docs: add comprehensive doc comments to all Rust source files
Document every public function, struct, field, constant, and non-trivial private function across idfoto-core and idfoto-cli. Module-level docs explain each module's role in the architecture. Comments explain the "why" (crypto choices, algorithm design, data model rationale) not just the "what". Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
adlee-was-taken
@@ -1,3 +1,48 @@
|
||||
//! Argon2id key derivation and XChaCha20-Poly1305 authenticated encryption.
|
||||
//!
|
||||
//! This module implements the low-level "encrypt bytes / decrypt bytes" layer.
|
||||
//! Higher-level typed wrappers (encrypt_entry, encrypt_manifest) live in [`crate::vault`].
|
||||
//!
|
||||
//! ## Why XChaCha20-Poly1305 over AES-GCM
|
||||
//!
|
||||
//! - **192-bit nonce** (vs. 96-bit for AES-GCM): eliminates nonce collision risk
|
||||
//! even with random nonces across billions of encryptions. With AES-GCM's 96-bit
|
||||
//! nonce, birthday-bound collisions become probable around 2^48 messages under
|
||||
//! the same key -- a real concern for a long-lived vault.
|
||||
//! - **Fast on WASM and ARM without AES-NI**: ChaCha20 is a pure arithmetic cipher
|
||||
//! (add/rotate/XOR) with no dependency on hardware AES acceleration. AES-GCM is
|
||||
//! fast *only* with AES-NI; without it, software AES is both slow and vulnerable
|
||||
//! to cache-timing side channels.
|
||||
//!
|
||||
//! ## Binary ciphertext format
|
||||
//!
|
||||
//! Every encrypted blob produced by [`encrypt`] has this layout:
|
||||
//!
|
||||
//! ```text
|
||||
//! [version: 1 byte] [nonce: 24 bytes] [ciphertext + Poly1305 tag: variable]
|
||||
//! ```
|
||||
//!
|
||||
//! - **Version byte** (`0x01`): allows future format changes without ambiguity.
|
||||
//! Decryption rejects any version it does not recognize.
|
||||
//! - **Nonce** (24 bytes): randomly generated per encryption via [`OsRng`].
|
||||
//! Stored alongside the ciphertext so the decryptor does not need out-of-band
|
||||
//! nonce management.
|
||||
//! - **Ciphertext + tag**: the AEAD output. The Poly1305 tag (16 bytes) is
|
||||
//! appended by the cipher implementation; we do not separate it.
|
||||
//!
|
||||
//! ## KDF pipeline
|
||||
//!
|
||||
//! [`derive_master_key`] concatenates the passphrase and image_secret as a single
|
||||
//! password input to Argon2id:
|
||||
//!
|
||||
//! ```text
|
||||
//! password = passphrase_bytes || image_secret (32 bytes)
|
||||
//! master_key = Argon2id(password, salt, params) -> 32 bytes
|
||||
//! ```
|
||||
//!
|
||||
//! Both factors contribute to the derived key -- compromising one without the
|
||||
//! other is insufficient. The salt is vault-specific and stored in `.idfoto/salt`.
|
||||
|
||||
use argon2::{Algorithm, Argon2, Params, Version};
|
||||
use chacha20poly1305::{
|
||||
aead::{Aead, KeyInit},
|
||||
@@ -8,14 +53,35 @@ use serde::{Deserialize, Serialize};
|
||||
|
||||
use crate::error::{IdfotoError, Result};
|
||||
|
||||
/// Current binary format version. Increment this if the ciphertext layout changes.
|
||||
const VERSION_BYTE: u8 = 0x01;
|
||||
|
||||
/// XChaCha20-Poly1305 nonce length: 192 bits = 24 bytes.
|
||||
const NONCE_LEN: usize = 24;
|
||||
|
||||
/// Poly1305 authentication tag length: 128 bits = 16 bytes.
|
||||
/// Used only for minimum-length validation during decryption.
|
||||
const TAG_LEN: usize = 16;
|
||||
|
||||
/// Total header size: version byte + nonce. The ciphertext (including tag)
|
||||
/// follows immediately after the header.
|
||||
const HEADER_LEN: usize = 1 + NONCE_LEN; // version + nonce
|
||||
|
||||
/// Encrypt arbitrary plaintext bytes under a 256-bit key using XChaCha20-Poly1305.
|
||||
///
|
||||
/// Returns the binary blob in the format: `version(1) || nonce(24) || ciphertext+tag`.
|
||||
/// A fresh random nonce is generated for each call via the OS CSPRNG.
|
||||
///
|
||||
/// # Errors
|
||||
///
|
||||
/// Returns [`IdfotoError::Encrypt`] if the underlying AEAD operation fails
|
||||
/// (extremely unlikely in practice).
|
||||
pub fn encrypt(key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>> {
|
||||
let cipher = XChaCha20Poly1305::new(key.into());
|
||||
|
||||
// Generate a fresh random 24-byte nonce for every encryption.
|
||||
// With 192 bits of randomness, nonce reuse probability is negligible
|
||||
// even across billions of encryptions under the same key.
|
||||
let mut nonce_bytes = [0u8; NONCE_LEN];
|
||||
OsRng.fill_bytes(&mut nonce_bytes);
|
||||
let nonce = XNonce::from(nonce_bytes);
|
||||
@@ -33,7 +99,22 @@ pub fn encrypt(key: &[u8; 32], plaintext: &[u8]) -> Result<Vec<u8>> {
|
||||
Ok(output)
|
||||
}
|
||||
|
||||
/// Decrypt a blob produced by [`encrypt`], returning the original plaintext.
