Merge pull request #9 from cryptomator/feature/gcm

GCM support

Author: tobihagemann

CryptomatorCryptoLib.xcodeproj/project.pbxproj

@@ -34,6 +34,8 @@
 		9E9BB81624558DFF00F9FF51 /* MasterkeyTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9E9BB81524558DFF00F9FF51 /* MasterkeyTests.swift */; };
 		9EB822C1248AF82200879838 /* AesCtr.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9EB822C0248AF82200879838 /* AesCtr.swift */; };
 		9EB822C3248AF9C500879838 /* AesCtrTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9EB822C2248AF9C500879838 /* AesCtrTests.swift */; };
+		9EBEC947283782E6002210DE /* CtrCryptorTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9EBEC946283782E6002210DE /* CtrCryptorTests.swift */; };
+		9EBEC94928378308002210DE /* GcmCryptorTests.swift in Sources */ = {isa = PBXBuildFile; fileRef = 9EBEC94828378308002210DE /* GcmCryptorTests.swift */; };
 /* End PBXBuildFile section */
 
 /* Begin PBXContainerItemProxy section */
@@ -97,6 +99,8 @@
 		9E9BB81524558DFF00F9FF51 /* MasterkeyTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = MasterkeyTests.swift; sourceTree = "<group>"; };
 		9EB822C0248AF82200879838 /* AesCtr.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AesCtr.swift; sourceTree = "<group>"; };
 		9EB822C2248AF9C500879838 /* AesCtrTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AesCtrTests.swift; sourceTree = "<group>"; };
+		9EBEC946283782E6002210DE /* CtrCryptorTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CtrCryptorTests.swift; sourceTree = "<group>"; };
+		9EBEC94828378308002210DE /* GcmCryptorTests.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = GcmCryptorTests.swift; sourceTree = "<group>"; };
 /* End PBXFileReference section */
 
 /* Begin PBXFrameworksBuildPhase section */
@@ -172,6 +176,8 @@
 				9E44EEA724599C7800A37B01 /* AesSivTests.swift */,
 				9E35C4EA24576A3D0006E50C /* CryptorTests.swift */,
 				74A5B57D25A86A69002D10F7 /* CryptoSupportMock.swift */,
+				9EBEC946283782E6002210DE /* CtrCryptorTests.swift */,
+				9EBEC94828378308002210DE /* GcmCryptorTests.swift */,
 				74A5B57525A869DD002D10F7 /* MasterkeyFileTests.swift */,
 				9E9BB81524558DFF00F9FF51 /* MasterkeyTests.swift */,
 			);
@@ -443,10 +449,12 @@
 			files = (
 				74A5B57E25A86A69002D10F7 /* CryptoSupportMock.swift in Sources */,
 				9E44EEA92459AB1500A37B01 /* AesSivTests.swift in Sources */,
+				9EBEC947283782E6002210DE /* CtrCryptorTests.swift in Sources */,
 				9EB822C3248AF9C500879838 /* AesCtrTests.swift in Sources */,
 				74A5B57625A869DD002D10F7 /* MasterkeyFileTests.swift in Sources */,
 				9E9BB81624558DFF00F9FF51 /* MasterkeyTests.swift in Sources */,
 				9E35C4EB24576A3D0006E50C /* CryptorTests.swift in Sources */,
+				9EBEC94928378308002210DE /* GcmCryptorTests.swift in Sources */,
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 		};
@@ -528,8 +536,8 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
-				MACOSX_DEPLOYMENT_TARGET = 10.12;
+				IPHONEOS_DEPLOYMENT_TARGET = 13.0;
+				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				MTL_ENABLE_DEBUG_INFO = INCLUDE_SOURCE;
 				MTL_FAST_MATH = YES;
 				ONLY_ACTIVE_ARCH = YES;
@@ -588,8 +596,8 @@
 				GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE;
 				GCC_WARN_UNUSED_FUNCTION = YES;
 				GCC_WARN_UNUSED_VARIABLE = YES;
-				IPHONEOS_DEPLOYMENT_TARGET = 9.0;
-				MACOSX_DEPLOYMENT_TARGET = 10.12;
+				IPHONEOS_DEPLOYMENT_TARGET = 13.0;
+				MACOSX_DEPLOYMENT_TARGET = 10.15;
 				MTL_ENABLE_DEBUG_INFO = NO;
 				MTL_FAST_MATH = YES;
 				OTHER_SWIFT_FLAGS = "-Xfrontend -warn-long-expression-type-checking=200 -Xfrontend -warn-long-function-bodies=200";

