feat: improved xchacha padding and traffic obfsucation

Author: chadsec1

core/constants.py

@@ -19,14 +19,18 @@
 # crypto parameters (bytes)
 CHALLENGE_LEN     = 11264
 
-XCHACHA20POLY1305_NONCE_LEN = 24
-
 OTP_PAD_SIZE        = 11264
 OTP_MAX_BUCKET      = 64
 OTP_MAX_RANDOM_PAD  = 16 
 OTP_SIZE_LENGTH     = 2
 OTP_MAX_MESSAGE_LEN = OTP_PAD_SIZE - OTP_SIZE_LENGTH
 
+XCHACHA20POLY1305_NONCE_LEN      = 24
+XCHACHA20POLY1305_SIZE_LEN       = 3
+XCHACHA20POLY1305_MAX_RANODM_PAD = OTP_PAD_SIZE
+
+
+
 SMP_NONCE_LENGTH      = 64
 SMP_PROOF_LENGTH      = 64
 SMP_ANSWER_OUTPUT_LEN = 64

core/requests.py

@@ -3,7 +3,6 @@
     sha3_512
 )
 import urllib
-import uuid
 import json
 import logging
 import string

core/trad_crypto.py

@@ -3,15 +3,17 @@
 -------
 Provides wrappers for cryptographic primitives:
 - SHA3-512 hashing
-- Argon2id key derivation for AES-256 keys
-- AES-256-GCM encryption and decryption
+- Argon2id key derivation for XChaCha20Poly1305 keys
+- XChaCha20Poly1305 encryption and decryption
 These functions rely on the cryptography library and are intended for use within Coldwire's higher-level protocol logic.
 """
 
 from nacl import pwhash, bindings
 from core.constants import (
     OTP_PAD_SIZE,
     XCHACHA20POLY1305_NONCE_LEN,
+    XCHACHA20POLY1305_SIZE_LEN,
+    XCHACHA20POLY1305_MAX_RANODM_PAD,
     ARGON2_ITERS,
     ARGON2_MEMORY,
     ARGON2_LANES,
@@ -67,20 +69,22 @@ def derive_key_argon2id(password: bytes, salt: bytes = None, output_length: int
     ), salt
 
 
-def encrypt_xchacha20poly1305(key: bytes, plaintext: bytes, nonce: bytes = None, counter: int = None, counter_safety: int = 255) -> tuple[bytes, bytes]:
+def encrypt_xchacha20poly1305(key: bytes, plaintext: bytes, nonce: bytes = None, counter: int = None, counter_safety: int = 255, max_padding: int = XCHACHA20POLY1305_MAX_RANODM_PAD) -> tuple[bytes, bytes]:
     """
-    Encrypt plaintext using ChaCha20Poly1305.
+    Encrypt plaintext using XChaCha20Poly1305.
 
-    A random nonce is generated for each encryption.
+    A random nonce is generated for each encryption unless you specify one.
 
     Args:
-        key: A 32-byte ChaCha20Poly1305 key.
+        key: A 32-byte XChaCha20Poly1305 key.
         plaintext: Data to encrypt.
+        nonce: An (optional) nonce to be used.
         counter: an (optional) number to add to nonce
-
+        counter_safety: an (optional) max counter number, to prevent counter overflow.
+        max_padding: an (optional) maximum padding limit number to message. Cannot be larger than what `XCHACHA20POLY1305_MAX_RANODM_PAD` could store. Set to 0 for no padding.
     Returns:
         A tuple (nonce, ciphertext) where:
-        - nonce: The randomly generated AES-GCM nonce.
+        - nonce: The randomly generated nonce or the same given nonce.
         - ciphertext: The encrypted data including the authentication tag.
     """
     if nonce is None:
@@ -92,26 +96,46 @@ def encrypt_xchacha20poly1305(key: bytes, plaintext: bytes, nonce: bytes = None,
 
         nonce = nonce[:XCHACHA20POLY1305_NONCE_LEN - 1] + counter.to_bytes(1, "big")
 
-    ciphertext = bindings.crypto_aead_xchacha20poly1305_ietf_encrypt(plaintext, None, nonce, key) 
+    if max_padding < 0:
+        raise ValueError(f"Max_padding is less than 0! ({max_padding})")
+
+    if max_padding > 2 ** (XCHACHA20POLY1305_SIZE_LEN * 8) - 1:
+        raise ValueError(f"Max_padding is more than ``XCHACHA20POLY1305_SIZE_LEN`! ({max_padding})")
+
+    padding = secrets.token_bytes(secrets.randbelow(max_padding + 1))
+    padding_length_bytes = len(padding).to_bytes(XCHACHA20POLY1305_SIZE_LEN, "big")
+
+    padded_plaintext = padding_length_bytes + plaintext + padding
+
+
+    ciphertext = bindings.crypto_aead_xchacha20poly1305_ietf_encrypt(padded_plaintext, None, nonce, key) 
 
     return nonce, ciphertext
 
 
 def decrypt_xchacha20poly1305(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
     """
-    Decrypt ciphertext using ChaCha20Poly1305.
+    Decrypt ciphertext using XChaCha20Poly1305.
 
     Raises an exception if authentication fails.
 
     Args:
-        key: The 32-byte ChaCha20Poly1305 key used for encryption.
+        key: The 32-byte XChaCha20Poly1305 key used for encryption.
         nonce: The nonce used during encryption.
         ciphertext: The encrypted data including the authentication tag.
 
     Returns:
-        The decrypted plaintext bytes.
+        The decrypted plaintext bytes with no padding.
     """
 
-    return bindings.crypto_aead_xchacha20poly1305_ietf_decrypt(ciphertext, None, nonce, key)
+    padded_plaintext = bindings.crypto_aead_xchacha20poly1305_ietf_decrypt(ciphertext, None, nonce, key)
+
+    padding_length = int.from_bytes(padded_plaintext[:XCHACHA20POLY1305_SIZE_LEN], "big")
+
+    if padding_length < 0:
+        raise ValueError(f"Negative padding length ({padding_length}), ciphertext likely corrupted, or key is invalid!")
+
+    return padded_plaintext[XCHACHA20POLY1305_SIZE_LEN : -padding_length]
+
 
 

logic/background_worker.py

@@ -13,13 +13,11 @@
 )
 from core.crypto import random_number_range
 from core.trad_crypto import (
-        encrypt_xchacha20poly1305,
         decrypt_xchacha20poly1305
 )
 from base64 import b64decode
 import copy
 import logging
-import json
 
 logger = logging.getLogger(__name__)
 

logic/pfs.py

@@ -111,7 +111,8 @@ def send_new_ephemeral_keys(user_data: dict, user_data_lock: threading.Lock, con
     _, ciphertext_blob = encrypt_xchacha20poly1305(
             our_strand_key, 
             PFS_TYPE + our_new_strand_nonce + publickeys_hashchain_signature + publickeys_hashchain,
-            nonce = our_next_strand_nonce 
+            nonce = our_next_strand_nonce,
+            max_padding = 1024
         )
 
     try: