ddidderr/fcry
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: ddidderr/fcry:1ae56389fc611eb58e565a4f5180e3edc1126e19
Branches Tags
ddidderr/fcry:main
ddidderr/fcry:v0.12.0 ddidderr/fcry:v0.11.0
...
compare: ddidderr/fcry:898697016a30782189522e547e193aa564d083cf
Branches Tags
ddidderr/fcry:main
ddidderr/fcry:v0.12.0 ddidderr/fcry:v0.11.0

4 Commits
1ae56389fc ... 898697016a

Author SHA1 Message Date
ddidderr 898697016a refactor(secrets): back SecretBytes32/SecretVec with the secrets crate 
Replace the homegrown `region::lock` + `Zeroizing` wrappers with thin
adapters over `secrets::SecretBox` and `secrets::SecretVec`. The
upstream crate already provides everything the local types were doing
by hand (mlock, zero-on-drop) and adds protections we didn't have:
guard pages around the allocation and `mprotect`-based access control
(`PROT_NONE` at rest, `PROT_READ` during a borrow, `PROT_READ|WRITE`
during a mut borrow). Net result is a security upgrade, not just a
dependency swap.

Why a local adapter still exists
--------------------------------
`secrets::SecretVec` is fixed-length — no `push`. The tty passphrase
reader needs to append bytes one at a time without ever reallocating
(a panicking partial read must not leave stale plaintext on the heap),
so `SecretVec` keeps a separate logical `len` over a fixed protected
allocation of `MAX_PASSPHRASE_LEN` bytes. Bytes past `len` stay
zero-padding and are never exposed through `with_slice`.

API shape: closure-scoped borrows
---------------------------------
The previous `as_slice` / `as_array` returned long-lived `&[u8]`
references, which would have kept the upstream pages in `PROT_READ`
for the full lifetime of the borrow. The new API uses
`with_array(|s| ...)`, `with_mut_array(|s| ...)`, `with_slice(|s| ...)`
so the unprotected window is exactly the closure body. This is uglier
at call sites (notably the nested closures in `derive_key`) but it's
the right tradeoff — minimizing the unprotected window is the whole
point of using the crate.

AEAD key copy footnote
----------------------
`XChaCha20Poly1305::new` copies the key into its own (unprotected)
state, which then lives in the `aead` binding for the entire
encrypt/decrypt loop. This is unchanged from before — the cipher
state was never protected — but it's now called out explicitly with
a comment at both call sites noting that `chacha20poly1305` zeroizes
that internal copy on drop. Future readers shouldn't have to
rediscover this by reading upstream source.

`from_vec` zeroing
------------------
`SecretVec::from_vec(v: Vec<u8>)` is used on the env-var path. It
calls `secrets::SecretVec::from(&mut [u8])`, which (verified against
secrets-1.3.0: `Box::from` -> `transfer` -> `memtransfer`) copies the
bytes into protected storage and zeroes the source slice. The
original Vec's allocation is then released through the normal
allocator — the bytes inside it are zero, but the heap block itself
isn't specially handled. The doc comment on `from_vec` reflects this
precisely. As before, the env-var path also leaves a copy in the
process `environ` table, which is a known accepted leak.

Cargo.toml
----------
Use `protected-secrets = { package = "secrets", version = "1.3" }`
with default features. The `secrets` crate has no pure-Rust backend
at v1.3 — disabling default features only switches *how* libsodium
is linked (bundled `libsodium-sys` vs. the crate's own bindings to a
system libsodium), and can break builds where the chosen path isn't
set up. Defaults are correct here. The `region` dependency is
dropped.

Test plan
---------
- `cargo build` clean.
- `cargo test` — 2 unit + 18 integration tests pass, including
  `roundtrip_passphrase_argon2id` which exercises the full
  passphrase -> argon2id -> AEAD key path through the new wrappers.
- `cargo clippy` (and `--tests`, `--benches`) clean.
- `cargo +nightly fmt` applied.
 2026-05-02 19:14:42 +02:00
ddidderr fe65e1f899 feat!: argon2id passphrases, secret hardening, atomic output, manual STREAM 
This commit lands four follow-up items that were explicitly deferred in
TODO.md after the prior file-format change, plus a CLI/units cleanup
that fell out of reviewing them:

  1. Manual STREAM nonce construction (drops `stream` cargo feature).
  2. Atomic file output (`.tmp` + rename, with cleanup on failure).
  3. Argon2id KDF + passphrase prompt + matching CLI flags.
  4. Hardened secret handling: zeroize-on-drop, mlock'd buffers,
     custom cross-platform tty reader (replaces `rpassword`).

Why
---
The prior version had three concrete weaknesses that were fine for
"early development" but unacceptable past that point:

  * `--raw-key` was the only way to supply a key, exposing it in
    `/proc/$pid/cmdline`. There was no passphrase mode at all.
  * Crashes/aborts during encrypt could leave a half-written output
    file in place of (or replacing) the user's target.
  * Key material wasn't zeroed and could end up in swap or coredumps.
    rpassword's reallocating String buffers also leaked stale heap
    copies of typed passphrases that no `Zeroizing` wrapper could
    reach after the fact.

(1) Manual STREAM nonces
------------------------
Replaces `aead::stream::EncryptorBE32` / `DecryptorBE32` with
explicit `make_nonce(prefix, counter, last)` and direct
`XChaCha20Poly1305::{encrypt,decrypt}_in_place` calls. The wire format
is unchanged (XChaCha20Poly1305 STREAM-BE32 = 19-byte prefix || 4-byte
big-endian counter || 1-byte last-block flag), so files written by the
previous version still decrypt. Counter overflow is now an explicit
`Format` error rather than a panic in the upstream stream wrapper.

This removes the `stream` cargo feature from `chacha20poly1305` and
prepares the encrypt path for parallelism: with explicit nonces we can
hand chunks to a worker pool keyed by counter without the stream
wrapper's stateful API getting in the way.

(2) Atomic file output
----------------------
New `utils::OutSink` writes to `<path>.tmp`, calls `sync_all()` on
`commit()`, and renames into place. If dropped without commit (panic,
crypto/IO error, ctrl-C), the temp file is unlinked so the existing
target is untouched. Stdout output is unaffected (no temp dance).

A new integration test (`atomic_output_no_stale_tmp_on_failure`)
verifies that a failed decrypt leaves neither the final output nor
the temp file behind.

(3) Argon2id + passphrase
-------------------------
New `KdfParams::Argon2id { salt, m_cost, t_cost, p_cost }` variant
encoded into the header (and authenticated as AAD), so tampering with
KDF params fails authentication on every chunk.

CLI surface (BREAKING):
  * `--raw-key` is now optional; one of `--raw-key`, `--passphrase`,
    `--passphrase-env <VAR>` is required.
  * `--passphrase` prompts on the controlling terminal with echo off,
    and asks for confirmation when encrypting.
  * `--passphrase-env <VAR>` reads from a named env var; intended for
    non-interactive use (scripts, tests). The env-table copy is a
    known leak for that path.
  * `--argon-memory <MiB>` (default 1024 = 1 GiB), `--argon-passes`
    (default 2), `--argon-parallelism` (default 4). Names follow
    argon2 RFC 9106 terminology; memory is MiB rather than KiB to
    match how humans actually think about RAM. Defaults follow the
    "Balanced" preset for 2026-era hardware (~1.5–4 s on a laptop).
    The argon2 crate wants KiB internally, so the CLI value is
    multiplied by 1024 with overflow-check.

(4) Secret hardening
--------------------
New `secrets` module provides:

  * `SecretBytes32`: heap-allocated 32-byte buffer wrapped in
    `Zeroizing<[u8; 32]>` and mlock'd via the `region` crate.
    Field order ensures the lock guard drops *before* the buffer is
    freed (otherwise munlock would target freed memory).
  * `SecretVec`: fixed-capacity, mlock'd, zeroize-on-drop byte
    buffer. `push()` rejects writes past the reserved capacity so
    the underlying allocation never reallocates and moves — which
    would invalidate the lock and leave a stale unzeroed copy on
    the heap.
  * `read_passphrase_tty()`: direct tty reader. On Unix, opens
    `/dev/tty`, clears `ECHO` via `tcgetattr`/`tcsetattr` with an
    RAII guard that restores termios on drop. On Windows, opens
    `CONIN$`/`CONOUT$` and clears `ENABLE_ECHO_INPUT` via
    `Get/SetConsoleMode`. Reads byte-by-byte into a pre-reserved
    `SecretVec` (1024 bytes), so neither the Rust side nor the libc
    side reallocates during read. This replaces `rpassword`, which
    returned a `String` that grew by reallocation and left
    unzeroed copies of typed passphrases on the heap.

`PartialEq` on `SecretVec` is constant-time-ish (length check +
xor-or accumulate) so the confirmation comparison doesn't early-out
on the first differing byte.

`disable_core_dumps()` calls `setrlimit(CORE, 0)` on Unix; on
Windows it's a no-op (WER/minidump suppression is a per-machine
policy and intentionally not done here).

`Cli`'s secret-bearing fields are moved out into local bindings at
the top of `run()` and the `Cli` is explicitly dropped, so they
don't sit in the parsed struct for the rest of the function.
`Cli.raw_key` is `Option<Zeroizing<String>>` so the field we own
zeroes itself on drop. Clap's own intermediate copies during
parsing are an accepted leak.

Threat model — what is and isn't covered
-----------------------------------------
Covered (best-effort):
  * Secrets in coredumps                  → rlimit on Unix.
  * Secrets paged to swap or hibernation  → mlock on the AEAD key
                                            and passphrase buffer.
  * Half-written ciphertext on crash      → atomic rename.
  * Stale heap copies of typed passphrase → custom tty reader,
                                            pre-reserved buffer.
  * Stale stack/heap copies of the AEAD
    key or passphrase post-process-exit   → zeroize on drop.

Not covered (and not pretending to be):
  * Live-process attackers with ptrace or `/proc/$pid/mem` access.
  * The kernel's tty/line buffer.
  * Clap's transient String allocations during arg parsing.
  * The `environ` table copy of an env-var passphrase.
  * Swap on systems without functioning mlock or with
    `RLIMIT_MEMLOCK = 0`.

mlock is small (32 bytes + 1024 bytes — two pages at most on any
of the three target OSes), so it fits well under the typical
unprivileged `RLIMIT_MEMLOCK` of 64 KiB.

Portability
-----------
The whole binary targets Linux, macOS, and Windows 11 with the
same security properties where the OS supports them:

  * `region` crate provides cross-platform mlock/munlock.
  * `libc::tcgetattr`/`tcsetattr` covers Linux + macOS.
  * `windows-sys` covers Console API.
  * `rlimit` is gated to `cfg(unix)`.

The Windows tty path compiles in my head but is unverified on this
machine — there is no `x86_64-pc-windows-*` target installed and
no Windows runner. Treat that path as "best-effort, needs CI on
Windows" until exercised.

Files written by the previous v0.10 (Raw KDF, BE32 STREAM) are
still readable: the wire format is unchanged for that path.

Test plan
---------
Existing 17 integration tests pass unchanged. Two new tests:

  * `roundtrip_passphrase_argon2id` — encrypts and decrypts via
    `--passphrase-env` with cheap argon2 params (8 MiB / 1 pass) so
    the test stays fast; also verifies that a wrong passphrase
    fails.
  * `atomic_output_no_stale_tmp_on_failure` — wrong-key decrypt
    leaves neither the final file nor the `.tmp` in place.

Manual sanity (not automated): run with `--passphrase` on a
terminal and confirm echo is off and confirmation works.

Follow-ups (still in TODO.md)
-----------------------------
  * Multi-threaded encrypt pipeline (now feasible — manual nonces).
  * Length-committed mode + random-access decrypt fast path.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
 2026-05-02 18:26:44 +02:00
ddidderr 4eee8e7a95 feat!: add file-format header, configurable chunks, integration tests 
Introduce a self-describing on-disk format and use it to address several
shortcomings of the 0.9 file layout, where the file simply began with a
raw 19-byte STREAM nonce prefix and used a hardcoded 64 KiB chunk size.

What changed for users
----------------------
* fcry files now start with a 16-byte header: magic ("fcry"), version,
  algorithm id, flags, reserved byte, plaintext chunk_size (u32 LE),
  KDF id + params, then the 19-byte nonce prefix. The full encoded
  header is bound as AAD to every chunk, so tampering with chunk_size,
  algorithm id, nonce prefix, or any future KDF parameter causes
  authentication failure on every chunk -- not just the first.
* New `--chunk-size` CLI flag (encryption only). The decryptor reads
  the chunk size from the header, so files encrypted with a non-default
  size decrypt without the user having to remember it.
* Default plaintext chunk size raised from 64 KiB to 1 MiB.
* Bad input is now reported as an error instead of panicking: empty
  ciphertext, truncated final chunk, wrong magic, bad version, zero
  chunk_size, unknown algorithm id, and short --raw-key all return a
  non-zero exit status with a diagnostic on stderr.
* Empty plaintext now produces a valid (authenticated) empty
  ciphertext instead of panicking; the decryptor verifies it.
* `main` exits with status 1 on error (previously it printed and
  returned 0).

This is a breaking change to the file format: 0.9.x files have no magic
or header and cannot be read by 0.10.x. Version bumped to 0.10.0.

Why this approach
-----------------
The header-as-AAD pattern is the standard way to make file-format
metadata tamper-evident without a separate signature: any bit-flip in
the header propagates into every chunk's authentication tag check, so
an attacker cannot, for example, change chunk_size to mis-frame the
stream or downgrade the algorithm id.

Storing chunk_size in the header (rather than fixing it at compile
time) lets us experiment with chunk sizes without breaking decrypt
compatibility, and is preparation for the parallel-pipeline work in
Roadmap 1.0 where worker count and chunk size interact.

The KDF section is a tagged variant (currently only `Raw`) so that
adding Argon2id later only adds a new variant + its salt/cost fields;
existing files keep decrypting because they carry `kdf_id = 0`.

Other changes bundled in
------------------------
* Switch RNG from `rand` (0.10) to `getrandom` (0.3). We only need
  OS-provided random bytes for the nonce prefix; pulling in the full
  `rand` crate for one `OsRng.fill_bytes` call was overkill, and
  `rand` 0.10's `OsRng` API churn makes `getrandom` the cleaner fit.
* `FcryError` gains a `Format(String)` variant for header / framing
  errors and a `From<getrandom::Error>` impl (replacing the
  `rand::Error` impl).
* Drop the noisy `[reader]` / `[encrypt]` / `[decrypt]` stderr
  tracing prints and the `dbg!(&cli.raw_key)` (which leaked the key
  to stderr).
* Replace `unwrap()` on file open / create with `?` so I/O errors
  surface as structured `FcryError::Io` instead of aborting.
* Remove the unused `AheadReader::read_exact` wrapper -- the
  decryptor now reads the header through the underlying `BufRead`
  directly before wrapping it in `AheadReader`.

Tests
-----
Add `tests/roundtrip.rs` (assert_cmd + tempfile) covering: empty
input, single byte, sub-chunk, exact chunk, chunk+1, multi-chunk,
custom small chunk size (4096), pathological 1-byte chunk size,
stdin/stdout pipe mode, wrong key rejection, tampered header,
tampered ciphertext, truncated ciphertext, bad magic, short raw key,
and the header-is-authoritative property (encrypt with a weird chunk
size, decrypt without specifying one). Also adds a unit test in
`header.rs` for header encode/decode roundtrip and bad-magic rejection.

TODO.md trimmed to the concrete follow-up sequence (manual STREAM
nonces, secrets/rlimit, atomic output, argon2id KDF + prompt,
multi-threaded pipeline, length-committed mode).

Test plan
---------
* `cargo clippy && cargo clippy --tests` -- clean.
* `cargo +nightly fmt` -- no diff.
* `cargo test` -- 16 integration + 2 header unit tests pass.
* Manual: `echo hi | fcry --raw-key 0123456789abcdef0123456789abcdef
  | fcry -d --raw-key 0123456789abcdef0123456789abcdef` prints `hi`.

Trailers
--------
Refs: TODO.md (Roadmap 1.0 follow-up sequence)
Breaking-Change: file format; 0.9.x files cannot be decrypted by 0.10.x
 2026-05-02 17:22:47 +02:00
ddidderr 5e51b4bfe1 whatever 2026-05-02 16:20:20 +02:00
11 changed files with 1823 additions and 252 deletions
Expand all files Collapse all files
Cargo.lock
Generated
+470 -108
View File
@@ -1,6 +1,6 @@
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3
version = 4
[[package]]
name = "aead"
@@ -14,57 +14,127 @@ dependencies = [
[[package]]
name = "anstream"
version = "0.6.12"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "96b09b5178381e0874812a9b157f7fe84982617e48f71f4e3235482775e5b540"
checksum = "824a212faf96e9acacdbd09febd34438f8f711fb84e09a8916013cd7815ca28d"
dependencies = [
"anstyle",
"anstyle-parse",
"anstyle-query",
"anstyle-wincon",
"colorchoice",
"is_terminal_polyfill",
"utf8parse",
]
[[package]]
name = "anstyle"
version = "1.0.6"
version = "1.0.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8901269c6307e8d93993578286ac0edf7f195079ffff5ebdeea6a59ffb7e36bc"
checksum = "940b3a0ca603d1eade50a4846a2afffd5ef57a9feac2c0e2ec2e14f9ead76000"
[[package]]
name = "anstyle-parse"
version = "0.2.3"
version = "1.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c"
checksum = "52ce7f38b242319f7cabaa6813055467063ecdc9d355bbb4ce0c68908cd8130e"
dependencies = [
"utf8parse",
]
[[package]]
name = "anstyle-query"
version = "1.0.2"
version = "1.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648"
checksum = "40c48f72fd53cd289104fc64099abca73db4166ad86ea0b4341abe65af83dadc"
dependencies = [
"windows-sys",
"windows-sys 0.61.2",
]
[[package]]
name = "anstyle-wincon"
version = "3.0.2"
version = "3.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7"
checksum = "291e6a250ff86cd4a820112fb8898808a366d8f9f58ce16d1f538353ad55747d"
dependencies = [
"anstyle",
"windows-sys",
"once_cell_polyfill",
"windows-sys 0.61.2",
]
[[package]]
name = "argon2"
version = "0.5.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3c3610892ee6e0cbce8ae2700349fcf8f98adb0dbfbee85aec3c9179d29cc072"
dependencies = [
"base64ct",
"blake2",
"cpufeatures",
"password-hash",
]
[[package]]
name = "assert_cmd"
version = "2.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "39bae1d3fa576f7c6519514180a72559268dd7d1fe104070956cb687bc6673bd"
dependencies = [
"anstyle",
"bstr",
"libc",
"predicates",
"predicates-core",
"predicates-tree",
"wait-timeout",
]
[[package]]
name = "base64ct"
version = "1.8.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2af50177e190e07a26ab74f8b1efbfe2ef87da2116221318cb1c2e82baf7de06"
[[package]]
name = "bitflags"
version = "2.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c4512299f36f043ab09a583e57bceb5a5aab7a73db1805848e8fef3c9e8c78b3"
[[package]]
name = "blake2"
version = "0.10.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "46502ad458c9a52b69d4d4d32775c788b7a1b85e8bc9d482d92250fc0e3f8efe"
dependencies = [
"digest",
]
[[package]]
name = "block-buffer"
version = "0.10.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3078c7629b62d3f0439517fa394996acacc5cbc91c5a20d8c658e77abd503a71"
dependencies = [
"generic-array",
]
[[package]]
name = "bstr"
version = "1.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "63044e1ae8e69f3b5a92c736ca6269b8d12fa7efe39bf34ddb06d102cf0e2cab"
dependencies = [
"memchr",
"regex-automata",
"serde",
]
[[package]]
name = "cfg-if"
version = "1.0.0"
version = "1.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd"
checksum = "9330f8b2ff13f34540b44e946ef35111825727b38d33286ef986142615121801"
[[package]]
name = "chacha20"
@@ -103,9 +173,9 @@ dependencies = [
[[package]]
name = "clap"
version = "4.5.1"
version = "4.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c918d541ef2913577a0f9566e9ce27cb35b6df072075769e0b26cb5a554520da"
checksum = "1ddb117e43bbf7dacf0a4190fef4d345b9bad68dfc649cb349e7d17d28428e51"
dependencies = [
"clap_builder",
"clap_derive",
@@ -113,9 +183,9 @@ dependencies = [
[[package]]
name = "clap_builder"
version = "4.5.1"
version = "4.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9f3e7391dad68afb0c2ede1bf619f579a3dc9c2ec67f089baa397123a2f3d1eb"
checksum = "714a53001bf66416adb0e2ef5ac857140e7dc3a0c48fb28b2f10762fc4b5069f"
dependencies = [
"anstream",
"anstyle",
@@ -125,9 +195,9 @@ dependencies = [
[[package]]
name = "clap_derive"
version = "4.5.0"
version = "4.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "307bc0538d5f0f83b8248db3087aa92fe504e4691294d0c96c0eabc33f47ba47"
checksum = "f2ce8604710f6733aa641a2b3731eaa1e8b3d9973d5e3565da11800813f997a9"
dependencies = [
"heck",
"proc-macro2",
@@ -137,30 +207,30 @@ dependencies = [
[[package]]
name = "clap_lex"
version = "0.7.0"
version = "1.1.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce"
checksum = "c8d4a3bb8b1e0c1050499d1815f5ab16d04f0959b233085fb31653fbfc9d98f9"
[[package]]
name = "colorchoice"
version = "1.0.0"
version = "1.0.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
checksum = "1d07550c9036bf2ae0c684c4297d503f838287c83c53686d05370d0e139ae570"
[[package]]
name = "cpufeatures"
version = "0.2.12"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "53fe5e26ff1b7aef8bca9c6080520cfb8d9333c7568e1829cef191a9723e5504"
checksum = "59ed5838eebb26a2bb2e58f6d5b5316989ae9d08bab10e0e6d103e656d1b0280"
dependencies = [
"libc",
]
[[package]]
name = "crypto-common"
version = "0.1.6"
version = "0.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1bfb12502f3fc46cca1bb51ac28df9d618d813cdc3d2f25b9fe775a34af26bb3"
checksum = "78c8292055d1c1df0cce5d180393dc8cce0abec0a7102adb6c7b1eef6016d60a"
dependencies = [
"generic-array",
"rand_core",
@@ -168,12 +238,53 @@ dependencies = [
]
[[package]]
name = "fcry"
version = "0.9.0"
name = "difflib"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6184e33543162437515c2e2b48714794e37845ec9851711914eec9d308f6ebe8"
[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
"block-buffer",
"crypto-common",
"subtle",
]
[[package]]
name = "errno"
version = "0.3.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
dependencies = [
"libc",
"windows-sys 0.61.2",
]
[[package]]
name = "fastrand"
version = "2.4.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9f1f227452a390804cdb637b74a86990f2a7d7ba4b7d5693aac9b4dd6defd8d6"
[[package]]
name = "fcry"
version = "0.10.0"
dependencies = [
"argon2",
"assert_cmd",
"chacha20poly1305",
"clap",
"rand",
"getrandom 0.3.4",
"libc",
"rlimit",
"secrets",
"tempfile",
"windows-sys 0.59.0",
"zeroize",
]
[[package]]
@@ -188,9 +299,9 @@ dependencies = [
[[package]]
name = "getrandom"
version = "0.2.12"
version = "0.2.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "190092ea657667030ac6a35e305e62fc4dd69fd98ac98631e5d3a2b1575a12b5"
checksum = "ff2abc00be7fca6ebc474524697ae276ad847ad0a6b3faa4bcb027e9a4614ad0"
dependencies = [
"cfg-if",
"libc",
@@ -198,31 +309,100 @@ dependencies = [
]
[[package]]
name = "heck"
version = "0.4.1"
name = "getrandom"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "95505c38b4572b2d910cecb0281560f54b440a19336cbbcb27bf6ce6adc6f5a8"
checksum = "899def5c37c4fd7b2664648c28120ecec138e4d395b459e5ca34f9cce2dd77fd"
dependencies = [
"cfg-if",
"libc",
"r-efi",
"wasip2",
]
[[package]]
name = "heck"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2304e00983f87ffb38b55b444b5e3b60a884b5d30c0fca7d82fe33449bbe55ea"
[[package]]
name = "inout"
version = "0.1.3"
version = "0.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a0c10553d664a4d0bcff9f4215d0aac67a639cc68ef660840afe309b807bc9f5"
checksum = "879f10e63c20629ecabbb64a8010319738c66a5cd0c29b02d63d272b03751d01"
dependencies = [
"generic-array",
]
[[package]]
name = "libc"
version = "0.2.153"
name = "is_terminal_polyfill"
version = "1.70.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd"
checksum = "a6cb138bb79a146c1bd460005623e142ef0181e3d0219cb493e02f7d08a35695"
[[package]]
name = "libc"
version = "0.2.186"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68ab91017fe16c622486840e4c83c9a37afeff978bd239b5293d61ece587de66"
[[package]]
name = "linux-raw-sys"
version = "0.12.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32a66949e030da00e8c7d4434b251670a91556f4144941d37452769c25d58a53"
[[package]]
name = "memchr"
version = "2.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8ca58f447f06ed17d5fc4043ce1b10dd205e060fb3ce5b979b8ed8e59ff3f79"
[[package]]
name = "once_cell"
version = "1.21.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9f7c3e4beb33f85d45ae3e3a1792185706c8e16d043238c593331cc7cd313b50"
[[package]]
name = "once_cell_polyfill"
version = "1.70.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "384b8ab6d37215f3c5301a95a4accb5d64aa607f1fcb26a11b5303878451b4fe"
[[package]]
name = "opaque-debug"
version = "0.3.0"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "624a8340c38c1b80fd549087862da4ba43e08858af025b236e509b6649fc13d5"
checksum = "c08d65885ee38876c4f86fa503fb49d7b507c2b62552df7c70b2fce627e06381"
[[package]]
name = "page_size"
version = "0.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "30d5b2194ed13191c1999ae0704b7839fb18384fa22e49b57eeaa97d79ce40da"
dependencies = [
"libc",
"winapi",
]
[[package]]
name = "password-hash"
version = "0.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "346f04948ba92c43e8469c1ee6736c7563d71012b17d40745260fe106aac2166"
dependencies = [
"base64ct",
"rand_core",
"subtle",
]
[[package]]
name = "pkg-config"
version = "0.3.33"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "19f132c84eca552bf34cab8ec81f1c1dcc229b811638f9d283dceabe58c5569e"
[[package]]
name = "poly1305"
@@ -236,49 +416,55 @@ dependencies = [
]
[[package]]
name = "ppv-lite86"
version = "0.2.17"
name = "predicates"
version = "3.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5b40af805b3121feab8a3c29f04d8ad262fa8e0561883e7653e024ae4479e6de"
checksum = "ada8f2932f28a27ee7b70dd6c1c39ea0675c55a36879ab92f3a715eaa1e63cfe"
dependencies = [
"anstyle",
"difflib",
"predicates-core",
]
[[package]]
name = "predicates-core"
version = "1.0.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cad38746f3166b4031b1a0d39ad9f954dd291e7854fcc0eed52ee41a0b50d144"
[[package]]
name = "predicates-tree"
version = "1.0.13"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d0de1b847b39c8131db0467e9df1ff60e6d0562ab8e9a16e568ad0fdb372e2f2"
dependencies = [
"predicates-core",
"termtree",
]
[[package]]
name = "proc-macro2"
version = "1.0.78"
version = "1.0.106"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e2422ad645d89c99f8f3e6b88a9fdeca7fabeac836b1002371c4367c8f984aae"
checksum = "8fd00f0bb2e90d81d1044c2b32617f68fcb9fa3bb7640c23e9c748e53fb30934"
dependencies = [
"unicode-ident",
]
[[package]]
name = "quote"
version = "1.0.35"
version = "1.0.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "291ec9ab5efd934aaf503a6466c5d5251535d108ee747472c3977cc5acc868ef"
checksum = "41f2619966050689382d2b44f664f4bc593e129785a36d6ee376ddf37259b924"
dependencies = [
"proc-macro2",
]
[[package]]
name = "rand"
version = "0.8.5"
name = "r-efi"
version = "5.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "34af8d1a0e25924bc5b7c43c079c942339d8f0a8b57c39049bef581b46327404"
dependencies = [
"libc",
"rand_chacha",
"rand_core",
]
[[package]]
name = "rand_chacha"
version = "0.3.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "e6c10a63a0fa32252be49d21e7709d4d4baf8d231c2dbce1eaa8141b9b127d88"
dependencies = [
"ppv-lite86",
"rand_core",
]
checksum = "69cdb34c158ceb288df11e18b4bd39de994f6657d83847bdffdbd7f346754b0f"
[[package]]
name = "rand_core"
@@ -286,26 +472,95 @@ version = "0.6.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ec0be4795e2f6a28069bec0b5ff3e2ac9bafc99e6a9a7dc3547996c5c816922c"
dependencies = [
"getrandom",
"getrandom 0.2.17",
]
[[package]]
name = "regex-automata"
version = "0.4.14"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "6e1dd4122fc1595e8162618945476892eefca7b88c52820e74af6262213cae8f"
[[package]]
name = "rlimit"
version = "0.10.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7043b63bd0cd1aaa628e476b80e6d4023a3b50eb32789f2728908107bd0c793a"
dependencies = [
"libc",
]
[[package]]
name = "rustix"
version = "1.1.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b6fe4565b9518b83ef4f91bb47ce29620ca828bd32cb7e408f0062e9930ba190"
dependencies = [
"bitflags",
"errno",
"libc",
"linux-raw-sys",
"windows-sys 0.61.2",
]
[[package]]
name = "secrets"
version = "1.3.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "71f5325144404085953b8078fa4a0b4d224d13f17ee3854534260ad7ff3dfb5c"
dependencies = [
"libc",
"page_size",
"pkg-config",
"vcpkg",
]
[[package]]
name = "serde"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e"
dependencies = [
"serde_core",
]
[[package]]
name = "serde_core"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
version = "1.0.228"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
[[package]]
name = "strsim"
version = "0.11.0"
version = "0.11.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5ee073c9e4cd00e28217186dbe12796d692868f432bf2e97ee73bed0c56dfa01"
checksum = "7da8b5736845d9f2fcb837ea5d9e2628564b3b043a70948a3f0b778838c5fb4f"
[[package]]
name = "subtle"
version = "2.5.0"
version = "2.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
[[package]]
name = "syn"
version = "2.0.49"
version = "2.0.117"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "915aea9e586f80826ee59f8453c1101f9d1c4b3964cd2460185ee8e299ada496"
checksum = "e665b8803e7b1d2a727f4023456bbbbe74da67099c585258af0ad9c5013b9b99"
dependencies = [
"proc-macro2",
"quote",
@@ -313,16 +568,35 @@ dependencies = [
]
[[package]]
name = "typenum"
version = "1.17.0"
name = "tempfile"
version = "3.27.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "42ff0bf0c66b8238c6f3b578df37d0b7848e55df8577b3f74f92a69acceeb825"
checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
dependencies = [
"fastrand",
"getrandom 0.3.4",
"once_cell",
"rustix",
"windows-sys 0.61.2",
]
[[package]]
name = "termtree"
version = "0.5.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8f50febec83f5ee1df3015341d8bd429f2d1cc62bcba7ea2076759d315084683"
[[package]]
name = "typenum"
version = "1.20.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "40ce102ab67701b8526c123c1bab5cbe42d7040ccfd0f64af1a385808d2f43de"
[[package]]
name = "unicode-ident"
version = "1.0.12"
version = "1.0.24"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3354b9ac3fae1ff6755cb6db53683adb661634f67557942dea4facebec0fee4b"
checksum = "e6e4313cd5fcd3dad5cafa179702e2b244f760991f45397d14d4ebf38247da75"
[[package]]
name = "universal-hash"
@@ -336,40 +610,102 @@ dependencies = [
[[package]]
name = "utf8parse"
version = "0.2.1"
version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a"
checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
[[package]]
name = "vcpkg"
version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "accd4ea62f7bb7a82fe23066fb0957d48ef677f6eeb8215f372f52e48bb32426"
[[package]]
name = "version_check"
version = "0.9.4"
version = "0.9.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "49874b5167b65d7193b8aba1567f5c7d93d001cafc34600cee003eda787e483f"
checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a"
[[package]]
name = "wait-timeout"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "09ac3b126d3914f9849036f826e054cbabdc8519970b8998ddaf3b5bd3c65f11"
dependencies = [
"libc",
]
[[package]]
name = "wasi"
version = "0.11.0+wasi-snapshot-preview1"
version = "0.11.1+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423"
checksum = "ccf3ec651a847eb01de73ccad15eb7d99f80485de043efb2f370cd654f4ea44b"
[[package]]
name = "wasip2"
version = "1.0.3+wasi-0.2.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "20064672db26d7cdc89c7798c48a0fdfac8213434a1186e5ef29fd560ae223d6"
dependencies = [
"wit-bindgen",
]
[[package]]
name = "winapi"
version = "0.3.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "5c839a674fcd7a98952e593242ea400abe93992746761e38641405d28b00f419"
dependencies = [
"winapi-i686-pc-windows-gnu",
"winapi-x86_64-pc-windows-gnu",
]
[[package]]
name = "winapi-i686-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ac3b87c63620426dd9b991e5ce0329eff545bccbbb34f3be09ff6fb6ab51b7b6"
[[package]]
name = "winapi-x86_64-pc-windows-gnu"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "712e227841d057c1ee1cd2fb22fa7e5a5461ae8e48fa2ca79ec42cfc1931183f"
[[package]]
name = "windows-link"
version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0805222e57f7521d6a62e36fa9163bc891acd422f971defe97d64e70d0a4fe5"
[[package]]
name = "windows-sys"
version = "0.52.0"
version = "0.59.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
checksum = "1e38bc4d79ed67fd075bcc251a1c39b32a1776bbe92e5bef1f0bf1f8c531853b"
dependencies = [
"windows-targets",
]
[[package]]
name = "windows-targets"
version = "0.52.0"
name = "windows-sys"
version = "0.61.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "8a18201040b24831fbb9e4eb208f8892e1f50a37feb53cc7ff887feb8f50e7cd"
checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
dependencies = [
"windows-link",
]
[[package]]
name = "windows-targets"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
dependencies = [
"windows_aarch64_gnullvm",
"windows_aarch64_msvc",
"windows_i686_gnu",
"windows_i686_gnullvm",
"windows_i686_msvc",
"windows_x86_64_gnu",
"windows_x86_64_gnullvm",
@@ -378,48 +714,74 @@ dependencies = [
[[package]]
name = "windows_aarch64_gnullvm"
version = "0.52.0"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "cb7764e35d4db8a7921e09562a0304bf2f93e0a51bfccee0bd0bb0b666b015ea"
checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
[[package]]
name = "windows_aarch64_msvc"
version = "0.52.0"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bbaa0368d4f1d2aaefc55b6fcfee13f41544ddf36801e793edbbfd7d7df075ef"
checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
[[package]]
name = "windows_i686_gnu"
version = "0.52.0"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "a28637cb1fa3560a16915793afb20081aba2c92ee8af57b4d5f28e4b3e7df313"
checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
[[package]]
name = "windows_i686_gnullvm"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
[[package]]
name = "windows_i686_msvc"
version = "0.52.0"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ffe5e8e31046ce6230cc7215707b816e339ff4d4d67c65dffa206fd0f7aa7b9a"
checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
[[package]]
name = "windows_x86_64_gnu"
version = "0.52.0"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "3d6fa32db2bc4a2f5abeacf2b69f7992cd09dca97498da74a151a3132c26befd"
checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
[[package]]
name = "windows_x86_64_gnullvm"
version = "0.52.0"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a657e1e9d3f514745a572a6846d3c7aa7dbe1658c056ed9c3344c4109a6949e"
checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
[[package]]
name = "windows_x86_64_msvc"
version = "0.52.0"
version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "dff9641d1cd4be8d1a070daf9e3773c5f67e78b4d9d42263020c057706765c04"
checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
[[package]]
name = "wit-bindgen"
version = "0.57.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1ebf944e87a7c253233ad6766e082e3cd714b5d03812acc24c318f549614536e"
[[package]]
name = "zeroize"
version = "1.7.0"
version = "1.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
checksum = "b97154e67e32c85465826e8bcc1c59429aaaf107c1e4a9e53c8d8ccd5eff88d0"
dependencies = [
"zeroize_derive",
]
[[package]]
name = "zeroize_derive"
version = "1.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "85a5b4158499876c763cb03bc4e49185d3cccbabb15b33c627f7884f43db852e"
dependencies = [
"proc-macro2",
"quote",
"syn",
]
Cargo.toml
+23 -4
View File
@@ -1,13 +1,32 @@
[package]
authors = ["ddidderr <ddidderr@paul.network>"]
edition = "2021"
edition = "2024"
name = "fcry"
version = "0.9.0"
version = "0.10.0"
[dependencies]
chacha20poly1305 = {version = "0.10", features = ["stream"]}
argon2 = "0.5"
chacha20poly1305 = "0.10"
clap = {version = "4", features = ["derive"]}
rand = {version = "0.8"}
getrandom = {version = "0.3"}
protected-secrets = {package = "secrets", version = "1.3"}
zeroize = {version = "1", features = ["derive"]}
[target.'cfg(unix)'.dependencies]
libc = "0.2"
rlimit = "0.10"
[target.'cfg(windows)'.dependencies]
windows-sys = {version = "0.59", features = [
"Win32_System_Console",
"Win32_Foundation",
"Win32_Storage_FileSystem",
"Win32_Security",
]}
[dev-dependencies]
assert_cmd = "2"
tempfile = "3"
[profile.release]
lto = false
TODO.md
+3 -28
View File
@@ -1,28 +1,3 @@
# Roadmap 1.0
## Summary
Make the program real-world usable and stable.