Package.swift

@@ -13,8 +13,8 @@ import PackageDescription
 let package = Package(
 	name: "CryptomatorCryptoLib",
 	platforms: [
-		.iOS(.v9),
-		.macOS(.v10_12)
+		.iOS(.v13),
+		.macOS(.v10_15)
 	],
 	products: [
 		.library(name: "CryptomatorCryptoLib", targets: ["CryptomatorCryptoLib"])

README.md

@@ -11,8 +11,8 @@ For more information on the Cryptomator encryption scheme, visit the security ar
 
 ## Requirements
 
-- iOS 9.0 or higher
-- macOS 10.12 or higher
+- iOS 13.0 or higher
+- macOS 10.15 or higher
 
 ## Installation
 
@@ -121,13 +121,16 @@ try MasterkeyFile.changePassphrase(masterkeyFileData: masterkeyFileData, oldPass
 
 #### Constructor
 
-Create a cryptor by providing a masterkey.
+Create a cryptor by providing a masterkey and a scheme (e.g., `.sivGcm`).
 
 ```swift
 let masterkey = ...
-let cryptor = Cryptor(masterkey: masterkey)
+let scheme = ...
+let cryptor = Cryptor(masterkey: masterkey, scheme: scheme)
 ```
 
+Make sure that the data you're working with is compatible with the provided scheme.
+
 #### Path Encryption and Decryption
 
 Encrypt the directory ID in order to determine the encrypted directory URL.
@@ -178,8 +181,9 @@ Please read our [contribution guide](.github/CONTRIBUTING.md), if you would like
 
 In general, the following preference is used to choose the implementation of cryptographic primitives:
 
-1. Apple Swift Crypto (HMAC)
-2. Apple CommonCrypto (AES-CTR, RFC 3394 Key Derivation)
+1. Apple CryptoKit (AES-GCM)
+2. Apple Swift Crypto (HMAC)
+3. Apple CommonCrypto (AES-CTR, RFC 3394 Key Derivation)
 
 This project uses [SwiftFormat](https://github.com/nicklockwood/SwiftFormat) and [SwiftLint](https://github.com/realm/SwiftLint) to enforce code style and conventions. Install these tools if you haven't already.
 

Sources/CryptomatorCryptoLib/ContentCryptor.swift

@@ -7,6 +7,7 @@
 //
 
 import CommonCrypto
+import CryptoKit
 import Foundation
 
 protocol ContentCryptor {
@@ -22,7 +23,7 @@ protocol ContentCryptor {
 	 - Parameter ad: Associated data, which needs to be authenticated during decryption.
 	 - Returns: Nonce/IV + ciphertext + MAC/tag, as a concatenated byte array.
 	 */
-	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]...) throws -> [UInt8]
+	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]) throws -> [UInt8]
 
