nihilist/tor
1
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/core/tor.git synced 2024-11-11 13:43:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
563bb1ad81
tor/src/common/crypto_curve25519.c

286 lines
8.8 KiB
C
Raw Normal View History

Add another year to our copyright dates. Because in 95 years, we or our successors will surely care about enforcing the BSD license terms on this code. Right?
2014-10-28 20:28:14 +01:00
/* Copyright (c) 2012-2014, The Tor Project, Inc. */
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
/* See LICENSE for licensing information */
/* Wrapper code for a curve25519 implementation. */
#define CRYPTO_CURVE25519_PRIVATE
#include "orconfig.h"
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
#include "container.h"
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
#include "crypto.h"
#include "crypto_curve25519.h"
#include "util.h"
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
#include "torlog.h"
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
/* ==============================
Part 1: wrap a suitable curve25519 implementation as curve25519_impl
============================== */
#ifdef USE_CURVE25519_DONNA
int curve25519_donna(uint8_t *mypublic,
const uint8_t *secret, const uint8_t *basepoint);
#endif
#ifdef USE_CURVE25519_NACL
Check for nacl headers in nacl/ subdir Fix for bug 7972
2013-01-16 16:29:11 +01:00
#ifdef HAVE_CRYPTO_SCALARMULT_CURVE25519_H
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
#include <crypto_scalarmult_curve25519.h>
Check for nacl headers in nacl/ subdir Fix for bug 7972
2013-01-16 16:29:11 +01:00
#elif defined(HAVE_NACL_CRYPTO_SCALARMULT_CURVE25519_H)
#include <nacl/crypto_scalarmult_curve25519.h>
#endif
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
#endif
Completely refactor how FILENAME_PRIVATE works We previously used FILENAME_PRIVATE identifiers mostly for identifiers exposed only to the unit tests... but also for identifiers exposed to the benchmarker, and sometimes for identifiers exposed to a similar module, and occasionally for no really good reason at all. Now, we use FILENAME_PRIVATE identifiers for identifiers shared by Tor and the unit tests. They should be defined static when we aren't building the unit test, and globally visible otherwise. (The STATIC macro will keep us honest here.) For identifiers used only by the unit tests and never by Tor at all, on the other hand, we wrap them in #ifdef TOR_UNIT_TESTS. This is not the motivating use case for the split test/non-test build system; it's just a test example to see how it works, and to take a chance to clean up the code a little.
2013-06-06 23:58:28 +02:00
STATIC int
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
curve25519_impl(uint8_t *output, const uint8_t *secret,
const uint8_t *basepoint)
{
Tolerate curve25519 backends where the high bit of the pk isn't ignored Right now, all our curve25519 backends ignore the high bit of the public key. But possibly, others could treat the high bit of the public key as encoding out-of-bounds values, or as something to be preserved. This could be used to distinguish clients with different backends, at the cost of killing a circuit. As a workaround, let's just clear the high bit of each public key indiscriminately before we use it. Fix for bug 8121, reported by rransom. Bugfix on 0.2.4.8-alpha.
2013-02-04 18:50:01 +01:00
uint8_t bp[CURVE25519_PUBKEY_LEN];
int r;
memcpy(bp, basepoint, CURVE25519_PUBKEY_LEN);
/* Clear the high bit, in case our backend foolishly looks at it. */
bp[31] &= 0x7f;
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
#ifdef USE_CURVE25519_DONNA
Tolerate curve25519 backends where the high bit of the pk isn't ignored Right now, all our curve25519 backends ignore the high bit of the public key. But possibly, others could treat the high bit of the public key as encoding out-of-bounds values, or as something to be preserved. This could be used to distinguish clients with different backends, at the cost of killing a circuit. As a workaround, let's just clear the high bit of each public key indiscriminately before we use it. Fix for bug 8121, reported by rransom. Bugfix on 0.2.4.8-alpha.
2013-02-04 18:50:01 +01:00
r = curve25519_donna(output, secret, bp);
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
#elif defined(USE_CURVE25519_NACL)
Tolerate curve25519 backends where the high bit of the pk isn't ignored Right now, all our curve25519 backends ignore the high bit of the public key. But possibly, others could treat the high bit of the public key as encoding out-of-bounds values, or as something to be preserved. This could be used to distinguish clients with different backends, at the cost of killing a circuit. As a workaround, let's just clear the high bit of each public key indiscriminately before we use it. Fix for bug 8121, reported by rransom. Bugfix on 0.2.4.8-alpha.
2013-02-04 18:50:01 +01:00
r = crypto_scalarmult_curve25519(output, secret, bp);
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
#else
#error "No implementation of curve25519 is available."