## Knowledge and Design
* understand `encrypt_next_in_place()`'s first argument better
* current understanding:
* associated data is used for parts of the data that cannot be
encrypted but should also be integrity protected by the authentication tag
* since there are no parts that cannot be encrypted in the context of `fcry` it is correct
to pass an empty slice to the first argument of `encrypt_next_in_place()`
* currently `fcry` uses 64 KiB blocks as single AEAD messages
* as stated [here](https://pycryptodome.readthedocs.io/en/latest/src/cipher/chacha20_poly1305.html) (limit of 13 billion messages) would imply a maximum file-size of `64 KiB * 13e9 = 832e9 KiB = 774.86 TiB`. While a file this size could be considered a special (and unsupported) use case anyway, performance is also a consideration. Does performance improve noticably with larger message sizes?
* unit tests
## Features
* password hashing
* configurable algorithm (sane default)
* configurable nr of rounds (sand default)
* a way to enter the password securely in a prompt while still being able to handle `stdin` data
* add usage examples to README.md
# Roadmap 2.0
* parallel processing: use all available (or configurable) CPU cores
# Roadmap later or never
* split into `lib` and `bin`
* other AEAD algorithms
**Deferred to follow-up commits** (in order):
1. Multi-threaded pipeline (worker pool + ordered writer)
2. Length-committed mode + random-access decrypt fast path for files
src/crypto.rs
+126 -54
View File
@@ -1,104 +1,176 @@
// SPDX-License-Identifier: GPL-3.0-only
use chacha20poly1305::{aead::stream, KeyInit, XChaCha20Poly1305};
use rand::{rngs::OsRng, RngCore};
use chacha20poly1305::{KeyInit, XChaCha20Poly1305, XNonce, aead::AeadInPlace};
use std::io::Write;
use crate::error::*;
use crate::reader::ReadInfo;
use crate::utils::BUFSIZE;
use crate::header::{AlgId, Header, KdfParams, NONCE_PREFIX_LEN, TAG_LEN};
use crate::reader::{AheadReader, ReadInfoChunk};
use crate::secrets::{SecretBytes32, SecretVec};
use crate::utils::*;
/// XChaCha20Poly1305 nonce: 24 bytes total. STREAM splits the trailing 5 bytes
/// into a 4-byte big-endian counter and a 1-byte "last block" flag.
const NONCE_LEN: usize = 24;
const COUNTER_LEN: usize = 4;
const _: () = assert!(NONCE_PREFIX_LEN + COUNTER_LEN + 1 == NONCE_LEN);
fn make_nonce(prefix: &[u8; NONCE_PREFIX_LEN], counter: u32, last: bool) -> XNonce {
let mut n = [0u8; NONCE_LEN];
n[..NONCE_PREFIX_LEN].copy_from_slice(prefix);
n[NONCE_PREFIX_LEN..NONCE_PREFIX_LEN + COUNTER_LEN].copy_from_slice(&counter.to_be_bytes());
n[NONCE_LEN - 1] = u8::from(last);
XNonce::from(n)
}
/// Derive (or unwrap) the 32-byte AEAD key from KDF parameters and an optional passphrase.
/// For `KdfParams::Raw`, `raw_key` must be supplied.
/// For `KdfParams::Argon2id`, `passphrase` must be supplied.
pub fn derive_key(
kdf: &KdfParams,
raw_key: Option<&SecretBytes32>,
passphrase: Option<&SecretVec>,
) -> Result<SecretBytes32, FcryError> {
let mut out = SecretBytes32::zeroed();
match kdf {
KdfParams::Raw => {
let raw =
raw_key.ok_or_else(|| FcryError::Format("raw kdf requires --raw-key".into()))?;
raw.with_array(|raw| out.with_mut_array(|out| out.copy_from_slice(raw)));
}
KdfParams::Argon2id {
salt,
m_cost,
t_cost,
p_cost,
} => {
let pw = passphrase
.ok_or_else(|| FcryError::Format("argon2id kdf requires a passphrase".into()))?;
let params = argon2::Params::new(*m_cost, *t_cost, *p_cost, Some(32))?;
let argon =
argon2::Argon2::new(argon2::Algorithm::Argon2id, argon2::Version::V0x13, params);
pw.with_slice(|pw| out.with_mut_array(|out| argon.hash_password_into(pw, salt, out)))?;
}
}
Ok(out)
}
pub fn encrypt<S: AsRef<str>>(
input_file: Option<S>,
output_file: Option<S>,
key: [u8; 32],
key: &SecretBytes32,
chunk_size: u32,
kdf: KdfParams,
) -> Result<(), FcryError> {
let mut f_plain = read_from_file_or_stdin(input_file, BUFSIZE);
let mut f_encrypted = write_to_file_or_stdout(output_file);
let chunk_sz = chunk_size as usize;
let mut f_plain = AheadReader::from(open_input(input_file)?, chunk_sz);
let mut f_encrypted = OutSink::open(output_file)?;
let mut nonce = [0u8; 19];
OsRng.fill_bytes(&mut nonce);
let mut nonce_prefix = [0u8; NONCE_PREFIX_LEN];
getrandom::fill(&mut nonce_prefix)?;
// let key = XChaCha20Poly1305::generate_key(&mut OsRng);
let header = Header {
alg: AlgId::XChaCha20Poly1305,
flags: 0,
chunk_size,
kdf,
nonce_prefix,
};
let aad = header.encode();
f_encrypted.write_all(&aad)?;
f_encrypted.write_all(&nonce)?;
// The AEAD keeps its own unprotected key copy while the loop runs.
// chacha20poly1305 zeroizes that copy on drop.
let aead = key.with_array(|key| XChaCha20Poly1305::new(key.into()));
let aead = XChaCha20Poly1305::new(&key.into());
let mut stream_encryptor = stream::EncryptorBE32::from_aead(aead, &nonce.into());
let mut buf = vec![0; BUFSIZE];
let mut buf = vec![0u8; chunk_sz];
let mut counter: u32 = 0;
loop {
let read_result = f_plain.read_ahead(&mut buf)?;
match read_result {
ReadInfo::NormalChunk(n) => {
assert_eq!(n, BUFSIZE);
assert_eq!(buf.len(), BUFSIZE);
eprintln!("[encrypt]: read normal chunk");
stream_encryptor.encrypt_next_in_place(&[], &mut buf)?;
match f_plain.read_ahead(&mut buf)? {
ReadInfoChunk::Normal(_) => {
let nonce = make_nonce(&nonce_prefix, counter, false);
aead.encrypt_in_place(&nonce, &aad, &mut buf)?;
f_encrypted.write_all(&buf)?;
// buf grows after encrypt_next_in_place because of tag that is added
// we shrink it to the BUFSIZE in order to read the correct size
buf.truncate(BUFSIZE);
buf.truncate(chunk_sz);
counter = counter.checked_add(1).ok_or_else(|| {
FcryError::Format("STREAM counter overflow (input too large)".into())
})?;
}
ReadInfo::LastChunk(n) => {
eprintln!("[encrypt]: read last chunk");
ReadInfoChunk::Last(n) => {
buf.truncate(n);
stream_encryptor.encrypt_last_in_place(&[], &mut buf)?;
let nonce = make_nonce(&nonce_prefix, counter, true);
aead.encrypt_in_place(&nonce, &aad, &mut buf)?;
f_encrypted.write_all(&buf)?;
break;
}
ReadInfo::EmptyChunk => {
eprintln!("[encrypt]: read empty chunk");
panic!("[ERROR] Empty Chunk while reading");
ReadInfoChunk::Empty => {
// Empty plaintext: still emit a final "last" tag so the decryptor
// authenticates the (empty) stream rather than silently producing nothing.
buf.clear();
let nonce = make_nonce(&nonce_prefix, counter, true);
aead.encrypt_in_place(&nonce, &aad, &mut buf)?;
f_encrypted.write_all(&buf)?;
break;
}
}
}
f_encrypted.commit()?;
Ok(())
}
pub fn decrypt<S: AsRef<str>>(
input_file: Option<S>,
output_file: Option<S>,
key: [u8; 32],
raw_key: Option<&SecretBytes32>,
passphrase: Option<&SecretVec>,
) -> Result<(), FcryError> {
let mut f_encrypted = read_from_file_or_stdin(input_file, BUFSIZE + 16);
let mut f_plain = write_to_file_or_stdout(output_file);
let mut reader = open_input(input_file)?;
let header = Header::read(&mut reader)?;
let aad = header.encode();
let mut nonce = [0u8; 19];
f_encrypted.read_exact(&mut nonce)?;
let key = derive_key(&header.kdf, raw_key, passphrase)?;
let aead = XChaCha20Poly1305::new(&key.into());
let mut stream_decryptor = stream::DecryptorBE32::from_aead(aead, &nonce.into());
let chunk_sz = header.chunk_size as usize;
let cipher_chunk = chunk_sz + TAG_LEN;
let mut buf = vec![0; BUFSIZE + 16];
let mut f_encrypted = AheadReader::from(reader, cipher_chunk);
let mut f_plain = OutSink::open(output_file)?;
// The AEAD keeps its own unprotected key copy while the loop runs.
// chacha20poly1305 zeroizes that copy on drop.
let aead = key.with_array(|key| XChaCha20Poly1305::new(key.into()));
let mut buf = vec![0u8; cipher_chunk];
let mut counter: u32 = 0;
loop {
let read_result = f_encrypted.read_ahead(&mut buf)?;
match read_result {
ReadInfo::NormalChunk(n) => {
assert_eq!(n, BUFSIZE + 16);
eprintln!("[decrypt]: read normal chunk");
stream_decryptor.decrypt_next_in_place(&[], &mut buf)?;
match f_encrypted.read_ahead(&mut buf)? {
ReadInfoChunk::Normal(_) => {
let nonce = make_nonce(&header.nonce_prefix, counter, false);
aead.decrypt_in_place(&nonce, &aad, &mut buf)?;
f_plain.write_all(&buf)?;
buf.resize(BUFSIZE + 16, 0);
buf.resize(cipher_chunk, 0);
counter = counter
.checked_add(1)
.ok_or_else(|| FcryError::Format("STREAM counter overflow".into()))?;
}
ReadInfo::LastChunk(n) => {
eprintln!("[decrypt]: read last chunk");
ReadInfoChunk::Last(n) => {
buf.truncate(n);
stream_decryptor.decrypt_last_in_place(&[], &mut buf)?;
let nonce = make_nonce(&header.nonce_prefix, counter, true);
aead.decrypt_in_place(&nonce, &aad, &mut buf)?;
f_plain.write_all(&buf)?;
break;
}
ReadInfo::EmptyChunk => {
eprintln!("[decrypt]: read empty chunk");
panic!("Empty Chunk while reading");
ReadInfoChunk::Empty => {
return Err(FcryError::Format(
"truncated ciphertext: missing final chunk".into(),
));
}
}
}
f_plain.commit()?;
Ok(())
}
src/error.rs
+13 -3
View File
@@ -3,11 +3,15 @@
use chacha20poly1305::aead;
use std::io;
#[allow(dead_code)]
#[derive(Debug)]
pub enum FcryError {
Io(io::Error),
Crypto(aead::Error),
Rng(rand::Error),
Rng(getrandom::Error),
Format(String),
Kdf(String),
Passphrase(String),
}
impl From<io::Error> for FcryError {
@@ -22,8 +26,14 @@ impl From<aead::Error> for FcryError {
}
}
impl From<rand::Error> for FcryError {
fn from(e: rand::Error) -> Self {
impl From<getrandom::Error> for FcryError {
fn from(e: getrandom::Error) -> Self {
FcryError::Rng(e)
}
}
impl From<argon2::Error> for FcryError {
fn from(e: argon2::Error) -> Self {
FcryError::Kdf(e.to_string())
}
}
src/header.rs
+223
View File
@@ -0,0 +1,223 @@
// SPDX-License-Identifier: GPL-3.0-only
//! On-disk file format for fcry.
//!
//! Layout:
//! ```text
//! magic "fcry" 4 bytes
//! version u8 1
//! alg_id u8 1
//! flags u8 1
//! reserved u8 1 (must be 0)
//! chunk_size u32 LE 4 (plaintext bytes per chunk)
//! kdf_id u8 1
//! kdf_params variable (depends on kdf_id)
//! nonce_prefix [u8; 19] 19 (STREAM nonce prefix)
//! --- end of header ---
//! chunk[0..N] each chunk_size + 16 bytes,
//! last may be shorter
//! ```
//!
//! The full encoded header is fed as AAD to every chunk, so any tampering
//! with chunk_size, nonce_prefix, kdf params, etc. causes authentication
//! failure on every chunk.
use std::io::Read;
use crate::error::FcryError;
const MAGIC: [u8; 4] = *b"fcry";
const VERSION: u8 = 1;
pub const NONCE_PREFIX_LEN: usize = 19;
pub const TAG_LEN: usize = 16;
#[repr(u8)]
#[derive(Copy, Clone, Debug, PartialEq, Eq)]