 	/**
 	 Decrypts one single chunk of encrypted data.
@@ -32,7 +33,63 @@ protocol ContentCryptor {
 	 - Parameter ad: Associated data, which needs to be authenticated during decryption.
 	 - Returns: The original cleartext.
 	 */
-	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]...) throws -> [UInt8]
+	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]) throws -> [UInt8]
+
+	/**
+	 Constructs the associated data which will be authenticated during encryption/decryption of a single chunk
+
+	 - Parameter chunkNumber: The index of the chunk (starting at 0), preventing swapping of chunks
+	 - Parameter headerNonce: The nonce used in the file header, binding the chunk to this particular file.
+	 - Returns: The combined associated data.
+	 */
+	func ad(chunkNumber: UInt64, headerNonce: [UInt8]) -> [UInt8]
+}
+
+extension ContentCryptor {
+	func encryptHeader(_ header: [UInt8], key: [UInt8], nonce: [UInt8]) throws -> [UInt8] {
+		return try encrypt(header, key: key, nonce: nonce, ad: [])
+	}
+
+	func decryptHeader(_ header: [UInt8], key: [UInt8]) throws -> [UInt8] {
+		return try decrypt(header, key: key, ad: [])
+	}
+
+	func encryptChunk(_ chunk: [UInt8], chunkNumber: UInt64, chunkNonce: [UInt8], fileKey: [UInt8], headerNonce: [UInt8]) throws -> [UInt8] {
+		let ad = ad(chunkNumber: chunkNumber, headerNonce: headerNonce)
+		return try encrypt(chunk, key: fileKey, nonce: chunkNonce, ad: ad)
+	}
+
+	func decryptChunk(_ chunk: [UInt8], chunkNumber: UInt64, fileKey: [UInt8], headerNonce: [UInt8]) throws -> [UInt8] {
+		let ad = ad(chunkNumber: chunkNumber, headerNonce: headerNonce)
+		return try decrypt(chunk, key: fileKey, ad: ad)
+	}
+}
+
+class GcmContentCryptor: ContentCryptor {
+	let nonceLen = 12 // 96 bit
+	let tagLen = 16 // 128 bit
+
+	func ad(chunkNumber: UInt64, headerNonce: [UInt8]) -> [UInt8] {
+		return chunkNumber.bigEndian.byteArray() + headerNonce
+	}
+
+	func encrypt(_ chunk: [UInt8], key keyBytes: [UInt8], nonce nonceBytes: [UInt8], ad: [UInt8]) throws -> [UInt8] {
+		let key = SymmetricKey(data: keyBytes)
+		let nonce = try AES.GCM.Nonce(data: nonceBytes)
+		let encrypted = try AES.GCM.seal(chunk, using: key, nonce: nonce, authenticating: ad)
+
+		return [UInt8](encrypted.nonce + encrypted.ciphertext + encrypted.tag)
+	}
+
+	func decrypt(_ chunk: [UInt8], key keyBytes: [UInt8], ad: [UInt8]) throws -> [UInt8] {
+		assert(chunk.count >= nonceLen + tagLen, "ciphertext chunk must at least contain nonce + tag")
+
+		let key = SymmetricKey(data: keyBytes)
+		let encrypted = try AES.GCM.SealedBox(combined: chunk)
+		let decrypted = try AES.GCM.open(encrypted, using: key, authenticating: ad)
+
+		return [UInt8](decrypted)
+	}
 }
 
 class CtrThenHmacContentCryptor: ContentCryptor {
@@ -47,13 +104,17 @@ class CtrThenHmacContentCryptor: ContentCryptor {
 		self.cryptoSupport = cryptoSupport
 	}
 
-	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]...) throws -> [UInt8] {
+	func ad(chunkNumber: UInt64, headerNonce: [UInt8]) -> [UInt8] {
+		return headerNonce + chunkNumber.bigEndian.byteArray()
+	}
+
+	func encrypt(_ chunk: [UInt8], key: [UInt8], nonce: [UInt8], ad: [UInt8]) throws -> [UInt8] {
 		let ciphertext = try AesCtr.compute(key: key, iv: nonce, data: chunk)
 		let mac = computeHmac(ciphertext, nonce: nonce, ad: ad)
 		return nonce + ciphertext + mac
 	}
 
-	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]...) throws -> [UInt8] {
+	func decrypt(_ chunk: [UInt8], key: [UInt8], ad: [UInt8]) throws -> [UInt8] {
 		assert(chunk.count >= nonceLen + tagLen, "ciphertext chunk must at least contain nonce + tag")
 
 		// decompose chunk:
@@ -72,8 +133,8 @@ class CtrThenHmacContentCryptor: ContentCryptor {
 		return try AesCtr.compute(key: key, iv: chunkNonce, data: ciphertext)
 	}
 
-	private func computeHmac(_ ciphertext: [UInt8], nonce: [UInt8], ad: [[UInt8]]) -> [UInt8] {
-		let data = ad.reduce([UInt8](), +) + nonce + ciphertext
+	private func computeHmac(_ ciphertext: [UInt8], nonce: [UInt8], ad: [UInt8]) -> [UInt8] {
+		let data = ad + nonce + ciphertext
 		var mac = [UInt8](repeating: 0x00, count: tagLen)
 		CCHmac(CCHmacAlgorithm(kCCHmacAlgSHA256), macKey, macKey.count, data, data.count, &mac)
 		return mac

Sources/CryptomatorCryptoLib/Cryptor.swift

@@ -49,6 +49,11 @@ public extension InputStream {
 	}
 }
 
+public enum CryptorScheme: String, Codable {
+	case sivCtrMac = "SIV_CTRMAC"
+	case sivGcm = "SIV_GCM"
+}
+
 public enum FileNameEncoding: String {
 	case base64url
 	case base32
@@ -66,8 +71,8 @@ public class Cryptor {
 		return contentCryptor.nonceLen + fileHeaderPayloadSize + contentCryptor.tagLen
 	}
 