#endif
Tolerate curve25519 backends where the high bit of the pk isn't ignored Right now, all our curve25519 backends ignore the high bit of the public key. But possibly, others could treat the high bit of the public key as encoding out-of-bounds values, or as something to be preserved. This could be used to distinguish clients with different backends, at the cost of killing a circuit. As a workaround, let's just clear the high bit of each public key indiscriminately before we use it. Fix for bug 8121, reported by rransom. Bugfix on 0.2.4.8-alpha.
2013-02-04 18:50:01 +01:00
memwipe(bp, 0, sizeof(bp));
return r;
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
}
/* ==============================
Part 2: Wrap curve25519_impl with some convenience types and functions.
============================== */
/**
* Return true iff a curve25519_public_key_t seems valid. (It's not necessary
* to see if the point is on the curve, since the twist is also secure, but we
* do need to make sure that it isn't the point at infinity.) */
int
curve25519_public_key_is_ok(const curve25519_public_key_t *key)
{
Use safe_mem_is_zero for checking curve25519 output for 0-ness This should make the intent more explicit. Probably needless, though.
2012-12-26 04:25:09 +01:00
return !safe_mem_is_zero(key->public_key, CURVE25519_PUBKEY_LEN);
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
}
Add Ed25519 support, wrappers, and tests. Taken from earlier ed25519 branch based on floodyberry's ed25519-donna. Tweaked so that it applies to ref10 instead.
2013-09-29 19:30:24 +02:00
/**
* Generate CURVE25519_SECKEY_LEN random bytes in <b>out</b>. If
* <b>extra_strong</b> is true, this key is possibly going to get used more
* than once, so use a better-than-usual RNG. Return 0 on success, -1 on
* failure.
*
* This function does not adjust the output of the RNG at all; the will caller
* will need to clear or set the appropriate bits to make curve25519 work.
*/
Check all crypto_rand return values for ntor.
2012-12-26 04:43:01 +01:00
int
Add Ed25519 support, wrappers, and tests. Taken from earlier ed25519 branch based on floodyberry's ed25519-donna. Tweaked so that it applies to ref10 instead.
2013-09-29 19:30:24 +02:00
curve25519_rand_seckey_bytes(uint8_t *out, int extra_strong)
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
{
Refactor strong os-RNG into its own function Previously, we only used the strong OS entropy source as part of seeding OpenSSL's RNG. But with curve25519, we'll have occasion to want to generate some keys using extremely-good entopy, as well as the means to do so. So let's! This patch refactors the OS-entropy wrapper into its own crypto_strongest_rand() function, and makes our new curve25519_secret_key_generate function try it as appropriate.
2012-12-04 05:31:07 +01:00
uint8_t k_tmp[CURVE25519_SECKEY_LEN];
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
Add Ed25519 support, wrappers, and tests. Taken from earlier ed25519 branch based on floodyberry's ed25519-donna. Tweaked so that it applies to ref10 instead.
2013-09-29 19:30:24 +02:00
if (crypto_rand((char*)out, CURVE25519_SECKEY_LEN) < 0)
Check all crypto_rand return values for ntor.
2012-12-26 04:43:01 +01:00
return -1;
Refactor strong os-RNG into its own function Previously, we only used the strong OS entropy source as part of seeding OpenSSL's RNG. But with curve25519, we'll have occasion to want to generate some keys using extremely-good entopy, as well as the means to do so. So let's! This patch refactors the OS-entropy wrapper into its own crypto_strongest_rand() function, and makes our new curve25519_secret_key_generate function try it as appropriate.
2012-12-04 05:31:07 +01:00
if (extra_strong && !crypto_strongest_rand(k_tmp, CURVE25519_SECKEY_LEN)) {
/* If they asked for extra-strong entropy and we have some, use it as an
typo in crypto_curve25519.c comment, spotted by rransom
2013-01-31 19:53:29 +01:00
* HMAC key to improve not-so-good entropy rather than using it directly,
Refactor strong os-RNG into its own function Previously, we only used the strong OS entropy source as part of seeding OpenSSL's RNG. But with curve25519, we'll have occasion to want to generate some keys using extremely-good entopy, as well as the means to do so. So let's! This patch refactors the OS-entropy wrapper into its own crypto_strongest_rand() function, and makes our new curve25519_secret_key_generate function try it as appropriate.
2012-12-04 05:31:07 +01:00
* just in case the extra-strong entropy is less amazing than we hoped. */
Add Ed25519 support, wrappers, and tests. Taken from earlier ed25519 branch based on floodyberry's ed25519-donna. Tweaked so that it applies to ref10 instead.
