allow different AD order for GCM and CTR+HMAC

Author: overheadhunter

Sources/CryptomatorCryptoLib/ContentCryptor.swift

@@ -23,7 +23,7 @@ protocol ContentCryptor {
 	 - Parameter ad: Associated data, which needs to be authenticated during decryption.
 	 - Returns: Nonce/IV + ciphertext + MAC/tag, as a concatenated byte array.
 	 */
-	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]...) throws -> [UInt8]
+	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]) throws -> [UInt8]
 
 	/**
 	 Decrypts one single chunk of encrypted data.
@@ -33,29 +33,60 @@ protocol ContentCryptor {
 	 - Parameter ad: Associated data, which needs to be authenticated during decryption.
 	 - Returns: The original cleartext.
 	 */
-	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]...) throws -> [UInt8]
+	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]) throws -> [UInt8]
+
+	/**
+	 Constructs the associated data which will be authenticated during encryption/decryption of a single chunk
+
+	 - Parameter chunkNumber: The index of the chunk (starting at 0), preventing swapping of chunks
+	 - Parameter headerNonce: The nonce used in the file header, binding the chunk to this particular file.
+	 - Returns: The combined associated data.
+	 */
+	func ad(chunkNumber: UInt64, headerNonce: [UInt8]) -> [UInt8]
+}
+
+extension ContentCryptor {
+	func encryptHeader(_ header: [UInt8], key: [UInt8], nonce: [UInt8]) throws -> [UInt8] {
+		return try encrypt(header, key: key, nonce: nonce, ad: [])
+	}
+
+	func decryptHeader(_ header: [UInt8], key: [UInt8]) throws -> [UInt8] {
+		return try decrypt(header, key: key, ad: [])
+	}
+
+	func encryptChunk(_ chunk: [UInt8], chunkNumber: UInt64, chunkNonce: [UInt8], fileKey: [UInt8], headerNonce: [UInt8]) throws -> [UInt8] {
+		let ad = ad(chunkNumber: chunkNumber, headerNonce: headerNonce)
+		return try encrypt(chunk, key: fileKey, nonce: chunkNonce, ad: ad)
+	}
+
+	func decryptChunk(_ chunk: [UInt8], chunkNumber: UInt64, fileKey: [UInt8], headerNonce: [UInt8]) throws -> [UInt8] {
+		let ad = ad(chunkNumber: chunkNumber, headerNonce: headerNonce)
+		return try decrypt(chunk, key: fileKey, ad: ad)
+	}
 }
 
 class GcmContentCryptor: ContentCryptor {
 	let nonceLen = 12 // 96 bit
 	let tagLen = 16 // 128 bit
 
-	func encrypt(_ chunk: [UInt8], key keyBytes: [UInt8], nonce nonceBytes: [UInt8], ad: [UInt8]...) throws -> [UInt8] {
-		let concatAd = ad.reduce([], +)
+	func ad(chunkNumber: UInt64, headerNonce: [UInt8]) -> [UInt8] {
+		return chunkNumber.bigEndian.byteArray() + headerNonce
+	}
+
+	func encrypt(_ chunk: [UInt8], key keyBytes: [UInt8], nonce nonceBytes: [UInt8], ad: [UInt8]) throws -> [UInt8] {
 		let key = SymmetricKey(data: keyBytes)
 		let nonce = try AES.GCM.Nonce(data: nonceBytes)
-		let encrypted = try AES.GCM.seal(chunk, using: key, nonce: nonce, authenticating: concatAd)
+		let encrypted = try AES.GCM.seal(chunk, using: key, nonce: nonce, authenticating: ad)
 
 		return [UInt8](encrypted.nonce + encrypted.ciphertext + encrypted.tag)
 	}
 
-	func decrypt(_ chunk: [UInt8], key keyBytes: [UInt8], ad: [UInt8]...) throws -> [UInt8] {
+	func decrypt(_ chunk: [UInt8], key keyBytes: [UInt8], ad: [UInt8]) throws -> [UInt8] {
 		assert(chunk.count >= nonceLen + tagLen, "ciphertext chunk must at least contain nonce + tag")
 
-		let concatAd = ad.reduce([], +)
 		let key = SymmetricKey(data: keyBytes)
 		let encrypted = try AES.GCM.SealedBox(combined: chunk)
-		let decrypted = try AES.GCM.open(encrypted, using: key, authenticating: concatAd)
+		let decrypted = try AES.GCM.open(encrypted, using: key, authenticating: ad)
 
 		return [UInt8](decrypted)
 	}
@@ -73,13 +104,17 @@ class CtrThenHmacContentCryptor: ContentCryptor {
 		self.cryptoSupport = cryptoSupport
 	}
 
-	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]...) throws -> [UInt8] {
+	func ad(chunkNumber: UInt64, headerNonce: [UInt8]) -> [UInt8] {
+		return headerNonce + chunkNumber.bigEndian.byteArray()
+	}
+
+	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]) throws -> [UInt8] {
 		let ciphertext = try AesCtr.compute(key: key, iv: nonce, data: chunk)
 		let mac = computeHmac(ciphertext, nonce: nonce, ad: ad)
 		return nonce + ciphertext + mac
 	}
 
