f6490f4c28
The file moves (docs/ → design/, docs/api/openapi.json → api/openapi.json) landed
in d01a8fd, but the matching reference updates did not — so mgmt.rs's drift-test
`include_str!("../../../docs/api/openapi.json")` pointed at a path that no longer
exists and the host failed to build. This restores it and updates every reference:
- mgmt.rs include_str! → ../../../api/openapi.json (fixes the build)
- web/orval.config.ts codegen target, web/Dockerfile, .dockerignore
- deb/rpm/Arch packaging install paths
- CLAUDE.md, the .gitea CI workflows, code doc-comments, design-doc cross-links
docs-site route URLs (/docs/...) untouched.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
//! Pairing crypto primitives (control plane only — distinct from `punktfunk_core`'s AES-GCM
//! data-plane sealing). GameStream pairing uses: AES-128-**ECB** with **no padding**,
//! SHA-256 (host appversion major ≥ 7), and RSA-PKCS1v15-SHA256 signatures. See the
//! `serverinfo + pairing` section of `design/research/gamestream-protocol-research.json`.
//!
//! ECB without padding appears here only because the pairing protocol uses it: it is
//! deterministic and unauthenticated, so these helpers should not be reused outside pairing.

use aes::cipher::generic_array::GenericArray;
use aes::cipher::{BlockDecrypt, BlockEncrypt, KeyInit};
use aes::Aes128;
use rand::RngCore;
use sha2::{Digest, Sha256};
/// Returns `N` bytes drawn from `rand::thread_rng()`.
///
/// The length is the const generic `N`, so the caller fixes the size at the type level
/// (for example `random::<16>()`).
// NOTE(review): the unpredictability of these bytes rests entirely on the `rand` crate's
// thread-local generator — confirm the pinned `rand` version documents it as a CSPRNG.
pub fn random<const N: usize>() -> [u8; N] {
    let mut buf = [0u8; N];
    let mut rng = rand::thread_rng();
    rng.fill_bytes(&mut buf);
    buf
}
/// Hashes the byte slices in `parts` as one message and returns the 32-byte SHA-256 digest.
///
/// The slices are fed to the hasher back to back, with no separator or length prefix, so
/// the parts `"ab", "c"` and `"a", "bc"` give the same digest. Callers that combine
/// variable-length fields need the split point to be fixed by the protocol.
pub fn sha256(parts: &[&[u8]]) -> [u8; 32] {
    let mut hasher = Sha256::new();
    parts.iter().for_each(|part| hasher.update(part));
    hasher.finalize().into()
}
/// Compares two byte slices without stopping at the first differing byte.
///
/// Every byte pair is XORed and OR-accumulated, and the accumulator is tested once at the
/// end, so the work done does not depend on where (or whether) the inputs differ. A length
/// mismatch returns `false` immediately; the length is not treated as secret here.
///
/// This is a best-effort property of the source code: the compiler is not obliged to keep
/// the loop branch-free. NOTE(review): if a hard guarantee is needed, an audited
/// constant-time comparison (such as the one in the `subtle` crate) is the usual choice.
pub fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }
    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }
    diff == 0
}
/// Derives the pairing AES-128 key: the first 16 bytes of `SHA-256(salt || pin)`.
///
/// The salt is hashed first, followed by the PIN's bytes as given by `str::as_bytes`
/// (ASCII for a numeric PIN).
///
/// A PIN is low-entropy input and a single SHA-256 is not a password-hashing KDF. The
/// construction is fixed by the pairing protocol, so keep this key for pairing only and do
/// not treat it as a long-term secret.
pub fn pin_key(salt: &[u8; 16], pin: &str) -> [u8; 16] {
    let digest = sha256(&[&salt[..], pin.as_bytes()]);
    // Only the leading half of the 32-byte digest is used as key material.
    let (head, _) = digest.split_at(16);
    let mut key = [0u8; 16];
    key.copy_from_slice(head);
    key
}
/// Encrypts `data` with AES-128 in ECB mode, one 16-byte block at a time.
///
/// No padding scheme is applied: an input whose length is not a multiple of 16 is extended
/// with zero bytes up to the next block boundary, and the output has that extended length.
/// The original length is therefore not recoverable from the ciphertext. An empty input
/// yields an empty output.
///
/// ECB is deterministic (equal plaintext blocks give equal ciphertext blocks) and carries no
/// integrity protection, so this is suitable only where the protocol requires it.
pub fn ecb_encrypt(key: &[u8; 16], data: &[u8]) -> Vec<u8> {
    let cipher = Aes128::new(GenericArray::from_slice(key));

    // Round the length up to a whole number of blocks; the extra bytes are zeros.
    let tail = data.len() % 16;
    let padded_len = if tail == 0 {
        data.len()
    } else {
        data.len() + (16 - tail)
    };

    let mut buf = data.to_vec();
    buf.resize(padded_len, 0);

    buf.chunks_exact_mut(16)
        .for_each(|block| cipher.encrypt_block(GenericArray::from_mut_slice(block)));
    buf
}
/// Decrypts `data` with AES-128 in ECB mode, one 16-byte block at a time.
///
/// No padding is removed. Only whole 16-byte blocks are processed: any trailing bytes after
/// the last complete block are dropped without an error, and an input shorter than 16 bytes
/// yields an empty vector.
///
/// The output is unauthenticated — a modified ciphertext decrypts to different bytes rather
/// than failing — so callers should check the input length they expect and rely on the
/// protocol's separate hash/signature checks before trusting the result.
pub fn ecb_decrypt(key: &[u8; 16], data: &[u8]) -> Vec<u8> {
    let cipher = Aes128::new(GenericArray::from_slice(key));

    // Length of the prefix made of complete blocks; the remainder is ignored.
    let whole = data.len() - data.len() % 16;

    let mut plain = Vec::with_capacity(data.len());
    plain.extend_from_slice(&data[..whole]);
    for block in plain.chunks_exact_mut(16) {
        cipher.decrypt_block(GenericArray::from_mut_slice(block));
    }
    plain
}