2015-01-02 20:27:39 +01:00
|
|
|
/* Copyright (c) 2012-2015, The Tor Project, Inc. */
|
2012-12-03 21:44:21 +01:00
|
|
|
/* See LICENSE for licensing information */
|
|
|
|
|
|
|
|
/* Wrapper code for a curve25519 implementation. */
|
|
|
|
|
|
|
|
#define CRYPTO_CURVE25519_PRIVATE
|
|
|
|
#include "orconfig.h"
|
2012-12-04 21:57:16 +01:00
|
|
|
#ifdef HAVE_SYS_STAT_H
|
|
|
|
#include <sys/stat.h>
|
|
|
|
#endif
|
2013-10-18 19:25:00 +02:00
|
|
|
#include "container.h"
|
2012-12-03 21:44:21 +01:00
|
|
|
#include "crypto.h"
|
|
|
|
#include "crypto_curve25519.h"
|
|
|
|
#include "util.h"
|
2012-12-04 21:57:16 +01:00
|
|
|
#include "torlog.h"
|
2012-12-03 21:44:21 +01:00
|
|
|
|
|
|
|
/* ==============================
|
|
|
|
Part 1: wrap a suitable curve25519 implementation as curve25519_impl
|
|
|
|
============================== */
|
|
|
|
|
|
|
|
#ifdef USE_CURVE25519_DONNA
|
|
|
|
int curve25519_donna(uint8_t *mypublic,
|
|
|
|
const uint8_t *secret, const uint8_t *basepoint);
|
|
|
|
#endif
|
|
|
|
#ifdef USE_CURVE25519_NACL
|
2013-01-16 16:29:11 +01:00
|
|
|
#ifdef HAVE_CRYPTO_SCALARMULT_CURVE25519_H
|
2012-12-03 21:44:21 +01:00
|
|
|
#include <crypto_scalarmult_curve25519.h>
|
2013-01-16 16:29:11 +01:00
|
|
|
#elif defined(HAVE_NACL_CRYPTO_SCALARMULT_CURVE25519_H)
|
|
|
|
#include <nacl/crypto_scalarmult_curve25519.h>
|
|
|
|
#endif
|
2012-12-03 21:44:21 +01:00
|
|
|
#endif
|
|
|
|
|
2013-06-06 23:58:28 +02:00
|
|
|
STATIC int
|
2012-12-03 21:44:21 +01:00
|
|
|
curve25519_impl(uint8_t *output, const uint8_t *secret,
|
|
|
|
const uint8_t *basepoint)
|
|
|
|
{
|
2013-02-04 18:50:01 +01:00
|
|
|
uint8_t bp[CURVE25519_PUBKEY_LEN];
|
|
|
|
int r;
|
|
|
|
memcpy(bp, basepoint, CURVE25519_PUBKEY_LEN);
|
|
|
|
/* Clear the high bit, in case our backend foolishly looks at it. */
|
|
|
|
bp[31] &= 0x7f;
|
2012-12-03 21:44:21 +01:00
|
|
|
#ifdef USE_CURVE25519_DONNA
|
2013-02-04 18:50:01 +01:00
|
|
|
r = curve25519_donna(output, secret, bp);
|
2012-12-03 21:44:21 +01:00
|
|
|
#elif defined(USE_CURVE25519_NACL)
|
2013-02-04 18:50:01 +01:00
|
|
|
r = crypto_scalarmult_curve25519(output, secret, bp);
|
2012-12-03 21:44:21 +01:00
|
|
|
#else
|
|
|
|
#error "No implementation of curve25519 is available."
|
|
|
|
#endif
|
2013-02-04 18:50:01 +01:00
|
|
|
memwipe(bp, 0, sizeof(bp));
|
|
|
|
return r;
|
2012-12-03 21:44:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/* ==============================
|
|
|
|
Part 2: Wrap curve25519_impl with some convenience types and functions.
|
|
|
|
============================== */
|
|
|
|
|
|
|
|
/**
|
|
|
|
* Return true iff a curve25519_public_key_t seems valid. (It's not necessary
|
|
|
|
* to see if the point is on the curve, since the twist is also secure, but we
|
|
|
|
* do need to make sure that it isn't the point at infinity.) */
|
|
|
|
int
|
|
|
|
curve25519_public_key_is_ok(const curve25519_public_key_t *key)
|
|
|
|
{
|
2012-12-26 04:25:09 +01:00
|
|
|
return !safe_mem_is_zero(key->public_key, CURVE25519_PUBKEY_LEN);
|
2012-12-03 21:44:21 +01:00
|
|
|
}
|
|
|
|
|
2013-09-29 19:30:24 +02:00
|
|
|
/**
|
|
|
|
* Generate CURVE25519_SECKEY_LEN random bytes in <b>out</b>. If
|
|
|
|
* <b>extra_strong</b> is true, this key is possibly going to get used more
|
|
|
|
* than once, so use a better-than-usual RNG. Return 0 on success, -1 on
|
|
|
|
* failure.
|
|
|
|
*
|
|
|
|
* This function does not adjust the output of the RNG at all; the will caller
|
|
|
|
* will need to clear or set the appropriate bits to make curve25519 work.
|
|
|
|
*/
|
2012-12-26 04:43:01 +01:00
|
|
|
int
|
2013-09-29 19:30:24 +02:00
|
|
|
curve25519_rand_seckey_bytes(uint8_t *out, int extra_strong)
|
2012-12-03 21:44:21 +01:00
|
|
|
{
|
2012-12-04 05:31:07 +01:00
|
|
|
uint8_t k_tmp[CURVE25519_SECKEY_LEN];
|
2012-12-03 21:44:21 +01:00
|
|
|
|
2013-09-29 19:30:24 +02:00
|
|
|
if (crypto_rand((char*)out, CURVE25519_SECKEY_LEN) < 0)
|
2012-12-26 04:43:01 +01:00
|
|
|
return -1;
|
2012-12-04 05:31:07 +01:00
|
|
|
if (extra_strong && !crypto_strongest_rand(k_tmp, CURVE25519_SECKEY_LEN)) {
|
|
|
|
/* If they asked for extra-strong entropy and we have some, use it as an
|
2013-01-31 19:53:29 +01:00
|
|
|
* HMAC key to improve not-so-good entropy rather than using it directly,
|
2012-12-04 05:31:07 +01:00
|
|
|
* just in case the extra-strong entropy is less amazing than we hoped. */
|
2013-09-29 19:30:24 +02:00
|
|
|
crypto_hmac_sha256((char*) out,
|
|
|
|
(const char *)k_tmp, sizeof(k_tmp),
|
|
|
|
(const char *)out, CURVE25519_SECKEY_LEN);
|
2012-12-04 05:31:07 +01:00
|
|
|
}
|
|
|
|
memwipe(k_tmp, 0, sizeof(k_tmp));
|
2013-09-29 19:30:24 +02:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** Generate a new keypair and return the secret key. If <b>extra_strong</b>
|
|
|
|
* is true, this key is possibly going to get used more than once, so
|
|
|
|
* use a better-than-usual RNG. Return 0 on success, -1 on failure. */
|
|
|
|
int
|
|
|
|
curve25519_secret_key_generate(curve25519_secret_key_t *key_out,
|
|
|
|
int extra_strong)
|
|
|
|
{
|
|
|
|
if (curve25519_rand_seckey_bytes(key_out->secret_key, extra_strong) < 0)
|
|
|
|
return -1;
|
|
|
|
|
2012-12-03 21:44:21 +01:00
|
|
|
key_out->secret_key[0] &= 248;
|
|
|
|
key_out->secret_key[31] &= 127;
|
|
|
|
key_out->secret_key[31] |= 64;
|
2012-12-26 04:43:01 +01:00
|
|
|
|
|
|
|
return 0;
|
2012-12-03 21:44:21 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
void
|
|
|
|
curve25519_public_key_generate(curve25519_public_key_t *key_out,
|
|
|
|
const curve25519_secret_key_t *seckey)
|
|
|
|
{
|
|
|
|
static const uint8_t basepoint[32] = {9};
|
|
|
|
|
|
|
|
curve25519_impl(key_out->public_key, seckey->secret_key, basepoint);
|
|
|
|
}
|
|
|
|
|
2012-12-26 04:43:01 +01:00
|
|
|
int
|
2012-12-04 21:57:16 +01:00
|
|
|
curve25519_keypair_generate(curve25519_keypair_t *keypair_out,
|
|
|
|
int extra_strong)
|
|
|
|
{
|
2012-12-26 04:43:01 +01:00
|
|
|
if (curve25519_secret_key_generate(&keypair_out->seckey, extra_strong) < 0)
|
|
|
|
return -1;
|
2012-12-04 21:57:16 +01:00
|
|
|
curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey);
|
2012-12-26 04:43:01 +01:00
|
|
|
return 0;
|
2012-12-04 21:57:16 +01:00
|
|
|
}
|
|
|
|
|
2014-09-25 21:03:55 +02:00
|
|
|
/** Write the <b>datalen</b> bytes from <b>data</b> to the file named
|
|
|
|
* <b>fname</b> in the tagged-data format. This format contains a
|
|
|
|
* 32-byte header, followed by the data itself. The header is the
|
|
|
|
* NUL-padded string "== <b>typestring</b>: <b>tag</b> ==". The length
|
|
|
|
* of <b>typestring</b> and <b>tag</b> must therefore be no more than
|
|
|
|
* 24.