-	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]...) throws -> [UInt8] {
+	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]) throws -> [UInt8] {
 		assert(chunk.count >= nonceLen + tagLen, "ciphertext chunk must at least contain nonce + tag")
 
 		// decompose chunk:
@@ -98,8 +133,8 @@ class CtrThenHmacContentCryptor: ContentCryptor {
 		return try AesCtr.compute(key: key, iv: chunkNonce, data: ciphertext)
 	}
 
-	private func computeHmac(_ ciphertext: [UInt8], nonce: [UInt8], ad: [[UInt8]]) -> [UInt8] {
-		let data = ad.reduce([UInt8](), +) + nonce + ciphertext
+	private func computeHmac(_ ciphertext: [UInt8], nonce: [UInt8], ad: [UInt8]) -> [UInt8] {
+		let data = ad + nonce + ciphertext
 		var mac = [UInt8](repeating: 0x00, count: tagLen)
 		CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), macKey, macKey.count, data, data.count, &mac)
 		return mac

Sources/CryptomatorCryptoLib/Cryptor.swift

@@ -172,12 +172,12 @@ public class Cryptor {
 
 	func encryptHeader(_ header: FileHeader) throws -> [UInt8] {
 		let cleartext = [UInt8](repeating: 0xFF, count: fileHeaderLegacyPayloadSize) + header.contentKey
-		return try contentCryptor.encrypt(cleartext, key: masterkey.aesMasterKey, nonce: header.nonce)
+		return try contentCryptor.encryptHeader(cleartext, key: masterkey.aesMasterKey, nonce: header.nonce)
 	}
 
 	func decryptHeader(_ header: [UInt8]) throws -> FileHeader {
 		let nonce = [UInt8](header[0 ..< contentCryptor.nonceLen])
-		let cleartext = try contentCryptor.decrypt(header, key: masterkey.aesMasterKey)
+		let cleartext = try contentCryptor.decryptHeader(header, key: masterkey.aesMasterKey)
 		let contentKey = [UInt8](cleartext[fileHeaderLegacyPayloadSize...])
 		return FileHeader(nonce: nonce, contentKey: contentKey)
 	}
@@ -313,11 +313,11 @@ public class Cryptor {
 
 	func encryptSingleChunk(_ chunk: [UInt8], chunkNumber: UInt64, headerNonce: [UInt8], fileKey: [UInt8]) throws -> [UInt8] {
 		let chunkNonce = try cryptoSupport.createRandomBytes(size: contentCryptor.nonceLen)
-		return try contentCryptor.encrypt(chunk, key: fileKey, nonce: chunkNonce, ad: headerNonce, chunkNumber.bigEndian.byteArray())
+		return try contentCryptor.encryptChunk(chunk, chunkNumber: chunkNumber, chunkNonce: chunkNonce, fileKey: fileKey, headerNonce: headerNonce)
 	}
 
 	func decryptSingleChunk(_ chunk: [UInt8], chunkNumber: UInt64, headerNonce: [UInt8], fileKey: [UInt8]) throws -> [UInt8] {
-		return try contentCryptor.decrypt(chunk, key: fileKey, ad: headerNonce, chunkNumber.bigEndian.byteArray())
+		return try contentCryptor.decryptChunk(chunk, chunkNumber: chunkNumber, fileKey: fileKey, headerNonce: headerNonce)
 	}
 
 	// MARK: - File Size Calculation

Tests/CryptomatorCryptoLibTests/GcmCryptorTests.swift

@@ -72,4 +72,32 @@ class GcmCryptorTests: CryptorTests {
 		XCTAssertEqual([UInt8](repeating: 0xF0, count: 12), decrypted.nonce)
 		XCTAssertEqual([UInt8](repeating: 0xF0, count: 32), decrypted.contentKey)
 	}
+
+	func testDecryptSingleChunk() throws {
+		let headerNonce: [UInt8] = [
+			0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+			0x55, 0x55, 0x55, 0x55
+		]
+		let fileKey: [UInt8] = [
+			0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+			0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+			0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77,
+			0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77, 0x77
+		]
+		let ciphertext: [UInt8] = [
+			// nonce
+			0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55, 0x55,
+			0x55, 0x55, 0x55, 0x55,
+			// payload
+			0x52, 0xC5, 0xEE, 0x8D, 0x7F, 0xB4, 0x4E, 0xF2,
+			0x8A, 0xEC, 0x55,
+			// tag
+			0x3C, 0xC7, 0x02, 0x65, 0xE5, 0x35, 0x2C, 0xB5,
+			0xA0, 0x9A, 0x43, 0xAE, 0x0F, 0x5C, 0xA1, 0x5D
+		]
+
+		let cleartext = try cryptor.decryptSingleChunk(ciphertext, chunkNumber: 0, headerNonce: headerNonce, fileKey: fileKey)
+
+		XCTAssertEqual([UInt8]("hello world".utf8), cleartext)
+	}
 }