Add OPAQUE implementation

This commit is contained in:
Valentin Tolmer 2021-06-08 22:23:46 +02:00 committed by nitnelave
parent d5f84cd588
commit 973fa40dd1
7 changed files with 425 additions and 9 deletions

70
Cargo.lock generated
View File

@ -685,6 +685,19 @@ dependencies = [
"subtle",
]
[[package]]
name = "curve25519-dalek"
version = "3.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3"
dependencies = [
"byteorder",
"digest",
"rand_core 0.5.1",
"subtle",
"zeroize",
]
[[package]]
name = "derive_more"
version = "0.99.14"
@ -718,6 +731,17 @@ version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "212d0f5754cb6769937f4501cc0e67f4f4483c8d2c3e1e922ee9edbe4ab4c7c0"
[[package]]
name = "displaydoc"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "adc2ab4d5a16117f9029e9a6b5e4e79f4c67f6519bc134210d4d4a04ba31f41b"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "dotenv"
version = "0.15.0"
@ -927,6 +951,15 @@ dependencies = [
"version_check",
]
[[package]]
name = "generic-bytes"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d6638d839bbd1cea640d8c5348dd82e0d545dbd364f3c2a251646eaf2ef0773b"
dependencies = [
"generic-array",
]
[[package]]
name = "getrandom"
version = "0.1.16"
@ -945,8 +978,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"wasi 0.10.2+wasi-snapshot-preview1",
"wasm-bindgen",
]
[[package]]
@ -1010,6 +1045,16 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hkdf"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51ab2f639c231793c5f6114bdb9bbe50a7dbbfcd7c7c6bd8475dec2d991e964f"
dependencies = [
"digest",
"hmac",
]
[[package]]
name = "hmac"
version = "0.10.1"
@ -1241,8 +1286,14 @@ name = "lldap_model"
version = "0.1.0"
dependencies = [
"chrono",
"curve25519-dalek",
"getrandom 0.2.3",
"opaque-ke",
"rand 0.8.3",
"serde",
"sha2",
"sqlx",
"thiserror",
]
[[package]]
@ -1548,6 +1599,25 @@ version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
[[package]]
name = "opaque-ke"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c5e93081243e35cb270a2812883dcba34121c8d4054f6869149f2c3f7db10e3"
dependencies = [
"curve25519-dalek",
"digest",
"displaydoc",
"generic-array",
"generic-bytes",
"hkdf",
"hmac",
"rand 0.8.3",
"subtle",
"thiserror",
"zeroize",
]
[[package]]
name = "openssl"
version = "0.10.34"

70
app/Cargo.lock generated
View File

@ -271,6 +271,19 @@ dependencies = [
"subtle",
]
[[package]]
name = "curve25519-dalek"
version = "3.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3"
dependencies = [
"byteorder",
"digest",
"rand_core 0.5.1",
"subtle",
"zeroize",
]
[[package]]
name = "digest"
version = "0.9.0"
@ -280,6 +293,17 @@ dependencies = [
"generic-array",
]
[[package]]
name = "displaydoc"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "adc2ab4d5a16117f9029e9a6b5e4e79f4c67f6519bc134210d4d4a04ba31f41b"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "dotenv"
version = "0.15.0"
@ -433,6 +457,15 @@ dependencies = [
"version_check",
]
[[package]]
name = "generic-bytes"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d6638d839bbd1cea640d8c5348dd82e0d545dbd364f3c2a251646eaf2ef0773b"
dependencies = [
"generic-array",
]
[[package]]
name = "getrandom"
version = "0.1.16"
@ -451,8 +484,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcd999463524c52659517fe2cea98493cfe485d10565e7b0fb07dbba7ad2753"
dependencies = [
"cfg-if 1.0.0",
"js-sys",
"libc",
"wasi 0.10.2+wasi-snapshot-preview1",
"wasm-bindgen",
]
[[package]]
@ -551,6 +586,16 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hkdf"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51ab2f639c231793c5f6114bdb9bbe50a7dbbfcd7c7c6bd8475dec2d991e964f"
dependencies = [
"digest",
"hmac",
]
[[package]]
name = "hmac"
version = "0.10.1"
@ -699,8 +744,14 @@ name = "lldap_model"
version = "0.1.0"
dependencies = [
"chrono",
"curve25519-dalek",
"getrandom 0.2.3",
"opaque-ke",
"rand 0.8.4",
"serde",
"sha2",
"sqlx",
"thiserror",
]
[[package]]
@ -916,6 +967,25 @@ version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
[[package]]
name = "opaque-ke"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c5e93081243e35cb270a2812883dcba34121c8d4054f6869149f2c3f7db10e3"
dependencies = [
"curve25519-dalek",
"digest",
"displaydoc",
"generic-array",
"generic-bytes",
"hkdf",
"hmac",
"rand 0.8.4",
"subtle",
"thiserror",
"zeroize",
]
[[package]]
name = "openssl"
version = "0.10.35"