pub enum AlgId {
XChaCha20Poly1305 = 1,
}
impl AlgId {
fn from_u8(v: u8) -> Result<Self, FcryError> {
match v {
1 => Ok(Self::XChaCha20Poly1305),
_ => Err(FcryError::Format(format!("unknown alg id: {v}"))),
}
}
}
pub const ARGON2_SALT_LEN: usize = 16;
/// Key-derivation parameters stored in the header.
///
/// `Raw` means the key was supplied directly (no KDF). `Argon2id` carries
/// the salt and cost parameters needed to redo derivation on decrypt.
#[derive(Clone, Debug)]
pub enum KdfParams {
Raw,
Argon2id {
salt: [u8; ARGON2_SALT_LEN],
m_cost: u32,
t_cost: u32,
p_cost: u32,
},
}
impl KdfParams {
fn id(&self) -> u8 {
match self {
Self::Raw => 0,
Self::Argon2id { .. } => 1,
}
}
fn write_into(&self, out: &mut Vec<u8>) {
match self {
Self::Raw => {}
Self::Argon2id {
salt,
m_cost,
t_cost,
p_cost,
} => {
out.extend_from_slice(salt);
out.extend_from_slice(&m_cost.to_le_bytes());
out.extend_from_slice(&t_cost.to_le_bytes());
out.extend_from_slice(&p_cost.to_le_bytes());
}
}
}
fn read_from(id: u8, r: &mut impl Read) -> Result<Self, FcryError> {
match id {
0 => Ok(Self::Raw),
1 => {
let mut salt = [0u8; ARGON2_SALT_LEN];
r.read_exact(&mut salt)?;
let mut buf = [0u8; 4];
r.read_exact(&mut buf)?;
let m_cost = u32::from_le_bytes(buf);
r.read_exact(&mut buf)?;
let t_cost = u32::from_le_bytes(buf);
r.read_exact(&mut buf)?;
let p_cost = u32::from_le_bytes(buf);
Ok(Self::Argon2id {
salt,
m_cost,
t_cost,
p_cost,
})
}
_ => Err(FcryError::Format(format!("unknown kdf id: {id}"))),
}
}
}
#[derive(Clone, Debug)]
pub struct Header {
pub alg: AlgId,
pub flags: u8,
pub chunk_size: u32,
pub kdf: KdfParams,
pub nonce_prefix: [u8; NONCE_PREFIX_LEN],
}
impl Header {
pub fn encode(&self) -> Vec<u8> {
let mut out = Vec::with_capacity(64);
out.extend_from_slice(&MAGIC);
out.push(VERSION);
out.push(self.alg as u8);
out.push(self.flags);
out.push(0); // reserved
out.extend_from_slice(&self.chunk_size.to_le_bytes());
out.push(self.kdf.id());
self.kdf.write_into(&mut out);
out.extend_from_slice(&self.nonce_prefix);
out
}
pub fn read(r: &mut impl Read) -> Result<Self, FcryError> {
let mut magic = [0u8; 4];
r.read_exact(&mut magic)?;
if magic != MAGIC {
return Err(FcryError::Format("not an fcry file (bad magic)".into()));
}
let mut fixed = [0u8; 4];
r.read_exact(&mut fixed)?;
let [version, alg_id, flags, reserved] = fixed;
if version != VERSION {
return Err(FcryError::Format(format!("unsupported version: {version}")));
}
if reserved != 0 {
return Err(FcryError::Format("reserved byte must be zero".into()));
}
let alg = AlgId::from_u8(alg_id)?;
let mut chunk_size_bytes = [0u8; 4];
r.read_exact(&mut chunk_size_bytes)?;
let chunk_size = u32::from_le_bytes(chunk_size_bytes);
if chunk_size == 0 {
return Err(FcryError::Format("chunk_size must be > 0".into()));
}
let mut kdf_id = [0u8; 1];
r.read_exact(&mut kdf_id)?;
let kdf = KdfParams::read_from(kdf_id[0], r)?;
let mut nonce_prefix = [0u8; NONCE_PREFIX_LEN];
r.read_exact(&mut nonce_prefix)?;
Ok(Self {
alg,
flags,
chunk_size,
kdf,
nonce_prefix,
})
}
}
#[cfg(test)]
mod tests {
use super::*;
use std::io::Cursor;
#[test]
fn roundtrip() {
let h = Header {
alg: AlgId::XChaCha20Poly1305,
flags: 0,
chunk_size: 1024 * 1024,
kdf: KdfParams::Raw,
nonce_prefix: [7u8; NONCE_PREFIX_LEN],
};
let bytes = h.encode();
let mut cur = Cursor::new(&bytes);
let parsed = Header::read(&mut cur).unwrap();
assert_eq!(parsed.alg, h.alg);
assert_eq!(parsed.flags, h.flags);
assert_eq!(parsed.chunk_size, h.chunk_size);
assert_eq!(parsed.nonce_prefix, h.nonce_prefix);
assert_eq!(cur.position() as usize, bytes.len());
}
#[test]
fn rejects_bad_magic() {
let mut bytes = Header {
alg: AlgId::XChaCha20Poly1305,
flags: 0,
chunk_size: 4096,
kdf: KdfParams::Raw,
nonce_prefix: [0u8; NONCE_PREFIX_LEN],
}
.encode();
bytes[0] ^= 1;
assert!(matches!(
Header::read(&mut Cursor::new(&bytes)),
Err(FcryError::Format(_))
));
}
}
src/main.rs
+150 -13
View File
@@ -2,13 +2,19 @@
mod crypto;
mod error;
mod header;
mod reader;
mod secrets;
mod utils;
use crypto::*;
use error::FcryError;
use header::{ARGON2_SALT_LEN, KdfParams};
use secrets::{SecretBytes32, SecretVec, read_passphrase_tty};
use utils::DEFAULT_CHUNK_SIZE;
use clap::Parser;
use zeroize::Zeroizing;
/// fcry - [f]ile[cry]pt: A file en-/decryption tool for easy use
#[derive(Parser, Debug)]
@@ -27,33 +33,164 @@ struct Cli {
#[clap(short, long)]
output_file: Option<String>,
/// The raw bytes of the crypto key.
/// Has to be exactly 32 bytes
/// *** DANGEROUS, use for testing purposes only! ***
/// The raw bytes of the crypto key. Has to be exactly 32 bytes.
/// *** DANGEROUS: visible in process listings (ps/proc). Testing only. ***
#[clap(short, long, conflicts_with_all = ["passphrase", "passphrase_env"])]
raw_key: Option<Zeroizing<String>>,
/// Read passphrase interactively (terminal). Implies argon2id KDF on encrypt.
#[clap(short, long)]
raw_key: String,
passphrase: bool,
/// Read passphrase from the named environment variable (for non-interactive use).
/// Implies argon2id KDF on encrypt. Mutually exclusive with --passphrase.
#[clap(long, conflicts_with = "passphrase")]
passphrase_env: Option<String>,
/// Plaintext chunk size in bytes (encryption only; decryption reads it from the header).
#[clap(long, default_value_t = DEFAULT_CHUNK_SIZE)]
chunk_size: u32,
/// Argon2id memory in MiB (encryption only). Default: 1024 (= 1 GiB).
#[clap(long, default_value_t = 1024)]
argon_memory: u32,
/// Argon2id passes / iterations (encryption only).
#[clap(long, default_value_t = 2)]
argon_passes: u32,
/// Argon2id parallelism / lanes (encryption only).
#[clap(long, default_value_t = 4)]
argon_parallelism: u32,
}
fn run(cli: Cli) -> Result<(), FcryError> {
let input_file = cli.input_file;
let output_file = cli.output_file;
fn parse_raw_key(s: &str) -> Result<SecretBytes32, FcryError> {
let raw = s.as_bytes();
if raw.len() != 32 {
return Err(FcryError::Format(format!(
"raw_key must be exactly 32 bytes, got {}",
raw.len()
)));
}
let mut key = SecretBytes32::zeroed();
key.with_mut_array(|key| key.copy_from_slice(raw));
Ok(key)
}
let mut key = [0u8; 32];
dbg!(&cli.raw_key);
key.clone_from_slice(cli.raw_key.as_bytes());
/// Source of a passphrase: either the terminal or a named env var.
enum PassphraseSource {
Tty,
EnvVar(String),
}
if cli.decrypt {
decrypt(input_file, output_file, key)?
fn read_passphrase(src: &PassphraseSource, confirm: bool) -> Result<SecretVec, FcryError> {
match src {
PassphraseSource::EnvVar(var) => {
// Take the env value, then immediately copy it into upstream
// protected storage. The source Vec is zeroed after the copy.
// Note: a copy still exists in the process `environ` table; that is
// a known and accepted leak for the env-var path.
let v = std::env::var(var).map_err(|_| {
FcryError::Passphrase(format!("environment variable {var} not set or not unicode"))
})?;
Ok(SecretVec::from_vec(v.into_bytes()))
}
PassphraseSource::Tty => {
let pw = read_passphrase_tty("Passphrase: ")
.map_err(|e| FcryError::Passphrase(e.to_string()))?;
if confirm {
let pw2 = read_passphrase_tty("Confirm passphrase: ")
.map_err(|e| FcryError::Passphrase(e.to_string()))?;
if pw != pw2 {
return Err(FcryError::Passphrase("passphrases do not match".into()));
}
// pw2 dropped here -> zeroized + unlocked by the upstream crate.
}
Ok(pw)
}
}
}
/// Best-effort: prevent secrets from landing in a core dump.
#[cfg(unix)]
fn disable_core_dumps() {
use rlimit::Resource;
let _ = rlimit::setrlimit(Resource::CORE, 0, 0);
}
#[cfg(not(unix))]
fn disable_core_dumps() {
// Windows doesn't have rlimit-style core dumps. WER (Windows Error Reporting)
// and minidumps would be the analogue; disabling those requires per-machine
// policy and is intentionally not done here.
}
fn run(mut cli: Cli) -> Result<(), FcryError> {
// Move the secret-bearing fields out of `Cli` immediately so they don't
// sit in the parsed struct for the rest of the function.
let raw_key_str: Option<Zeroizing<String>> = cli.raw_key.take();
let pw_src: Option<PassphraseSource> = if cli.passphrase {
Some(PassphraseSource::Tty)
} else {
encrypt(input_file, output_file, key)?
cli.passphrase_env.take().map(PassphraseSource::EnvVar)
};
let decrypt_mode = cli.decrypt;
let input = cli.input_file.take();
let output = cli.output_file.take();
let chunk_size = cli.chunk_size;
let argon_memory = cli.argon_memory;
let argon_passes = cli.argon_passes;
let argon_parallelism = cli.argon_parallelism;
drop(cli);
if pw_src.is_none() && raw_key_str.is_none() {
return Err(FcryError::Format(
"must provide one of --raw-key, --passphrase, --passphrase-env".into(),
));
}
if decrypt_mode {
let raw_key = match raw_key_str.as_deref() {
Some(s) => Some(parse_raw_key(s)?),
None => None,
};
let pw = match &pw_src {
Some(src) => Some(read_passphrase(src, false)?),
None => None,
};
decrypt(input, output, raw_key.as_ref(), pw.as_ref())?;
} else {
let (key, kdf) = if let Some(src) = &pw_src {
let mut salt = [0u8; ARGON2_SALT_LEN];
getrandom::fill(&mut salt)?;
let m_cost_kib = argon_memory.checked_mul(1024).ok_or_else(|| {
FcryError::Format("argon-memory too large (overflow when converting to KiB)".into())
})?;
let kdf = KdfParams::Argon2id {
salt,
m_cost: m_cost_kib,
t_cost: argon_passes,
p_cost: argon_parallelism,
};
let pw = read_passphrase(src, true)?;
let key = derive_key(&kdf, None, Some(&pw))?;
(key, kdf)
} else {
let key = parse_raw_key(raw_key_str.as_deref().unwrap())?;
(key, KdfParams::Raw)
};
encrypt(input, output, &key, chunk_size, kdf)?;
}
Ok(())
}
fn main() {
disable_core_dumps();
let cli = Cli::parse();
if let Err(e) = run(cli) {
eprintln!("Error: {:?}", e);
std::process::exit(1);
}
}
src/reader.rs
+12 -21
View File
@@ -3,10 +3,10 @@
use std::io;
use std::io::{BufRead, Read};
pub enum ReadInfo {
NormalChunk(usize),
LastChunk(usize),
EmptyChunk,
pub enum ReadInfoChunk {
Normal(#[allow(dead_code)] usize),
Last(usize),
Empty,
}
pub struct AheadReader {
@@ -46,27 +46,18 @@ impl AheadReader {
Ok(total)
}
pub fn read_ahead(&mut self, userbuf: &mut [u8]) -> io::Result<ReadInfo> {
// 1st read
pub fn read_ahead(&mut self, userbuf: &mut [u8]) -> io::Result<ReadInfoChunk> {
if self.bufsz == 0 {
eprintln!("[reader] first read");
return self.first_read(userbuf);
}
eprintln!("[reader] normal read");
// normal read (not the 1st one)
self.normal_read(userbuf)
}
pub fn read_exact(&mut self, userbuf: &mut [u8]) -> io::Result<()> {
