub struct DefaultSuite;
 impl CipherSuite for DefaultSuite {
    type Group = curve25519_dalek::ristretto::RistrettoPoint;
    type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
    type Hash = sha2::Sha512;
    type SlowHash = opaque_ke::slow_hash::NoOpHash;
 }
 /// Client-side code for OPAQUE protocol handling, to register a new user and login.  All methods'
 /// results must be sent to the server using the serialized `.message`. Incoming messages can be
 /// deserialized using the type's `deserialize` method.
 #[cfg(feature = "opaque_client")]
 pub mod client {
    use super::*;
    /// Methods to register a new user, from the client side.
    pub mod registration {
        use super::*;
        use opaque_ke::{
            ClientRegistration, ClientRegistrationFinishParameters, ClientRegistrationFinishResult,
            ClientRegistrationStartResult, RegistrationResponse,
        };
        /// Initiate the registration negotiation.
        pub fn start_registration<R: RngCore + CryptoRng>(
            password: &str,
            rng: &mut R,
        ) -> AuthenticationResult<ClientRegistrationStartResult<DefaultSuite>> {
            Ok(ClientRegistration::<DefaultSuite>::start(
                rng,
                password.as_bytes(),
            )?)
        }
        /// Finalize the registration negotiation.
        pub fn finish_registration<R: RngCore + CryptoRng>(
            registration_start: ClientRegistration<DefaultSuite>,
            registration_response: RegistrationResponse<DefaultSuite>,
            rng: &mut R,
        ) -> AuthenticationResult<ClientRegistrationFinishResult<DefaultSuite>> {
            Ok(registration_start.finish(
                rng,
                registration_response,
                ClientRegistrationFinishParameters::default(),
            )?)
        }
    }
    /// Methods to login, from the client side.
    pub mod login {
        use super::*;
        use opaque_ke::{
            ClientLogin, ClientLoginFinishParameters, ClientLoginFinishResult,
            ClientLoginStartParameters, ClientLoginStartResult, CredentialResponse,
        };
        /// Initiate the login negotiation.
        pub fn start_login<R: RngCore + CryptoRng>(
            password: &str,
            rng: &mut R,
        ) -> AuthenticationResult<ClientLoginStartResult<DefaultSuite>> {
            Ok(ClientLogin::<DefaultSuite>::start(
                rng,
                password.as_bytes(),
                ClientLoginStartParameters::default(),
            )?)
        }
        /// Finalize the client login negotiation.
        pub fn finish_login(
            login_start: ClientLogin<DefaultSuite>,
            login_response: CredentialResponse<DefaultSuite>,
        ) -> AuthenticationResult<ClientLoginFinishResult<DefaultSuite>> {
            Ok(login_start.finish(login_response, ClientLoginFinishParameters::default())?)
        }
    }
 }
 /// Server-side code for OPAQUE protocol handling, to register a new user and login.  The
 /// intermediate results must be sent to the client using the serialized `.message`.
 #[cfg(feature = "opaque_server")]
 pub mod server {
    use super::*;
    use opaque_ke::{keypair::Key, ServerRegistration};
    /// Methods to register a new user, from the server side.
    pub mod registration {
        use super::*;
        use opaque_ke::{RegistrationRequest, RegistrationUpload, ServerRegistrationStartResult};
        /// Start a registration process, from a request sent by the client.
        ///
        /// The result must be kept for the next step.
        pub fn start_registration<R: RngCore + CryptoRng>(
            rng: &mut R,
            registration_request: RegistrationRequest<DefaultSuite>,
            server_public_key: &Key,
        ) -> AuthenticationResult<ServerRegistrationStartResult<DefaultSuite>> {
            Ok(ServerRegistration::<DefaultSuite>::start(
                rng,
                registration_request,
                server_public_key,
            )?)
        }
        /// Finish to register a new user, and get the data to store in the database.
        pub fn get_password_file(
            registration_start: ServerRegistration<DefaultSuite>,
            registration_upload: RegistrationUpload<DefaultSuite>,
        ) -> AuthenticationResult<ServerRegistration<DefaultSuite>> {
            Ok(registration_start.finish(registration_upload)?)
        }
    }
    /// Methods to handle user login, from the server-side.
    pub mod login {
        use super::*;
        use opaque_ke::{
            CredentialFinalization, CredentialRequest, ServerLogin, ServerLoginFinishResult,
            ServerLoginStartParameters, ServerLoginStartResult,
        };
        /// Start a login process, from a request sent by the client.
        ///
        /// The result must be kept for the next step.
        pub fn start_login<R: RngCore + CryptoRng>(
            rng: &mut R,
            password_file: ServerRegistration<DefaultSuite>,
            server_private_key: &Key,
            credential_request: CredentialRequest<DefaultSuite>,
        ) -> AuthenticationResult<ServerLoginStartResult<DefaultSuite>> {
            Ok(ServerLogin::start(
                rng,
                password_file,
                server_private_key,
                credential_request,
                ServerLoginStartParameters::default(),
            )?)
        }
        /// Finish to authorize a new user, and get the session key to decrypt associated data.
        pub fn finalize_login(
            login_start: ServerLogin<DefaultSuite>,
            credential_finalization: CredentialFinalization<DefaultSuite>,
        ) -> AuthenticationResult<ServerLoginFinishResult> {
            Ok(login_start.finish(credential_finalization)?)
        }
    }
 }