View File

@ -9,7 +9,6 @@ anyhow = "1"
chrono = "*"
http = "0.2.4"
jwt = "0.13"
lldap_model = { path = "../model" }
serde = "1"
serde_json = "1"
wasm-bindgen = "0.2"
@ -25,5 +24,9 @@ features = [
"console",
]
[dependencies.lldap_model]
path = "../model"
features = [ "opaque_client" ]
[lib]
crate-type = ["cdylib"]

110
model/Cargo.lock generated
View File

@ -24,7 +24,7 @@ version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f200cbb1e856866d9eade941cf3aa0c5d7dd36f74311c4273b494f4ef036957"
dependencies = [
"getrandom",
"getrandom 0.2.2",
"once_cell",
"version_check",
]
@ -223,6 +223,19 @@ dependencies = [
"subtle",
]
[[package]]
name = "curve25519-dalek"
version = "3.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "639891fde0dbea823fc3d798a0fdf9d2f9440a42d64a78ab3488b0ca025117b3"
dependencies = [
"byteorder",
"digest",
"rand_core 0.5.1",
"subtle",
"zeroize",
]
[[package]]
name = "digest"
version = "0.9.0"
@ -252,6 +265,17 @@ dependencies = [
"winapi",
]
[[package]]
name = "displaydoc"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "adc2ab4d5a16117f9029e9a6b5e4e79f4c67f6519bc134210d4d4a04ba31f41b"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "dotenv"
version = "0.15.0"
@ -399,6 +423,26 @@ dependencies = [
"version_check",
]
[[package]]
name = "generic-bytes"
version = "0.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d6638d839bbd1cea640d8c5348dd82e0d545dbd364f3c2a251646eaf2ef0773b"
dependencies = [
"generic-array",
]
[[package]]
name = "getrandom"
version = "0.1.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8fc3cb4d91f53b50155bdcfd23f6a4c39ae1969c2ae85982b135750cccaf5fce"
dependencies = [
"cfg-if",
"libc",
"wasi 0.9.0+wasi-snapshot-preview1",
]
[[package]]
name = "getrandom"
version = "0.2.2"
@ -406,8 +450,10 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c9495705279e7140bf035dde1f6e750c162df8b625267cd52cc44e0b156732c8"
dependencies = [
"cfg-if",
"js-sys",
"libc",
"wasi",
"wasi 0.10.2+wasi-snapshot-preview1",
"wasm-bindgen",
]
[[package]]
@ -452,6 +498,16 @@ version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7f24254aa9a54b5c858eaee2f5bccdb46aaf0e486a595ed5fd8f86ba55232a70"
[[package]]
name = "hkdf"
version = "0.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "51ab2f639c231793c5f6114bdb9bbe50a7dbbfcd7c7c6bd8475dec2d991e964f"
dependencies = [
"digest",
"hmac",
]
[[package]]
name = "hmac"
version = "0.10.1"
@ -547,8 +603,14 @@ name = "lldap_model"
version = "0.1.0"
dependencies = [
"chrono",
"curve25519-dalek",
"getrandom 0.2.2",
"opaque-ke",
"rand",
"serde",
"sha2",
"sqlx",
"thiserror",
]
[[package]]
@ -753,6 +815,25 @@ version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
[[package]]
name = "opaque-ke"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c5e93081243e35cb270a2812883dcba34121c8d4054f6869149f2c3f7db10e3"
dependencies = [
"curve25519-dalek",
"digest",
"displaydoc",
"generic-array",
"generic-bytes",
"hkdf",
"hmac",
"rand",
"subtle",
"thiserror",
"zeroize",
]
[[package]]
name = "openssl"
version = "0.10.34"
@ -896,7 +977,7 @@ checksum = "0ef9e7e66b4468674bfcb0c81af8b7fa0bb154fa9f28eb840da5c447baeb8d7e"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
"rand_core 0.6.2",
"rand_hc",
]
@ -907,7 +988,16 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e12735cf05c9e10bf21534da50a147b924d555dc7a547c42e6bb2d5b6017ae0d"
dependencies = [
"ppv-lite86",
"rand_core",
"rand_core 0.6.2",
]
[[package]]
name = "rand_core"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "90bde5296fc891b0cef12a6d03ddccc162ce7b2aff54160af9338f8d40df6d19"
dependencies = [
"getrandom 0.1.16",
]
[[package]]
@ -916,7 +1006,7 @@ version = "0.6.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34cf66eb183df1c5876e2dcf6b13d57340741e8dc255b48e40a26de954d06ae7"
dependencies = [
"getrandom",
"getrandom 0.2.2",
]
[[package]]
@ -925,7 +1015,7 @@ version = "0.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3190ef7066a446f2e7f42e239d161e905420ccab01eb967c9eb27d21b2322a73"
dependencies = [
"rand_core",
"rand_core 0.6.2",
]
[[package]]
@ -943,7 +1033,7 @@ version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "528532f3d801c87aec9def2add9ca802fe569e44a544afe633765267840abe64"
dependencies = [
"getrandom",
"getrandom 0.2.2",
"redox_syscall",
]
@ -1458,6 +1548,12 @@ version = "0.9.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5fecdca9a5291cc2b8dcf7dc02453fee791a280f3743cb0905f8822ae463b3fe"
[[package]]
name = "wasi"
version = "0.9.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cccddf32554fecc6acb585f82a32a72e28b48f8c4c1883ddfeeeaa96f7d8e519"
[[package]]
name = "wasi"
version = "0.10.2+wasi-snapshot-preview1"