self.inner.read_exact(userbuf)
}
fn first_read(&mut self, userbuf: &mut [u8]) -> io::Result<ReadInfo> {
fn first_read(&mut self, userbuf: &mut [u8]) -> io::Result<ReadInfoChunk> {
// 1st read directly to userbuf (we have no cached data yet)
let n = self.read_until_full(userbuf)?;
if n == 0 {
return Ok(ReadInfo::EmptyChunk);
return Ok(ReadInfoChunk::Empty);
}
// 2nd read directly into our internal buf
@@ -75,13 +66,13 @@ impl AheadReader {
self.buf = tmp;
self.bufsz = n2;
if n2 == 0 {
return Ok(ReadInfo::LastChunk(n));
return Ok(ReadInfoChunk::Last(n));
}
Ok(ReadInfo::NormalChunk(n))
Ok(ReadInfoChunk::Normal(n))
}
fn normal_read(&mut self, userbuf: &mut [u8]) -> io::Result<ReadInfo> {
fn normal_read(&mut self, userbuf: &mut [u8]) -> io::Result<ReadInfoChunk> {
// copy internal buf to userbuf
userbuf.copy_from_slice(&self.buf);
let userbuf_sz = self.bufsz;
@@ -92,9 +83,9 @@ impl AheadReader {
self.buf = tmp;
self.bufsz = n2;
if n2 == 0 {
return Ok(ReadInfo::LastChunk(userbuf_sz));
return Ok(ReadInfoChunk::Last(userbuf_sz));
}
Ok(ReadInfo::NormalChunk(userbuf_sz))
Ok(ReadInfoChunk::Normal(userbuf_sz))
}
}
src/secrets.rs
+260
View File
@@ -0,0 +1,260 @@
// SPDX-License-Identifier: GPL-3.0-only
//! Secret-handling primitives.
//!
//! Thin local adapters around the upstream `secrets` crate plus a
//! cross-platform passphrase reader:
//!
//! * [`SecretBytes32`] — heap-allocated 32-byte buffer protected by
//! `secrets::SecretBox`.
//! * [`SecretVec`] — fixed-allocation byte buffer protected by
//! `secrets::SecretVec`, with a separate logical length so tty input can be
//! appended without reallocations.
//! * [`read_passphrase_tty`] — direct tty reader (Linux/macOS termios,
//! Windows Console API). Reads into a pre-reserved `SecretVec` so no
//! reallocation can leave stale unzeroed copies on the heap.
use std::io;
use protected_secrets::{SecretBox as ProtectedSecretBox, SecretVec as ProtectedSecretVec};
/// Maximum passphrase length we accept on the tty.
/// Pre-reserved so the underlying Vec never reallocates while reading.
pub const MAX_PASSPHRASE_LEN: usize = 1024;
/// Heap-allocated 32-byte secret protected by the upstream `secrets` crate.
pub struct SecretBytes32 {
inner: ProtectedSecretBox<[u8; 32]>,
}
impl SecretBytes32 {
pub fn zeroed() -> Self {
Self {
inner: ProtectedSecretBox::zero(),
}
}
pub fn with_array<R>(&self, f: impl FnOnce(&[u8; 32]) -> R) -> R {
let inner = self.inner.borrow();
f(&inner)
}
pub fn with_mut_array<R>(&mut self, f: impl FnOnce(&mut [u8; 32]) -> R) -> R {
let mut inner = self.inner.borrow_mut();
f(&mut inner)
}
}
/// Heap-allocated byte buffer with **fixed capacity** protected by upstream
/// `secrets::SecretVec`.
///
/// Upstream `SecretVec` is fixed-length, so this adapter stores a separate
/// logical length. Bytes after `len` remain zero-filled padding and are never
/// exposed through [`SecretVec::with_slice`].
pub struct SecretVec {
inner: ProtectedSecretVec<u8>,
len: usize,
}
impl SecretVec {
/// Allocate a protected buffer with fixed `capacity`.
pub fn with_capacity(capacity: usize) -> Self {
Self {
inner: ProtectedSecretVec::zero(capacity),
len: 0,
}
}
/// Copy bytes from an already-allocated `Vec<u8>` into protected storage.
/// The upstream conversion zeroes the source bytes after copying; the
/// allocation itself is then released normally when the Vec is dropped.
pub fn from_vec(mut v: Vec<u8>) -> Self {
let len = v.len();
Self {
inner: ProtectedSecretVec::from(&mut v[..]),
len,
}
}
pub fn push(&mut self, b: u8) -> io::Result<()> {
if self.len >= self.inner.len() {
return Err(io::Error::new(
io::ErrorKind::InvalidInput,
"secret buffer full",
));
}
{
let mut inner = self.inner.borrow_mut();
inner[self.len] = b;
}
self.len += 1;
Ok(())
}
pub fn with_slice<R>(&self, f: impl FnOnce(&[u8]) -> R) -> R {
let inner = self.inner.borrow();
f(&inner[..self.len])
}
}
impl PartialEq for SecretVec {
fn eq(&self, other: &Self) -> bool {
// Constant-time-ish: length still leaks, but contents do not early-out.
if self.len != other.len {
return false;
}
let a = self.inner.borrow();
let b = other.inner.borrow();
let mut diff: u8 = 0;
for (x, y) in a[..self.len].iter().zip(b[..other.len].iter()) {
diff |= x ^ y;
}
diff == 0
}
}
// ============================================================================
// tty passphrase reader
// ============================================================================
/// Read a passphrase from the controlling terminal with echo disabled.
///
/// Bytes go directly into a pre-reserved `SecretVec` so no reallocation can
/// leave stale heap copies. CR is skipped, LF terminates the line.
/// Returns an error if the input exceeds `MAX_PASSPHRASE_LEN` bytes.
pub fn read_passphrase_tty(prompt: &str) -> io::Result<SecretVec> {
imp::read_passphrase_tty(prompt)
}
#[cfg(unix)]
mod imp {
use super::{MAX_PASSPHRASE_LEN, SecretVec};
use std::fs::OpenOptions;
use std::io::{self, Read, Write};
use std::os::unix::io::AsRawFd;
/// RAII guard that restores the original termios on drop.
struct TermiosGuard {
fd: i32,
orig: libc::termios,
}
impl Drop for TermiosGuard {
fn drop(&mut self) {
unsafe {
libc::tcsetattr(self.fd, libc::TCSANOW, &self.orig);
}
}
}
pub fn read_passphrase_tty(prompt: &str) -> io::Result<SecretVec> {
let mut tty = OpenOptions::new().read(true).write(true).open("/dev/tty")?;
let fd = tty.as_raw_fd();
let mut orig: libc::termios = unsafe { std::mem::zeroed() };
if unsafe { libc::tcgetattr(fd, &mut orig) } != 0 {
return Err(io::Error::last_os_error());
}
let mut new = orig;
// Disable echo of typed characters; keep ECHONL so the final newline
// is shown when the user presses Enter (cosmetic).
new.c_lflag &= !libc::ECHO;
new.c_lflag |= libc::ECHONL;
if unsafe { libc::tcsetattr(fd, libc::TCSANOW, &new) } != 0 {
return Err(io::Error::last_os_error());
}
let _guard = TermiosGuard { fd, orig };
write!(tty, "{prompt}")?;
tty.flush()?;
let mut buf = SecretVec::with_capacity(MAX_PASSPHRASE_LEN);
let mut byte = [0u8; 1];
loop {
match tty.read(&mut byte) {
Ok(0) => break, // EOF
Ok(_) => match byte[0] {
b'\n' => break,
b'\r' => continue,
b => buf.push(b)?,
},
Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
Err(e) => return Err(e),
}
}
Ok(buf)
}
}
#[cfg(windows)]
mod imp {
use super::{MAX_PASSPHRASE_LEN, SecretVec};
use std::fs::OpenOptions;
use std::io::{self, Read, Write};
use std::os::windows::io::AsRawHandle;
use windows_sys::Win32::Foundation::HANDLE;
use windows_sys::Win32::System::Console::{
ENABLE_ECHO_INPUT, ENABLE_LINE_INPUT, ENABLE_PROCESSED_INPUT, GetConsoleMode,
SetConsoleMode,
};
struct ConsoleModeGuard {
handle: HANDLE,
orig: u32,
}
impl Drop for ConsoleModeGuard {
fn drop(&mut self) {
unsafe {
SetConsoleMode(self.handle, self.orig);
}
}
}
pub fn read_passphrase_tty(prompt: &str) -> io::Result<SecretVec> {
let mut tty_in = OpenOptions::new().read(true).write(true).open("CONIN$")?;
let mut tty_out = OpenOptions::new().write(true).open("CONOUT$")?;
let h_in = tty_in.as_raw_handle() as HANDLE;
let mut orig_mode: u32 = 0;
if unsafe { GetConsoleMode(h_in, &mut orig_mode) } == 0 {
return Err(io::Error::last_os_error());
}
let new_mode =
(orig_mode | ENABLE_LINE_INPUT | ENABLE_PROCESSED_INPUT) & !ENABLE_ECHO_INPUT;
if unsafe { SetConsoleMode(h_in, new_mode) } == 0 {
return Err(io::Error::last_os_error());
}
let _guard = ConsoleModeGuard {
handle: h_in,
orig: orig_mode,
};
write!(tty_out, "{prompt}")?;
tty_out.flush()?;
let mut buf = SecretVec::with_capacity(MAX_PASSPHRASE_LEN);
let mut byte = [0u8; 1];
loop {
match tty_in.read(&mut byte) {
Ok(0) => break,
Ok(_) => match byte[0] {
b'\n' => break,
b'\r' => continue,
b => buf.push(b)?,
},
Err(e) if e.kind() == io::ErrorKind::Interrupted => continue,
Err(e) => return Err(e),
}
}
// Echo was off, so emit a newline so the next shell prompt is on a fresh line.
let _ = writeln!(tty_out);
let _ = tty_out.flush();
Ok(buf)
}
}
src/utils.rs
+105 -21
View File
@@ -1,31 +1,115 @@
// SPDX-License-Identifier: GPL-3.0-only
use crate::reader::AheadReader;
use std::fs::{self, File};
use std::io::{self, BufRead, BufReader, Write};
use std::path::PathBuf;
use std::io::BufReader;
use std::{
fs::File,
io::{self, Write},
};
/// Default plaintext chunk size: 1 MiB.
///
/// Stored in the header per file, so callers may override via CLI without
/// breaking older files (the decryptor reads the size from the header).
pub const DEFAULT_CHUNK_SIZE: u32 = 1024 * 1024;
pub const BUFSIZE: usize = 64 * 1024; // 64 KiB
pub(crate) fn open_input<S: AsRef<str>>(input_file: Option<S>) -> io::Result<Box<dyn BufRead>> {
Ok(match input_file {
Some(f) => Box::new(BufReader::new(File::open(f.as_ref())?)),
None => Box::new(io::stdin().lock()),
})
}
pub(crate) fn read_from_file_or_stdin<S: AsRef<str>>(
input_file: Option<S>,
bufsz: usize,
) -> AheadReader {
match input_file {
Some(f) => AheadReader::from(
Box::new(BufReader::new(File::open(f.as_ref()).unwrap())),
bufsz,
),
None => AheadReader::from(Box::new(io::stdin().lock()), bufsz),
/// Output sink that supports atomic file replacement.
///
/// For file outputs: bytes are written to `<path>.tmp`. On `commit()`, the
/// temp file is renamed into place. If dropped without commit (panic, error,
/// process exit), the temp file is deleted so a partial/garbage file does
/// not replace any existing target.
///
/// For stdout: behaves as a passthrough; `commit()` is a no-op.
pub enum OutSink {
Stdout(io::Stdout),
File {
tmp_path: PathBuf,
final_path: PathBuf,
file: Option<File>,
committed: bool,
},
}
impl OutSink {
pub fn open<S: AsRef<str>>(output_file: Option<S>) -> io::Result<Self> {
match output_file {
None => Ok(Self::Stdout(io::stdout())),
Some(f) => {
let final_path = PathBuf::from(f.as_ref());
let mut tmp_path = final_path.clone();
let name = tmp_path
.file_name()
.map(|n| n.to_os_string())
.unwrap_or_default();
let mut tmp_name = name;
tmp_name.push(".tmp");
tmp_path.set_file_name(tmp_name);
let file = File::create(&tmp_path)?;
Ok(Self::File {
tmp_path,
final_path,
file: Some(file),
committed: false,
})
}
}
}
pub fn commit(mut self) -> io::Result<()> {
if let Self::File {
tmp_path,
final_path,
file,
committed,
} = &mut self
{
if let Some(mut f) = file.take() {
f.flush()?;
f.sync_all()?;
}
fs::rename(&*tmp_path, &*final_path)?;
*committed = true;
}
Ok(())
}
}
pub(crate) fn write_to_file_or_stdout<S: AsRef<str>>(output_file: Option<S>) -> Box<dyn Write> {
