enricobuehler
a913042367
Ground-up low-latency streaming stack per docs/implementation-plan.md. M1 is
complete and tested; Linux host backends are cfg-gated stubs to be filled in on
real hardware (M0/M2).
lumen-core (built + tested on macOS/aarch64 — 21 tests):
- fec: ErasureCoder over GF(2^8) (reed-solomon-erasure, Moonlight-compatible)
and GF(2^16) Leopard-RS (reed-solomon-simd, the >1 Gbps wall-breaker); proptested
- packet: zero-copy #[repr(C)] framing, multi-block, FEC-aware reassembly
- crypto: AES-128-GCM with per-direction nonce salts + sequence-as-AAD
- session: host submit / client poll hot paths + input; loopback & UDP transports
- abi: opaque handles, versioned LumenConfig, panic guards; cbindgen-generated header
- acceptance: Rust loopback+proptest and a C harness that links the staticlib
Scaffold (compiles green on all platforms): lumen-host (vdisplay/capture/encode/
inject/web/pipeline seams under cfg(linux)), lumen-client-rs, tools/{loss-harness,
latency-probe}, Apple/Android client stubs, Gitea CI, docs.
Hardened against a multi-agent adversarial review (13 verified findings fixed,
regression-tested): reassembler memory-DoS bounds + block-consistency validation,
GCM nonce-reuse direction separation, ABI struct_size guard + range checks, FEC
shard-length guards, shard_payload datagram bound, key zeroization + Debug redaction.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
150 lines
5.3 KiB
Rust
150 lines
5.3 KiB
Rust
//! AES-128-GCM session sealing, matching GameStream's video crypto in P1.
|
|
//!
|
|
//! ## Nonce uniqueness (the GCM safety requirement)
|
|
//!
|
|
//! The 96-bit nonce is `salt (4 bytes) || sequence (8 bytes, big-endian)`. Reusing a
|
|
//! `(key, nonce)` pair under AES-GCM is catastrophic, so two precautions apply:
|
|
//!
|
|
//! 1. **Per-direction salts.** Host and client share one `key` and `salt`, and each
|
|
//! counts its sequence from 0. To stop the host's video stream and the client's input
|
|
//! stream from colliding on `(key, nonce)`, the top bit of `salt[0]` is set to the
|
|
//! sender's direction — so the two directions occupy disjoint nonce spaces.
|
|
//! 2. **Per-session key+salt.** The pairing layer MUST hand each session a fresh
|
|
//! `(key, salt)`; reusing them across sessions reintroduces nonce reuse. `Config`'s
|
|
//! all-zero key with `encrypt = true` is rejected by `Config::validate` to catch the
|
|
//! obvious footgun.
|
|
//!
|
|
//! The sequence number is also passed as AEAD associated data, so tampering with the
|
|
//! on-wire sequence is detected (the tag check fails) rather than silently shifting the
|
|
//! nonce. Note: this layer does not provide anti-replay — see `Session`.
|
|
|
|
use crate::config::Role;
|
|
use crate::error::{LumenError, Result};
|
|
use aes_gcm::aead::{Aead, KeyInit, Payload};
|
|
use aes_gcm::{Aes128Gcm, Key, Nonce};
|
|
|
|
/// 16-byte AEAD authentication tag appended by GCM.
|
|
pub const TAG_LEN: usize = 16;
|
|
|
|
pub struct SessionCrypto {
|
|
cipher: Aes128Gcm,
|
|
/// Salt for nonces we seal with (our direction).
|
|
send_salt: [u8; 4],
|
|
/// Salt for nonces we open with (the peer's direction).
|
|
recv_salt: [u8; 4],
|
|
}
|
|
|
|
impl SessionCrypto {
|
|
pub fn new(key: &[u8; 16], salt: [u8; 4], role: Role) -> Self {
|
|
let key = Key::<Aes128Gcm>::from_slice(key);
|
|
let own = direction(role);
|
|
SessionCrypto {
|
|
cipher: Aes128Gcm::new(key),
|
|
send_salt: dir_salt(salt, own),
|
|
recv_salt: dir_salt(salt, own ^ 1),
|
|
}
|
|
}
|
|
|
|
/// Seal `plaintext` for sequence `seq`, returning `ciphertext || tag`. `seq` is
|
|
/// authenticated as associated data.