|
|
|
|
**/
|
2012-12-04 21:57:16 +01:00
|
|
|
int
|
2013-10-18 19:25:00 +02:00
|
|
|
crypto_write_tagged_contents_to_file(const char *fname,
|
|
|
|
const char *typestring,
|
|
|
|
const char *tag,
|
|
|
|
const uint8_t *data,
|
|
|
|
size_t datalen)
|
2012-12-04 21:57:16 +01:00
|
|
|
{
|
2013-10-18 19:25:00 +02:00
|
|
|
char header[32];
|
|
|
|
smartlist_t *chunks = smartlist_new();
|
|
|
|
sized_chunk_t ch0, ch1;
|
|
|
|
int r = -1;
|
2012-12-04 21:57:16 +01:00
|
|
|
|
2013-10-18 19:25:00 +02:00
|
|
|
memset(header, 0, sizeof(header));
|
|
|
|
if (tor_snprintf(header, sizeof(header),
|
|
|
|
"== %s: %s ==", typestring, tag) < 0)
|
|
|
|
goto end;
|
|
|
|
ch0.bytes = header;
|
|
|
|
ch0.len = 32;
|
|
|
|
ch1.bytes = (const char*) data;
|
|
|
|
ch1.len = datalen;
|
|
|
|
smartlist_add(chunks, &ch0);
|
|
|
|
smartlist_add(chunks, &ch1);
|
2012-12-04 21:57:16 +01:00
|
|
|
|
2013-10-18 19:25:00 +02:00
|
|
|
r = write_chunks_to_file(fname, chunks, 1, 0);
|
2012-12-04 21:57:16 +01:00
|
|
|
|
2013-10-18 19:25:00 +02:00
|
|
|
end:
|
|
|
|
smartlist_free(chunks);
|
2012-12-04 21:57:16 +01:00
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
2014-09-25 21:03:55 +02:00
|
|
|
/** Read a tagged-data file from <b>fname</b> into the
|
|
|
|
* <b>data_out_len</b>-byte buffer in <b>data_out</b>. Check that the
|
|
|
|
* typestring matches <b>typestring</b>; store the tag into a newly allocated
|
|
|
|
* string in <b>tag_out</b>. Return -1 on failure, and the number of bytes of
|
|
|
|
* data on success. */
|
2013-10-18 19:25:00 +02:00
|
|
|
ssize_t
|
|
|
|
crypto_read_tagged_contents_from_file(const char *fname,
|
|
|
|
const char *typestring,
|
|
|
|
char **tag_out,
|
|
|
|
uint8_t *data_out,
|
|
|
|
ssize_t data_out_len)
|
2012-12-04 21:57:16 +01:00
|
|
|
{
|
|
|
|
char prefix[33];
|
2013-10-18 19:25:00 +02:00
|
|
|
char *content = NULL;
|
2012-12-04 21:57:16 +01:00
|
|
|
struct stat st;
|
2013-10-18 19:25:00 +02:00
|
|
|
ssize_t r = -1;
|
2014-09-25 23:59:10 +02:00
|
|
|
size_t st_size = 0;
|
2012-12-04 21:57:16 +01:00
|
|
|
|
|
|
|
*tag_out = NULL;
|
|
|
|
st.st_size = 0;
|
|
|
|
content = read_file_to_str(fname, RFTS_BIN|RFTS_IGNORE_MISSING, &st);
|
|
|
|
if (! content)
|
|
|
|
goto end;
|
2013-10-18 19:25:00 +02:00
|
|
|
if (st.st_size < 32 || st.st_size > 32 + data_out_len)
|
2012-12-04 21:57:16 +01:00
|
|
|
goto end;
|
2014-09-25 23:50:13 +02:00
|
|
|
st_size = (size_t)st.st_size;
|
2012-12-04 21:57:16 +01:00
|
|
|
|
|
|
|
memcpy(prefix, content, 32);
|
2013-10-18 19:25:00 +02:00
|
|
|
prefix[32] = 0;
|
|
|
|
/* Check type, extract tag. */
|
|
|
|
if (strcmpstart(prefix, "== ") || strcmpend(prefix, " ==") ||
|
|
|
|
! tor_mem_is_zero(prefix+strlen(prefix), 32-strlen(prefix)))
|
2012-12-04 21:57:16 +01:00
|
|
|
goto end;
|
|
|
|
|
2013-10-18 19:25:00 +02:00
|
|
|
if (strcmpstart(prefix+3, typestring) ||
|
|
|
|
3+strlen(typestring) >= 32 ||
|
|
|
|