View File

@ -5,10 +5,18 @@ authors = ["Valentin Tolmer <valentin@tolmer.fr>", "Steve Barrau <steve.barrau@g
edition = "2018"
[features]
default = ["opaque_server", "opaque_client"]
opaque_server = []
opaque_client = []
js = []
[dependencies]
curve25519-dalek = "3"
opaque-ke = "0.5"
rand = "0.8"
serde = "*"
sha2 = "0.9"
thiserror = "*"
[dependencies.chrono]
version = "*"
@ -25,3 +33,11 @@ features = [
"runtime-actix-native-tls",
"sqlite",
]
# For WASM targets, use the JS getrandom.
[target.'cfg(not(target_arch = "wasm32"))'.dependencies.getrandom]
version = "0.2"
features = ["js"]
[target.'cfg(target_arch = "wasm32")'.dependencies.getrandom]
version = "0.2"

View File

@ -1,7 +1,9 @@
use serde::{Deserialize, Serialize};
use chrono::prelude::*;
use serde::{Deserialize, Serialize};
use std::collections::HashSet;
pub mod opaque;
#[derive(PartialEq, Eq, Debug, Serialize, Deserialize, Clone)]
pub struct BindRequest {
pub name: String,

159
model/src/opaque.rs Normal file
View File

@ -0,0 +1,159 @@
use opaque_ke::ciphersuite::CipherSuite;
use rand::{CryptoRng, RngCore};
#[derive(thiserror::Error, Debug)]
pub enum AuthenticationError {
#[error("Protocol error: `{0}`")]
ProtocolError(#[from] opaque_ke::errors::ProtocolError),
}
pub type AuthenticationResult<T> = std::result::Result<T, AuthenticationError>;
/// The ciphersuite trait allows to specify the underlying primitives
/// that will be used in the OPAQUE protocol
#[allow(dead_code)]
pub struct DefaultSuite;
impl CipherSuite for DefaultSuite {
type Group = curve25519_dalek::ristretto::RistrettoPoint;
type KeyExchange = opaque_ke::key_exchange::tripledh::TripleDH;
type Hash = sha2::Sha512;
type SlowHash = opaque_ke::slow_hash::NoOpHash;
}
/// Client-side code for OPAQUE protocol handling, to register a new user and login. All methods'
/// results must be sent to the server using the serialized `.message`. Incoming messages can be
/// deserialized using the type's `deserialize` method.
#[cfg(feature = "opaque_client")]
pub mod client {
use super::*;
/// Methods to register a new user, from the client side.
pub mod registration {
use super::*;
use opaque_ke::{
ClientRegistration, ClientRegistrationFinishParameters, ClientRegistrationFinishResult,
ClientRegistrationStartResult, RegistrationResponse,
};
/// Initiate the registration negotiation.
pub fn start_registration<R: RngCore + CryptoRng>(
password: &str,
rng: &mut R,
) -> AuthenticationResult<ClientRegistrationStartResult<DefaultSuite>> {
Ok(ClientRegistration::<DefaultSuite>::start(
rng,
password.as_bytes(),
)?)
}
/// Finalize the registration negotiation.
pub fn finish_registration<R: RngCore + CryptoRng>(
registration_start: ClientRegistration<DefaultSuite>,
registration_response: RegistrationResponse<DefaultSuite>,
rng: &mut R,
) -> AuthenticationResult<ClientRegistrationFinishResult<DefaultSuite>> {
Ok(registration_start.finish(
rng,
registration_response,
ClientRegistrationFinishParameters::default(),
)?)
}
}
/// Methods to login, from the client side.
pub mod login {
use super::*;
