[PM-15096] Implement xchacha20-poly1305 cipher functions (#150)

## 🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-15096

## 📔 Objective

Implements xchacha20-poly1305
(https://libsodium.gitbook.io/doc/secret-key_cryptography/aead/chacha20-poly1305/xchacha20-poly1305_construction)
as a new encryption type.

Further, this introduces a dependency patch override (to
https://github.com/bitwarden/rustcrypto-formats.git at revision
2b27c63034217dd126bbf5ed874da51b84f8c705) for rustcrypto formats, until
this gets updated upstream to fix a type incompatibility when building
on WASM and with chacha as a dependency.

These functions are unused until a follow-up PR (soon).

## ⏰ Reminders before review

- Contributor guidelines followed
- All formatters and local linters executed and passed
- Written new unit and / or integration tests where applicable
- Protected functional changes with optionality (feature flags)
- Used internationalization (i18n) for all UI strings
- CI builds passed
- Communicated to DevOps any deployment requirements
- Updated any necessary documentation (Confluence, contributing docs) or
informed the documentation
  team

## 🦮 Reviewer guidelines

<!-- Suggested interactions but feel free to use (or not) as you desire!
-->

- 👍 (`:+1:`) or similar for great changes
- 📝 (`:memo:`) or ℹ️ (`:information_source:`) for notes or general info
- ❓ (`:question:`) for questions
- 🤔 (`:thinking:`) or 💭 (`:thought_balloon:`) for more open inquiry
that's not quite a confirmed
  issue and could potentially benefit from discussion
- 🎨 (`:art:`) for suggestions / improvements
- ❌ (`:x:`) or ⚠️ (`:warning:`) for more significant problems or
concerns needing attention
- 🌱 (`:seedling:`) or ♻️ (`:recycle:`) for future improvements or
indications of technical debt
- ⛏ (`:pick:`) for minor or nitpick changes

Author: quexten

Cargo.lock

@@ -29,6 +29,7 @@ argon2 = { version = ">=0.5.0, <0.6", features = [
 base64 = ">=0.22.1, <0.23"
 bitwarden-error = { workspace = true }
 cbc = { version = ">=0.1.2, <0.2", features = ["alloc", "zeroize"] }
+chacha20poly1305 = { version = "0.10.1" }
 generic-array = { version = ">=0.14.7, <1.0", features = ["zeroize"] }
 hkdf = ">=0.12.3, <0.13"
 hmac = ">=0.12.1, <0.13"

crates/bitwarden-crypto/Cargo.toml

@@ -91,6 +91,7 @@ pub use wordlist::EFF_LONG_WORD_LIST;
 mod store;
 pub use store::{KeyStore, KeyStoreContext};
 mod traits;
+mod xchacha20;
 pub use traits::{Decryptable, Encryptable, IdentifyKey, KeyId, KeyIds};
 pub use zeroizing_alloc::ZeroAlloc as ZeroizingAllocator;
 