strcmpstart(prefix+3+strlen(typestring), ": "))
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
*tag_out = tor_strndup(prefix+5+strlen(typestring),
|
|
|
|
strlen(prefix)-8-strlen(typestring));
|
|
|
|
|
2014-09-25 23:50:13 +02:00
|
|
|
memcpy(data_out, content+32, st_size-32);
|
|
|
|
r = st_size - 32;
|
2013-10-18 19:25:00 +02:00
|
|
|
|
|
|
|
end:
|
|
|
|
if (content)
|
2014-09-25 23:50:13 +02:00
|
|
|
memwipe(content, 0, st_size);
|
2013-10-18 19:25:00 +02:00
|
|
|
tor_free(content);
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** DOCDOC */
|
|
|
|
int
|
|
|
|
curve25519_keypair_write_to_file(const curve25519_keypair_t *keypair,
|
|
|
|
const char *fname,
|
|
|
|
const char *tag)
|
|
|
|
{
|
|
|
|
uint8_t contents[CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN];
|
|
|
|
int r;
|
2012-12-04 21:57:16 +01:00
|
|
|
|
2013-10-18 19:25:00 +02:00
|
|
|
memcpy(contents, keypair->seckey.secret_key, CURVE25519_SECKEY_LEN);
|
|
|
|
memcpy(contents+CURVE25519_SECKEY_LEN,
|
|
|
|
keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);
|
|
|
|
|
|
|
|
r = crypto_write_tagged_contents_to_file(fname,
|
|
|
|
"c25519v1",
|
|
|
|
tag,
|
|
|
|
contents,
|
|
|
|
sizeof(contents));
|
|
|
|
|
|
|
|
memwipe(contents, 0, sizeof(contents));
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
|
|
|
/** DOCDOC */
|
|
|
|
int
|
|
|
|
curve25519_keypair_read_from_file(curve25519_keypair_t *keypair_out,
|
|
|
|
char **tag_out,
|
|
|
|
const char *fname)
|
|
|
|
{
|
|
|
|
uint8_t content[CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN];
|
|
|
|
ssize_t len;
|
|
|
|
int r = -1;
|
|
|
|
|
|
|
|
len = crypto_read_tagged_contents_from_file(fname, "c25519v1", tag_out,
|
|
|
|
content, sizeof(content));
|
|
|
|
if (len != sizeof(content))
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
memcpy(keypair_out->seckey.secret_key, content, CURVE25519_SECKEY_LEN);
|
2012-12-04 21:57:16 +01:00
|
|
|
curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey);
|
|
|
|
if (tor_memneq(keypair_out->pubkey.public_key,
|
2013-10-18 19:25:00 +02:00
|
|
|
content + CURVE25519_SECKEY_LEN,
|
2012-12-04 21:57:16 +01:00
|
|
|
CURVE25519_PUBKEY_LEN))
|
|
|
|
goto end;
|
|
|
|
|
|
|
|
r = 0;
|
|
|
|
|
|
|
|
end:
|
2013-10-18 19:25:00 +02:00
|
|
|
memwipe(content, 0, sizeof(content));
|
2012-12-04 21:57:16 +01:00
|
|
|
if (r != 0) {
|
|
|
|
memset(keypair_out, 0, sizeof(*keypair_out));
|
|
|
|
tor_free(*tag_out);
|
|
|
|
}
|
|
|
|
return r;
|
|
|
|
}
|
|
|
|
|
2012-12-03 21:44:21 +01:00
|
|
|
/** Perform the curve25519 ECDH handshake with <b>skey</b> and <b>pkey</b>,
|
|
|
|
* writing CURVE25519_OUTPUT_LEN bytes of output into <b>output</b>. */
|
|
|
|
void
|
|
|
|
curve25519_handshake(uint8_t *output,
|
|
|
|
const curve25519_secret_key_t *skey,
|
|
|
|
const curve25519_public_key_t *pkey)
|
|
|
|
{
|
|
|
|
curve25519_impl(output, skey->secret_key, pkey->public_key);
|
|
|
|
}
|
|
|
|
|