use opaque_ke::{
ClientLogin, ClientLoginFinishParameters, ClientLoginFinishResult,
ClientLoginStartParameters, ClientLoginStartResult, CredentialResponse,
};
/// Initiate the login negotiation.
pub fn start_login<R: RngCore + CryptoRng>(
password: &str,
rng: &mut R,
) -> AuthenticationResult<ClientLoginStartResult<DefaultSuite>> {
Ok(ClientLogin::<DefaultSuite>::start(
rng,
password.as_bytes(),
ClientLoginStartParameters::default(),
)?)
}
/// Finalize the client login negotiation.
pub fn finish_login(
login_start: ClientLogin<DefaultSuite>,
login_response: CredentialResponse<DefaultSuite>,
) -> AuthenticationResult<ClientLoginFinishResult<DefaultSuite>> {
Ok(login_start.finish(login_response, ClientLoginFinishParameters::default())?)
}
}
}
/// Server-side code for OPAQUE protocol handling, to register a new user and login. The
/// intermediate results must be sent to the client using the serialized `.message`.
#[cfg(feature = "opaque_server")]
pub mod server {
use super::*;
use opaque_ke::{keypair::Key, ServerRegistration};
/// Methods to register a new user, from the server side.
pub mod registration {
use super::*;
use opaque_ke::{RegistrationRequest, RegistrationUpload, ServerRegistrationStartResult};
/// Start a registration process, from a request sent by the client.
///
/// The result must be kept for the next step.
pub fn start_registration<R: RngCore + CryptoRng>(
rng: &mut R,
registration_request: RegistrationRequest<DefaultSuite>,
server_public_key: &Key,
) -> AuthenticationResult<ServerRegistrationStartResult<DefaultSuite>> {
Ok(ServerRegistration::<DefaultSuite>::start(
rng,
registration_request,
server_public_key,
)?)
}
/// Finish to register a new user, and get the data to store in the database.
pub fn get_password_file(
registration_start: ServerRegistration<DefaultSuite>,
registration_upload: RegistrationUpload<DefaultSuite>,
) -> AuthenticationResult<ServerRegistration<DefaultSuite>> {
Ok(registration_start.finish(registration_upload)?)
}
}
/// Methods to handle user login, from the server-side.
pub mod login {
use super::*;
use opaque_ke::{
CredentialFinalization, CredentialRequest, ServerLogin, ServerLoginFinishResult,
ServerLoginStartParameters, ServerLoginStartResult,
};
/// Start a login process, from a request sent by the client.
///
/// The result must be kept for the next step.
pub fn start_login<R: RngCore + CryptoRng>(
rng: &mut R,
password_file: ServerRegistration<DefaultSuite>,
server_private_key: &Key,
credential_request: CredentialRequest<DefaultSuite>,
) -> AuthenticationResult<ServerLoginStartResult<DefaultSuite>> {
Ok(ServerLogin::start(
rng,
password_file,
server_private_key,
credential_request,
ServerLoginStartParameters::default(),
)?)
}
/// Finish to authorize a new user, and get the session key to decrypt associated data.
pub fn finalize_login(
login_start: ServerLogin<DefaultSuite>,
credential_finalization: CredentialFinalization<DefaultSuite>,
) -> AuthenticationResult<ServerLoginFinishResult> {
Ok(login_start.finish(credential_finalization)?)
}
}
}