-	private let cleartextChunkSize = 32 * 1024
-	private var ciphertextChunkSize: Int {
+	let cleartextChunkSize = 32 * 1024
+	var ciphertextChunkSize: Int {
 		return contentCryptor.nonceLen + cleartextChunkSize + contentCryptor.tagLen
 	}
 
@@ -81,9 +86,15 @@ public class Cryptor {
 		self.contentCryptor = contentCryptor
 	}
 
-	public convenience init(masterkey: Masterkey) {
+	public convenience init(masterkey: Masterkey, scheme: CryptorScheme) {
 		let cryptoSupport = CryptoSupport()
-		let contentCryptor = CtrThenHmacContentCryptor(macKey: masterkey.macMasterKey, cryptoSupport: cryptoSupport)
+		let contentCryptor: ContentCryptor
+		switch scheme {
+		case .sivCtrMac:
+			contentCryptor = CtrThenHmacContentCryptor(macKey: masterkey.macMasterKey, cryptoSupport: cryptoSupport)
+		case .sivGcm:
+			contentCryptor = GcmContentCryptor()
+		}
 		self.init(masterkey: masterkey, cryptoSupport: cryptoSupport, contentCryptor: contentCryptor)
 	}
 
@@ -154,19 +165,19 @@ public class Cryptor {
 	// MARK: - File Header Encryption and Decryption
 
 	func createHeader() throws -> FileHeader {
-		let nonce = try cryptoSupport.createRandomBytes(size: kCCBlockSizeAES128)
+		let nonce = try cryptoSupport.createRandomBytes(size: contentCryptor.nonceLen)
 		let contentKey = try cryptoSupport.createRandomBytes(size: kCCKeySizeAES256)
 		return FileHeader(nonce: nonce, contentKey: contentKey)
 	}
 
 	func encryptHeader(_ header: FileHeader) throws -> [UInt8] {
 		let cleartext = [UInt8](repeating: 0xFF, count: fileHeaderLegacyPayloadSize) + header.contentKey
-		return try contentCryptor.encrypt(cleartext, key: masterkey.aesMasterKey, nonce: header.nonce)
+		return try contentCryptor.encryptHeader(cleartext, key: masterkey.aesMasterKey, nonce: header.nonce)
 	}
 
 	func decryptHeader(_ header: [UInt8]) throws -> FileHeader {
 		let nonce = [UInt8](header[0 ..< contentCryptor.nonceLen])
-		let cleartext = try contentCryptor.decrypt(header, key: masterkey.aesMasterKey)
+		let cleartext = try contentCryptor.decryptHeader(header, key: masterkey.aesMasterKey)
 		let contentKey = [UInt8](cleartext[fileHeaderLegacyPayloadSize...])
 		return FileHeader(nonce: nonce, contentKey: contentKey)
 	}
@@ -301,12 +312,12 @@ public class Cryptor {
 	}
 
 	func encryptSingleChunk(_ chunk: [UInt8], chunkNumber: UInt64, headerNonce: [UInt8], fileKey: [UInt8]) throws -> [UInt8] {
-		let chunkNonce = try cryptoSupport.createRandomBytes(size: kCCBlockSizeAES128)
-		return try contentCryptor.encrypt(chunk, key: fileKey, nonce: chunkNonce, ad: headerNonce, chunkNumber.bigEndian.byteArray())
+		let chunkNonce = try cryptoSupport.createRandomBytes(size: contentCryptor.nonceLen)
+		return try contentCryptor.encryptChunk(chunk, chunkNumber: chunkNumber, chunkNonce: chunkNonce, fileKey: fileKey, headerNonce: headerNonce)
 	}
 
 	func decryptSingleChunk(_ chunk: [UInt8], chunkNumber: UInt64, headerNonce: [UInt8], fileKey: [UInt8]) throws -> [UInt8] {
-		return try contentCryptor.decrypt(chunk, key: fileKey, ad: headerNonce, chunkNumber.bigEndian.byteArray())
+		return try contentCryptor.decryptChunk(chunk, chunkNumber: chunkNumber, fileKey: fileKey, headerNonce: headerNonce)
 	}
 
 	// MARK: - File Size Calculation