|
||||
///
|
||||
/// Validates the version byte and minimum blob length before attempting
|
||||
/// authenticated decryption. If the key is wrong or the data has been
|
||||
/// tampered with, the Poly1305 tag verification fails and [`IdfotoError::Decrypt`]
|
||||
/// is returned -- with no information about which bytes were wrong (preventing
|
||||
/// padding oracle / chosen-ciphertext attacks).
|
||||
///
|
||||
/// # Errors
|
||||
///
|
||||
/// - [`IdfotoError::Format`] if the data is too short or has an unknown version byte.
|
||||
/// - [`IdfotoError::Decrypt`] if the AEAD tag verification fails (wrong key or
|
||||
/// tampered data).
|
||||
pub fn decrypt(key: &[u8; 32], data: &[u8]) -> Result<Vec<u8>> {
|
||||
// Minimum valid blob: 1 (version) + 24 (nonce) + 16 (tag) = 41 bytes.
|
||||
// A zero-length plaintext produces exactly 41 bytes of output.
|
||||
if data.len() < HEADER_LEN + TAG_LEN {
|
||||
return Err(IdfotoError::Format(
|
||||
"data too short to be valid ciphertext".into(),
|
||||
@@ -59,13 +140,36 @@ pub fn decrypt(key: &[u8; 32], data: &[u8]) -> Result<Vec<u8>> {
|
||||
Ok(plaintext)
|
||||
}
|
||||
|
||||
/// Tunable parameters for the Argon2id key derivation function.
|
||||
///
|
||||
/// These are stored in the vault's `.idfoto/params.json` so that every client
|
||||
/// derives the same master key from the same inputs. Making them configurable
|
||||
/// lets tests use fast params (m=256, t=1, p=1) while production uses strong
|
||||
/// params (m=64MiB, t=3, p=4).
|
||||
///
|
||||
/// The parameters follow Argon2id naming conventions:
|
||||
/// - `argon2_m`: memory cost in KiB
|
||||
/// - `argon2_t`: time cost (number of iterations)
|
||||
/// - `argon2_p`: parallelism degree (number of lanes)
|
||||
#[derive(Debug, Clone, Serialize, Deserialize)]
|
||||
pub struct KdfParams {
|
||||
/// Memory cost in KiB. Default is 65536 (64 MiB), which makes GPU/ASIC
|
||||
/// brute-force attacks expensive. Tests use 256 KiB for speed.
|
||||
pub argon2_m: u32,
|
||||
/// Time cost (iteration count). Default is 3. Higher values increase CPU
|
||||
/// time linearly. Combined with high memory cost, this makes each key
|
||||
/// derivation take ~1 second on modern hardware.
|
||||
pub argon2_t: u32,
|
||||
/// Parallelism degree. Default is 4. Sets the number of independent lanes
|
||||
/// in the Argon2id memory-hard computation.
|
||||
pub argon2_p: u32,
|
||||
}
|
||||
|
||||
/// Production-strength default parameters: 64 MiB memory, 3 iterations, 4 lanes.
|
||||
///
|
||||
/// These are calibrated to take roughly 0.5-1 second on a modern desktop CPU,
|
||||
/// making brute-force attacks impractical while keeping interactive unlock fast
|
||||
/// enough for daily use.
|
||||
impl Default for KdfParams {
|
||||
fn default() -> Self {
|
||||
Self {
|
||||
@@ -76,6 +180,28 @@ impl Default for KdfParams {
|
||||
}
|
||||
}
|
||||
|
||||
/// Derive a 256-bit master key from the user's passphrase and reference image secret.
|
||||
///
|
||||
/// The two factors (passphrase + image_secret) are concatenated into a single
|
||||
/// password input to Argon2id. This means both factors contribute entropy to
|
||||
/// the derived key -- compromising one factor alone is insufficient.
|
||||
///
|
||||
/// # Arguments
|
||||
///
|
||||
/// - `passphrase`: the user's passphrase as raw UTF-8 bytes.
|
||||
/// - `image_secret`: the 32-byte secret extracted from the reference JPEG via
|
||||
/// [`crate::imgsecret::extract`].
|
||||
/// - `salt`: a 32-byte vault-specific salt (stored in `.idfoto/salt`).
|
||||
/// - `params`: the Argon2id tuning parameters (stored in `.idfoto/params.json`).
|
||||
///
|
||||
/// # Returns
|
||||
///
|
||||
/// A 32-byte master key suitable for use with [`encrypt`] and [`decrypt`].
|
||||
///
|
||||
/// # Errors
|
||||
///
|
||||
/// Returns [`IdfotoError::Kdf`] if the Argon2id parameters are invalid (e.g.,
|
||||
/// memory cost below the library's minimum).
|
||||
pub fn derive_master_key(
|
||||
passphrase: &[u8],
|
||||
image_secret: &[u8; 32],
|
||||
@@ -92,7 +218,10 @@ pub fn derive_master_key(
|
||||
|
||||
let argon2 = Argon2::new(Algorithm::Argon2id, Version::V0x13, argon2_params);
|
||||
|
||||
// Concatenate passphrase + image_secret as the password input
|
||||
// Concatenate passphrase + image_secret as the password input.
|
||||
// This ensures both factors contribute to the derived key: knowing only
|
||||
// the passphrase (without the reference image) or only the image secret
|
||||
// (without the passphrase) is insufficient to derive the correct master key.
|
||||
let mut password = Vec::with_capacity(passphrase.len() + 32);
|
||||
password.extend_from_slice(passphrase);
|
||||
password.extend_from_slice(image_secret);
|
||||
|
||||
Reference in New Issue
Block a user