crates/bitwarden-crypto/src/lib.rs

@@ -0,0 +1,149 @@
+//! # XChaCha20Poly1305 operations
+//!
+//! Contains low level XChaCha20Poly1305 operations used by the rest of the crate.
+//!
+//! In most cases you should use the [EncString][crate::EncString] with
+//! [KeyEncryptable][crate::KeyEncryptable] & [KeyDecryptable][crate::KeyDecryptable] instead.
+//!
+//! Note:
+//! XChaCha20Poly1305 encrypts data, and authenticates both the cipher text and associated
+//! data. This does not provide key-commitment, and assumes there can only be one key.
+//!
+//! If multiple keys are possible, a key-committing cipher such as
+//! XChaCha20Poly1305Blake3CTX should be used: `https://github.com/bitwarden/sdk-internal/pull/41` to prevent invisible-salamander style attacks.
+//! `https://eprint.iacr.org/2019/016.pdf`
+//! `https://soatok.blog/2024/09/10/invisible-salamanders-are-not-what-you-think/`
+
+use chacha20poly1305::{AeadCore, AeadInPlace, KeyInit, XChaCha20Poly1305};
+use generic_array::GenericArray;
+use rand::{CryptoRng, RngCore};
+
+use crate::CryptoError;
+
+#[allow(unused)]
+pub(crate) struct XChaCha20Poly1305Ciphertext {
+    nonce: GenericArray<u8, <XChaCha20Poly1305 as AeadCore>::NonceSize>,
+    ciphertext: Vec<u8>,
+}
+
+#[allow(unused)]
+fn encrypt_xchacha20_poly1305(
+    key: &[u8; 32],
+    plaintext_secret_data: &[u8],
+    associated_data: &[u8],
+) -> XChaCha20Poly1305Ciphertext {
+    let mut rng = rand::thread_rng();
+    encrypt_xchacha20_poly1305_internal(rng, key, plaintext_secret_data, associated_data)
+}
+
+fn encrypt_xchacha20_poly1305_internal(
+    rng: impl RngCore + CryptoRng,
+    key: &[u8; 32],
+    plaintext_secret_data: &[u8],
+    associated_data: &[u8],
+) -> XChaCha20Poly1305Ciphertext {
+    let nonce = &XChaCha20Poly1305::generate_nonce(rng);
+    // This buffer contains the plaintext, that will be encrypted in-place
+    let mut buffer = plaintext_secret_data.to_vec();
+    XChaCha20Poly1305::new(GenericArray::from_slice(key))
+        .encrypt_in_place(nonce, associated_data, &mut buffer)
+        .expect("encryption failed");
+
+    XChaCha20Poly1305Ciphertext {
+        nonce: *nonce,
+        ciphertext: buffer,
+    }
+}
+
+#[allow(unused)]
+pub(crate) fn decrypt_xchacha20_poly1305(
+    nonce: &[u8; 24],
+    key: &[u8; 32],
+    ciphertext: &[u8],
+    associated_data: &[u8],
+) -> Result<Vec<u8>, CryptoError> {
+    let mut buffer = ciphertext.to_vec();
+    XChaCha20Poly1305::new(GenericArray::from_slice(key))
+        .decrypt_in_place(
+            GenericArray::from_slice(nonce),
+            associated_data,
+            &mut buffer,
+        )
+        .map_err(|_| CryptoError::KeyDecrypt)?;
+    Ok(buffer)
+}
+
+mod tests {
+    #[cfg(test)]
+    use crate::xchacha20::*;
+
+    #[test]
+    fn test_encrypt_decrypt_xchacha20() {
+        let key = [0u8; 32];
+        let plaintext_secret_data = b"My secret data";
+        let authenticated_data = b"My authenticated data";
+        let encrypted = encrypt_xchacha20_poly1305(&key, plaintext_secret_data, authenticated_data);
+        let decrypted = decrypt_xchacha20_poly1305(
+            &encrypted.nonce.into(),
+            &key,
+            &encrypted.ciphertext,
+            authenticated_data,
+        )
+        .unwrap();
+        assert_eq!(plaintext_secret_data, decrypted.as_slice());
+    }
+
+    #[test]
+    fn test_fails_when_ciphertext_changed() {
+        let key = [0u8; 32];
+        let plaintext_secret_data = b"My secret data";
+        let authenticated_data = b"My authenticated data";
+
+        let mut encrypted =
+            encrypt_xchacha20_poly1305(&key, plaintext_secret_data, authenticated_data);
+        encrypted.ciphertext[0] = encrypted.ciphertext[0].wrapping_add(1);
+        let result = decrypt_xchacha20_poly1305(
+            &encrypted.nonce.into(),
+            &key,
+            &encrypted.ciphertext,
+            authenticated_data,
+        );
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_fails_when_associated_data_changed() {
+        let key = [0u8; 32];
+        let plaintext_secret_data = b"My secret data";
+        let mut authenticated_data = b"My authenticated data".to_vec();
+
+        let encrypted =
+            encrypt_xchacha20_poly1305(&key, plaintext_secret_data, authenticated_data.as_slice());
+        authenticated_data[0] = authenticated_data[0].wrapping_add(1);
+        let result = decrypt_xchacha20_poly1305(
+            &encrypted.nonce.into(),
+            &key,
+            &encrypted.ciphertext,
+            authenticated_data.as_slice(),
+        );
+        assert!(result.is_err());
+    }
+
+    #[test]
+    fn test_fails_when_nonce_changed() {
+        let key = [0u8; 32];
+        let plaintext_secret_data = b"My secret data";
+        let authenticated_data = b"My authenticated data";
+
+        let mut encrypted =
+            encrypt_xchacha20_poly1305(&key, plaintext_secret_data, authenticated_data);
+        encrypted.nonce[0] = encrypted.nonce[0].wrapping_add(1);
+        let result = decrypt_xchacha20_poly1305(
+            &encrypted.nonce.into(),
+            &key,
+            &encrypted.ciphertext,
+            authenticated_data,
+        );
+        assert!(result.is_err());
+    }
+}

crates/bitwarden-crypto/src/xchacha20.rs

@@ -23,9 +23,9 @@ fi
 # 1. It is required for wasm2js support
 # 2. While webpack supports it, it has some compatibility issues that lead to strange results
 # Note that this requirest build-std which is an unstable feature,
-# this normally requires a nightly build, but we can also use the 
+# this normally requires a nightly build, but we can also use the
 # RUSTC_BOOTSTRAP hack to use the same stable version as the normal build
-RUSTFLAGS=-Ctarget-cpu=mvp RUSTC_BOOTSTRAP=1 cargo build -p bitwarden-wasm-internal -Zbuild-std=panic_abort,std --target wasm32-unknown-unknown ${RELEASE_FLAG}
+RUSTFLAGS=-Ctarget-cpu=mvp RUSTC_BOOTSTRAP=1 cargo build -p bitwarden-wasm-internal -Zbuild-std=panic_abort,std --target wasm32-unknown-unknown ${RELEASE_FLAG} --config 'patch.crates-io.pkcs5.git="https://github.com/bitwarden/rustcrypto-formats.git"' --config 'patch.crates-io.pkcs5.rev="2b27c63034217dd126bbf5ed874da51b84f8c705"'
 wasm-bindgen --target bundler --out-dir crates/bitwarden-wasm-internal/npm ./target/wasm32-unknown-unknown/${BUILD_FOLDER}/bitwarden_wasm_internal.wasm
 wasm-bindgen --target nodejs --out-dir crates/bitwarden-wasm-internal/npm/node ./target/wasm32-unknown-unknown/${BUILD_FOLDER}/bitwarden_wasm_internal.wasm