|
|
pub fn seal(&self, seq: u64, plaintext: &[u8]) -> Result<Vec<u8>> {
|
|
let nonce = nonce(self.send_salt, seq);
|
|
self.cipher
|
|
.encrypt(
|
|
Nonce::from_slice(&nonce),
|
|
Payload {
|
|
msg: plaintext,
|
|
aad: &seq.to_be_bytes(),
|
|
},
|
|
)
|
|
.map_err(|_| LumenError::Crypto)
|
|
}
|
|
|
|
/// Open `ciphertext || tag` for sequence `seq` (also bound as associated data).
|
|
pub fn open(&self, seq: u64, ciphertext: &[u8]) -> Result<Vec<u8>> {
|
|
let nonce = nonce(self.recv_salt, seq);
|
|
self.cipher
|
|
.decrypt(
|
|
Nonce::from_slice(&nonce),
|
|
Payload {
|
|
msg: ciphertext,
|
|
aad: &seq.to_be_bytes(),
|
|
},
|
|
)
|
|
.map_err(|_| LumenError::Crypto)
|
|
}
|
|
}
|
|
|
|
fn direction(role: Role) -> u8 {
|
|
match role {
|
|
Role::Host => 0,
|
|
Role::Client => 1,
|
|
}
|
|
}
|
|
|
|
/// Fold a 1-bit direction into the salt (top bit of `salt[0]`) so the two directions of
|
|
/// a session never share a nonce under the same key.
|
|
fn dir_salt(mut salt: [u8; 4], dir: u8) -> [u8; 4] {
|
|
salt[0] = (salt[0] & 0x7f) | (dir << 7);
|
|
salt
|
|
}
|
|
|
|
fn nonce(salt: [u8; 4], seq: u64) -> [u8; 12] {
|
|
let mut n = [0u8; 12];
|
|
n[..4].copy_from_slice(&salt);
|
|
n[4..].copy_from_slice(&seq.to_be_bytes());
|
|
n
|
|
}
|
|
|
|
/// Generate a fresh random AES-128 session key (control-plane / pairing use).
|
|
pub fn random_key() -> [u8; 16] {
|
|
let mut k = [0u8; 16];
|
|
rand::RngCore::fill_bytes(&mut rand::rng(), &mut k);
|
|
k
|
|
}
|
|
|
|
/// Generate a fresh random per-session nonce salt.
|
|
pub fn random_salt() -> [u8; 4] {
|
|
let mut s = [0u8; 4];
|
|
rand::RngCore::fill_bytes(&mut rand::rng(), &mut s);
|
|
s
|
|
}
|
|
|
|
#[cfg(test)]
|
|
mod tests {
|
|
use super::*;
|
|
|
|
#[test]
|
|
fn seal_open_roundtrip_cross_direction() {
|
|
let key = random_key();
|
|
let salt = random_salt();
|
|
let host = SessionCrypto::new(&key, salt, Role::Host);
|
|
let client = SessionCrypto::new(&key, salt, Role::Client);
|
|
|
|
let msg = b"the quick brown fox";
|
|
let sealed = host.seal(42, msg).unwrap(); // host -> client (video direction)
|
|
assert_ne!(&sealed[..msg.len()], &msg[..]); // actually encrypted
|
|
assert_eq!(sealed.len(), msg.len() + TAG_LEN);
|
|
assert_eq!(client.open(42, &sealed).unwrap(), msg);
|
|
|
|
// Wrong sequence (nonce + AAD) → authentication failure.
|
|
assert!(client.open(43, &sealed).is_err());
|
|
// Direction separation: the host opens with the peer (client) salt, so it cannot
|
|
// open its own outbound packet → distinct nonce spaces per direction.
|
|
assert!(host.open(42, &sealed).is_err());
|
|
}
|
|
|
|
#[test]
|
|
fn directions_use_distinct_nonce_spaces() {
|
|
let key = random_key();
|
|
let salt = [0u8; 4]; // even an all-zero base salt must separate the directions
|
|
let host = SessionCrypto::new(&key, salt, Role::Host);
|
|
let client = SessionCrypto::new(&key, salt, Role::Client);
|
|
// Same seq, same key, opposite directions → different ciphertext (no reuse).
|
|
assert_ne!(
|
|
host.seal(0, b"abc").unwrap(),
|
|
client.seal(0, b"abc").unwrap()
|
|
);
|
|
}
|
|
}
|