2013-09-29 19:30:24 +02:00
crypto_hmac_sha256((char*) out,
(const char *)k_tmp, sizeof(k_tmp),
(const char *)out, CURVE25519_SECKEY_LEN);
Refactor strong os-RNG into its own function Previously, we only used the strong OS entropy source as part of seeding OpenSSL's RNG. But with curve25519, we'll have occasion to want to generate some keys using extremely-good entopy, as well as the means to do so. So let's! This patch refactors the OS-entropy wrapper into its own crypto_strongest_rand() function, and makes our new curve25519_secret_key_generate function try it as appropriate.
2012-12-04 05:31:07 +01:00
}
memwipe(k_tmp, 0, sizeof(k_tmp));
Add Ed25519 support, wrappers, and tests. Taken from earlier ed25519 branch based on floodyberry's ed25519-donna. Tweaked so that it applies to ref10 instead.
2013-09-29 19:30:24 +02:00
return 0;
}
/** Generate a new keypair and return the secret key. If <b>extra_strong</b>
* is true, this key is possibly going to get used more than once, so
* use a better-than-usual RNG. Return 0 on success, -1 on failure. */
int
curve25519_secret_key_generate(curve25519_secret_key_t *key_out,
int extra_strong)
{
if (curve25519_rand_seckey_bytes(key_out->secret_key, extra_strong) < 0)
return -1;
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
key_out->secret_key[0] &= 248;
key_out->secret_key[31] &= 127;
key_out->secret_key[31] |= 64;
Check all crypto_rand return values for ntor.
2012-12-26 04:43:01 +01:00
return 0;
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
}
void
curve25519_public_key_generate(curve25519_public_key_t *key_out,
const curve25519_secret_key_t *seckey)
{
static const uint8_t basepoint[32] = {9};
curve25519_impl(key_out->public_key, seckey->secret_key, basepoint);
}
Check all crypto_rand return values for ntor.
2012-12-26 04:43:01 +01:00
int
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
curve25519_keypair_generate(curve25519_keypair_t *keypair_out,
int extra_strong)
{
Check all crypto_rand return values for ntor.
2012-12-26 04:43:01 +01:00
if (curve25519_secret_key_generate(&keypair_out->seckey, extra_strong) < 0)
return -1;
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey);
Check all crypto_rand return values for ntor.
2012-12-26 04:43:01 +01:00
return 0;
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
}
Comments and tweaks based on review by asn Add some documentation Rename "derive" -> "blind" Check for failure on randombytes().
2014-09-25 21:03:55 +02:00
/** Write the <b>datalen</b> bytes from <b>data</b> to the file named
* <b>fname</b> in the tagged-data format. This format contains a
* 32-byte header, followed by the data itself. The header is the
* NUL-padded string "== <b>typestring</b>: <b>tag</b> ==". The length
* of <b>typestring</b> and <b>tag</b> must therefore be no more than
* 24.
**/
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
int
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
crypto_write_tagged_contents_to_file(const char *fname,
const char *typestring,
const char *tag,
const uint8_t *data,
size_t datalen)
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
{
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
char header[32];
smartlist_t *chunks = smartlist_new();
sized_chunk_t ch0, ch1;
int r = -1;
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
memset(header, 0, sizeof(header));
if (tor_snprintf(header, sizeof(header),
"== %s: %s ==", typestring, tag) < 0)
goto end;
ch0.bytes = header;
ch0.len = 32;
ch1.bytes = (const char*) data;
ch1.len = datalen;
smartlist_add(chunks, &ch0);
smartlist_add(chunks, &ch1);
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
r = write_chunks_to_file(fname, chunks, 1, 0);
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
end:
smartlist_free(chunks);
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
return r;
}
Comments and tweaks based on review by asn Add some documentation Rename "derive" -> "blind" Check for failure on randombytes().
2014-09-25 21:03:55 +02:00
/** Read a tagged-data file from <b>fname</b> into the
* <b>data_out_len</b>-byte buffer in <b>data_out</b>. Check that the
* typestring matches <b>typestring</b>; store the tag into a newly allocated
* string in <b>tag_out</b>. Return -1 on failure, and the number of bytes of
* data on success. */
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
ssize_t
crypto_read_tagged_contents_from_file(const char *fname,
const char *typestring,
char **tag_out,
uint8_t *data_out,
ssize_t data_out_len)
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
{
char prefix[33];
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
char *content = NULL;
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
struct stat st;
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
ssize_t r = -1;
Fix on that last fix.