match output_file {
Some(f) => Box::new(File::create(f.as_ref()).unwrap()),
None => Box::new(io::stdout()),
impl Write for OutSink {
fn write(&mut self, buf: &[u8]) -> io::Result<usize> {
match self {
Self::Stdout(s) => s.write(buf),
Self::File { file, .. } => file.as_mut().expect("file taken before commit").write(buf),
}
}
fn flush(&mut self) -> io::Result<()> {
match self {
Self::Stdout(s) => s.flush(),
Self::File { file, .. } => match file.as_mut() {
Some(f) => f.flush(),
None => Ok(()),
},
}
}
}
impl Drop for OutSink {
fn drop(&mut self) {
if let Self::File {
tmp_path,
committed,
file,
..
} = self
&& !*committed
{
file.take(); // close the file before unlink
let _ = fs::remove_file(tmp_path);
}
}
}
tests/roundtrip.rs
+438
View File
@@ -0,0 +1,438 @@
// SPDX-License-Identifier: GPL-3.0-only
//
// Integration tests for the `fcry` binary.
//
// These exercise the CLI as a black box: encrypt then decrypt and check that
// plaintext bytes are preserved, plus a handful of failure cases (tampering,
// wrong key, truncation, bad magic).
use std::fs;
use std::io::Write;
use std::process::{Command, Stdio};
use assert_cmd::cargo::CommandCargoExt;
use tempfile::TempDir;
const KEY: &[u8; 32] = b"0123456789abcdef0123456789abcdef";
const KEY_STR: &str = "0123456789abcdef0123456789abcdef";
fn fcry() -> Command {
Command::cargo_bin("fcry").unwrap()
}
/// Deterministic pseudo-random plaintext of `n` bytes (xorshift, seedable).
/// We avoid `/dev/urandom` so tests are reproducible on failure.
fn pseudo_random(seed: u64, n: usize) -> Vec<u8> {
let mut s = seed.wrapping_add(0x9E3779B97F4A7C15);
let mut out = Vec::with_capacity(n);
while out.len() < n {
s ^= s << 13;
s ^= s >> 7;
s ^= s << 17;
out.extend_from_slice(&s.to_le_bytes());
}
out.truncate(n);
out
}
fn encrypt_file(plain: &std::path::Path, ct: &std::path::Path, chunk_size: Option<u32>) {
let mut cmd = fcry();
cmd.arg("-i")
.arg(plain)
.arg("-o")
.arg(ct)
.arg("--raw-key")
.arg(KEY_STR);
if let Some(cs) = chunk_size {
cmd.arg("--chunk-size").arg(cs.to_string());
}
let out = cmd.output().unwrap();
assert!(
out.status.success(),
"encrypt failed: {}",
String::from_utf8_lossy(&out.stderr)
);
}
fn decrypt_file(ct: &std::path::Path, rt: &std::path::Path) {
let out = fcry()
.arg("-d")
.arg("-i")
.arg(ct)
.arg("-o")
.arg(rt)
.arg("--raw-key")
.arg(KEY_STR)
.output()
.unwrap();
assert!(
out.status.success(),
"decrypt failed: {}",
String::from_utf8_lossy(&out.stderr)
);
}
fn roundtrip_with_size(plaintext_size: usize, chunk_size: Option<u32>) {
let dir = TempDir::new().unwrap();
let plain = dir.path().join("plain.bin");
let ct = dir.path().join("ct.bin");
let rt = dir.path().join("rt.bin");
let data = pseudo_random(plaintext_size as u64, plaintext_size);
fs::write(&plain, &data).unwrap();
encrypt_file(&plain, &ct, chunk_size);
decrypt_file(&ct, &rt);
let got = fs::read(&rt).unwrap();
assert_eq!(got, data, "roundtrip mismatch at size {plaintext_size}");
}
#[test]
fn roundtrip_empty() {
roundtrip_with_size(0, None);
}
#[test]
fn roundtrip_one_byte() {
roundtrip_with_size(1, None);
}
#[test]
fn roundtrip_smaller_than_chunk() {
roundtrip_with_size(100, None);
}
#[test]
fn roundtrip_exactly_one_chunk() {
roundtrip_with_size(1024 * 1024, None);
}
#[test]
fn roundtrip_just_over_one_chunk() {
roundtrip_with_size(1024 * 1024 + 1, None);
}
#[test]
fn roundtrip_multi_chunk() {
roundtrip_with_size(5 * 1024 * 1024 + 12345, None);
}
#[test]
fn roundtrip_custom_small_chunk_size() {
// forces many chunks for a small input
roundtrip_with_size(50_000, Some(4096));
}
#[test]
fn roundtrip_chunk_size_one_byte() {
// pathological but should still work
roundtrip_with_size(257, Some(1));
}
#[test]
fn roundtrip_pipe_stdin_stdout() {
let data = pseudo_random(42, 200_000);
let mut enc = fcry()
.arg("--raw-key")
.arg(KEY_STR)
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()
.unwrap();
enc.stdin.as_mut().unwrap().write_all(&data).unwrap();
let enc_out = enc.wait_with_output().unwrap();
assert!(
enc_out.status.success(),
"pipe encrypt failed: {}",
String::from_utf8_lossy(&enc_out.stderr)
);
let mut dec = fcry()
.arg("-d")
.arg("--raw-key")
.arg(KEY_STR)
.stdin(Stdio::piped())
.stdout(Stdio::piped())
.stderr(Stdio::piped())
.spawn()
.unwrap();
dec.stdin
.as_mut()
.unwrap()
.write_all(&enc_out.stdout)
.unwrap();
let dec_out = dec.wait_with_output().unwrap();
assert!(
dec_out.status.success(),
"pipe decrypt failed: {}",
String::from_utf8_lossy(&dec_out.stderr)
);
assert_eq!(dec_out.stdout, data);
}
#[test]
fn rejects_wrong_key() {
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
let ct = dir.path().join("c.bin");
fs::write(&plain, pseudo_random(1, 1000)).unwrap();
encrypt_file(&plain, &ct, None);
let wrong = "ffffffffffffffffffffffffffffffff";
assert_ne!(wrong.as_bytes(), KEY);
let out = fcry()
.arg("-d")
.arg("-i")
.arg(&ct)
.arg("-o")
.arg(dir.path().join("rt.bin"))
.arg("--raw-key")
.arg(wrong)
.output()
.unwrap();
assert!(!out.status.success(), "decrypt with wrong key should fail");
}
#[test]
fn rejects_tampered_header() {
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
let ct = dir.path().join("c.bin");
fs::write(&plain, pseudo_random(2, 1000)).unwrap();
encrypt_file(&plain, &ct, None);
// Flip a byte in the chunk_size field of the header (offset 8: 4 magic + 4 fixed).
let mut bytes = fs::read(&ct).unwrap();
bytes[8] ^= 0xff;
fs::write(&ct, &bytes).unwrap();
let out = fcry()
.arg("-d")
.arg("-i")
.arg(&ct)
.arg("-o")
.arg(dir.path().join("rt.bin"))
.arg("--raw-key")
.arg(KEY_STR)
.output()
.unwrap();
assert!(
!out.status.success(),
"decrypt with tampered header should fail"
);
}
#[test]
fn rejects_tampered_ciphertext() {
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
let ct = dir.path().join("c.bin");
fs::write(&plain, pseudo_random(3, 5000)).unwrap();
encrypt_file(&plain, &ct, None);
// Flip a byte well past the header (in the first ciphertext chunk).
let mut bytes = fs::read(&ct).unwrap();
let off = bytes.len() / 2;
bytes[off] ^= 0x01;
fs::write(&ct, &bytes).unwrap();
let out = fcry()
.arg("-d")
.arg("-i")
.arg(&ct)
.arg("-o")
.arg(dir.path().join("rt.bin"))
.arg("--raw-key")
.arg(KEY_STR)
.output()
.unwrap();
assert!(
!out.status.success(),
"decrypt of tampered ciphertext should fail"
);
}
#[test]
fn rejects_truncated_ciphertext() {
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
let ct = dir.path().join("c.bin");
fs::write(&plain, pseudo_random(4, 3 * 1024 * 1024)).unwrap();
encrypt_file(&plain, &ct, None);
// Drop the trailing 16-byte tag of the last chunk (and then some).
let mut bytes = fs::read(&ct).unwrap();
bytes.truncate(bytes.len() - 32);
fs::write(&ct, &bytes).unwrap();
let out = fcry()
.arg("-d")
.arg("-i")
.arg(&ct)
.arg("-o")
.arg(dir.path().join("rt.bin"))
.arg("--raw-key")
.arg(KEY_STR)
.output()
.unwrap();
assert!(
!out.status.success(),
"decrypt of truncated ciphertext should fail"
);
}
#[test]
fn rejects_bad_magic() {
let dir = TempDir::new().unwrap();
let bogus = dir.path().join("bogus.bin");
fs::write(&bogus, b"NOPE\x01\x01\x00\x00\x00\x10\x00\x00\x00").unwrap();
let out = fcry()
.arg("-d")
.arg("-i")
.arg(&bogus)
.arg("-o")
.arg(dir.path().join("rt.bin"))
.arg("--raw-key")
.arg(KEY_STR)
.output()
.unwrap();
assert!(
!out.status.success(),
"decrypt of file with bad magic should fail"
);
assert!(
String::from_utf8_lossy(&out.stderr).contains("magic"),
"expected 'magic' in stderr, got: {}",
String::from_utf8_lossy(&out.stderr)
);
}
#[test]
fn rejects_short_raw_key() {
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
fs::write(&plain, b"hello").unwrap();
let out = fcry()
.arg("-i")
.arg(&plain)
.arg("-o")
.arg(dir.path().join("c.bin"))
.arg("--raw-key")
.arg("tooshort")
.output()
.unwrap();
assert!(
!out.status.success(),
"encrypt with short raw_key should fail"
);
}
#[test]
fn roundtrip_passphrase_argon2id() {
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
let ct = dir.path().join("c.bin");
let rt = dir.path().join("r.bin");
let data = pseudo_random(7, 100_000);
fs::write(&plain, &data).unwrap();
// Use cheap argon2 params so the test stays fast.
let enc = fcry()
.arg("-i")
.arg(&plain)
.arg("-o")
.arg(&ct)
.arg("--passphrase-env")
.arg("FCRY_TEST_PW")
.arg("--argon-memory")
.arg("8")
.arg("--argon-passes")
.arg("1")
.env("FCRY_TEST_PW", "correct horse battery staple")
.output()
.unwrap();
assert!(
enc.status.success(),
"passphrase encrypt failed: {}",
String::from_utf8_lossy(&enc.stderr)
);
let dec = fcry()
.arg("-d")
.arg("-i")
.arg(&ct)
.arg("-o")
.arg(&rt)
.arg("--passphrase-env")
.arg("FCRY_TEST_PW")
.env("FCRY_TEST_PW", "correct horse battery staple")
.output()
.unwrap();
assert!(
dec.status.success(),
"passphrase decrypt failed: {}",
String::from_utf8_lossy(&dec.stderr)
);
assert_eq!(fs::read(&rt).unwrap(), data);
// Wrong passphrase must fail.
let bad = fcry()
.arg("-d")
.arg("-i")
.arg(&ct)
.arg("-o")
.arg(dir.path().join("bad.bin"))
.arg("--passphrase-env")
.arg("FCRY_TEST_PW")
.env("FCRY_TEST_PW", "wrong passphrase")
.output()
.unwrap();
assert!(!bad.status.success(), "wrong passphrase should fail");
}
#[test]
fn atomic_output_no_stale_tmp_on_failure() {
// A failed decrypt (wrong key) should not leave the output file behind.
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
let ct = dir.path().join("c.bin");
let rt = dir.path().join("r.bin");
fs::write(&plain, b"hello world").unwrap();
encrypt_file(&plain, &ct, None);
let wrong = "ffffffffffffffffffffffffffffffff";
let out = fcry()
.arg("-d")
.arg("-i")
.arg(&ct)
.arg("-o")
.arg(&rt)
.arg("--raw-key")
.arg(wrong)
.output()
.unwrap();
assert!(!out.status.success());
assert!(!rt.exists(), "final output must not exist after failure");
let mut tmp = rt.clone();
tmp.set_file_name("r.bin.tmp");
assert!(!tmp.exists(), "temp file must be cleaned up");
}
#[test]
fn header_chunk_size_is_authoritative_on_decrypt() {
// Encrypt with a non-default chunk size; decrypt without specifying one.
// The decryptor must read chunk_size from the header.
let dir = TempDir::new().unwrap();
let plain = dir.path().join("p.bin");
let ct = dir.path().join("c.bin");
let rt = dir.path().join("r.bin");
let data = pseudo_random(5, 100_000);
fs::write(&plain, &data).unwrap();
encrypt_file(&plain, &ct, Some(7919)); // prime, deliberately weird
decrypt_file(&ct, &rt);
assert_eq!(fs::read(&rt).unwrap(), data);
}