2014-09-25 23:59:10 +02:00
size_t st_size = 0;
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
*tag_out = NULL;
st.st_size = 0;
content = read_file_to_str(fname, RFTS_BIN|RFTS_IGNORE_MISSING, &st);
if (! content)
goto end;
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
if (st.st_size < 32 || st.st_size > 32 + data_out_len)
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
goto end;
Fix warnings on 32-bit builds. When size_t is the most memory you can have, make sure that things referring to real parts of memory are size_t, not uint64_t or off_t. But not on any released Tor.
2014-09-25 23:50:13 +02:00
st_size = (size_t)st.st_size;
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
memcpy(prefix, content, 32);
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
prefix[32] = 0;
/* Check type, extract tag. */
if (strcmpstart(prefix, "== ") || strcmpend(prefix, " ==") ||
! tor_mem_is_zero(prefix+strlen(prefix), 32-strlen(prefix)))
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
goto end;
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
if (strcmpstart(prefix+3, typestring) ||
3+strlen(typestring) >= 32 ||
strcmpstart(prefix+3+strlen(typestring), ": "))
goto end;
*tag_out = tor_strndup(prefix+5+strlen(typestring),
strlen(prefix)-8-strlen(typestring));
Fix warnings on 32-bit builds. When size_t is the most memory you can have, make sure that things referring to real parts of memory are size_t, not uint64_t or off_t. But not on any released Tor.
2014-09-25 23:50:13 +02:00
memcpy(data_out, content+32, st_size-32);
r = st_size - 32;
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
end:
if (content)
Fix warnings on 32-bit builds. When size_t is the most memory you can have, make sure that things referring to real parts of memory are size_t, not uint64_t or off_t. But not on any released Tor.
2014-09-25 23:50:13 +02:00
memwipe(content, 0, st_size);
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
tor_free(content);
return r;
}
/** DOCDOC */
int
curve25519_keypair_write_to_file(const curve25519_keypair_t *keypair,
const char *fname,
const char *tag)
{
uint8_t contents[CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN];
int r;
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
memcpy(contents, keypair->seckey.secret_key, CURVE25519_SECKEY_LEN);
memcpy(contents+CURVE25519_SECKEY_LEN,
keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);
r = crypto_write_tagged_contents_to_file(fname,
"c25519v1",
tag,
contents,
sizeof(contents));
memwipe(contents, 0, sizeof(contents));
return r;
}
/** DOCDOC */
int
curve25519_keypair_read_from_file(curve25519_keypair_t *keypair_out,
char **tag_out,
const char *fname)
{
uint8_t content[CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN];
ssize_t len;
int r = -1;
len = crypto_read_tagged_contents_from_file(fname, "c25519v1", tag_out,
content, sizeof(content));
if (len != sizeof(content))
goto end;
memcpy(keypair_out->seckey.secret_key, content, CURVE25519_SECKEY_LEN);
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey);
if (tor_memneq(keypair_out->pubkey.public_key,
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
content + CURVE25519_SECKEY_LEN,
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
CURVE25519_PUBKEY_LEN))
goto end;
r = 0;
end:
Support for writing ed25519 public/private components to disk. This refactors the "== type:tag ==" code from crypto_curve25519.c
2013-10-18 19:25:00 +02:00
memwipe(content, 0, sizeof(content));
Move curve25519 keypair type to src/common; give it functions This patch moves curve25519_keypair_t from src/or/onion_ntor.h to src/common/crypto_curve25519.h, and adds new functions to generate, load, and store keypairs.
2012-12-04 21:57:16 +01:00
if (r != 0) {
memset(keypair_out, 0, sizeof(*keypair_out));
tor_free(*tag_out);
}
return r;
}
Add a wrapper around, and test and build support for, curve25519. We want to use donna-c64 when we have a GCC with support for 64x64->uint128_t multiplying. If not, we want to use libnacl if we can, unless it's giving us the unsafe "ref" implementation. And if that isn't going to work, we'd like to use the portable-and-safe-but-slow 32-bit "donna" implementation. We might need more library searching for the correct libnacl, especially once the next libnacl release is out -- it's likely to have bunches of better curve25519 implementations. I also define a set of curve25519 wrapper functions, though it really shouldn't be necessary. We should eventually make the -donna*.c files get build with -fomit-frame-pointer, since that can make a difference.
2012-12-03 21:44:21 +01:00
/** Perform the curve25519 ECDH handshake with <b>skey</b> and <b>pkey</b>,
* writing CURVE25519_OUTPUT_LEN bytes of output into <b>output</b>. */
void
curve25519_handshake(uint8_t *output,
const curve25519_secret_key_t *skey,
const curve25519_public_key_t *pkey)
{
curve25519_impl(output, skey->secret_key, pkey->public_key);
}
Reference in New Issue Copy Permalink