udp communicator: ECDH with elligatordev/pedram/elligator

4 files changed, 89 insertions, 31 deletions

diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 4af95af0f..a19e1e519 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -2692,7 +2692,7 @@ bool
 GNUNET_CRYPTO_ecdhe_elligator_decoding (struct
                                         GNUNET_CRYPTO_EcdhePublicKey *point,
                                         bool *high_y,
-                                        struct
+                                        const struct
                                         GNUNET_CRYPTO_ElligatorRepresentative *
                                         seriliazed_representative);
 
@@ -2749,10 +2749,10 @@ GNUNET_CRYPTO_ecdhe_elligator_key_create (
 
 /**
  * @ingroup crypto
- * Carries out ecdh encapsulation with given public key and a freshly created ephemeral key pair. Ephemeral public key is given as a representative.
+ * Carries out ecdh encapsulation with given public key and the private key from a freshly created ephemeral key pair.
  *
  * Following the terminology in https://eprint.iacr.org/2021/509.pdf
- * @param pub receivers edwards curve public key (X)
+ * @param pub given edwards curve public key (X)
  * @param r representative of ephemeral public key A to use for the ECDH (direct_map(r)=A=aG)
  * @param key_material where to write the key material H(aX)=H(x(aG))
  * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
@@ -2767,18 +2767,18 @@ GNUNET_CRYPTO_eddsa_elligator_kem_encaps (const struct
 
 /**
  * @ingroup crypto
- * Carries out ecdh decapsulation with given private key and the representative of received public key.
+ * Carries out ecdh decapsulation with own private key and the representative of the received public key.
  *
  * Following the terminology in https://eprint.iacr.org/2021/509.pdf
  * @param priv own private key (x)
- * @param r received representative (direct_map(r)=A=aG)
+ * @param r received representative r, from which we can obtain the public key A (direct_map(r)=A=aG)
  * @param key_material where to write the key material H(xA)=H(a(xG))
  * @return #GNUNET_SYSERR on error, #GNUNET_OK on success
  */
 enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_eddsa_elligator_kem_decaps (const struct
                                           GNUNET_CRYPTO_EddsaPrivateKey *priv,
-                                          struct
+                                          const struct
                                           GNUNET_CRYPTO_ElligatorRepresentative
                                           *r,
                                           struct GNUNET_HashCode *key_material);
diff --git a/src/lib/util/crypto_elligator.c b/src/lib/util/crypto_elligator.c
index d7f4bb1dd..5ceebedbe 100644
--- a/src/lib/util/crypto_elligator.c
+++ b/src/lib/util/crypto_elligator.c
@@ -447,11 +447,11 @@ bool
 GNUNET_CRYPTO_ecdhe_elligator_decoding (struct
                                         GNUNET_CRYPTO_EcdhePublicKey *point,
                                         bool *high_y,
-                                        struct
+                                        const struct
                                         GNUNET_CRYPTO_ElligatorRepresentative *
                                         representative)
 {
-  // if sign of direct map transformation not needed whether throw it away
+  // if sign of direct map transformation not needed throw it away
   bool high_y_local;
   bool *high_y_ptr;
   if (NULL == high_y)
@@ -459,11 +459,13 @@ GNUNET_CRYPTO_ecdhe_elligator_decoding (struct
   else
     high_y_ptr = high_y;
 
-  representative->r[31] &= 63;
+  struct GNUNET_CRYPTO_ElligatorRepresentative r_tmp;
+  memcpy (&r_tmp, &representative->r, sizeof(r_tmp.r));
+  r_tmp.r[31] &= 63;
   // GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,"Print high_y\n");
   return GNUNET_CRYPTO_ecdhe_elligator_direct_map ((uint8_t *) point->q_y,
                                                    high_y_ptr,
-                                                   (uint8_t *) representative->r);
+                                                   (uint8_t *) r_tmp.r);
 }
 
 
@@ -630,21 +632,18 @@ GNUNET_CRYPTO_eddsa_elligator_kem_encaps (const struct
                                           *r,
                                           struct GNUNET_HashCode *key_material)
 {
-  struct GNUNET_CRYPTO_EcdhePrivateKey sk_eph;
-  struct GNUNET_CRYPTO_EcdhePublicKey pub_eph;
+  struct GNUNET_CRYPTO_EcdhePrivateKey sk;
 
-  GNUNET_CRYPTO_ecdhe_elligator_key_create (r, &sk_eph);
-  // TODO: probably makes more sense if key_create outputs ecdhe pub instead of repr because ecdhe pub is needed for ecdh on senders side.
-  GNUNET_CRYPTO_ecdhe_elligator_decoding (&pub_eph, NULL, r);
+  GNUNET_CRYPTO_ecdhe_elligator_key_create (r, &sk);
 
-  return GNUNET_CRYPTO_ecdh_eddsa (&sk_eph, pub, key_material);
+  return GNUNET_CRYPTO_ecdh_eddsa (&sk, pub, key_material);
 }
 
 
 enum GNUNET_GenericReturnValue
 GNUNET_CRYPTO_eddsa_elligator_kem_decaps (const struct
                                           GNUNET_CRYPTO_EddsaPrivateKey *priv,
-                                          struct
+                                          const struct
                                           GNUNET_CRYPTO_ElligatorRepresentative
                                           *r,
                                           struct GNUNET_HashCode *key_material)
diff --git a/src/lib/util/test_crypto_elligator.c b/src/lib/util/test_crypto_elligator.c
index c42e1de3a..bd357a259 100644
--- a/src/lib/util/test_crypto_elligator.c
+++ b/src/lib/util/test_crypto_elligator.c
@@ -226,20 +226,22 @@ testTimeDecoding (void)
 static int
 elligatorKEM ()
 {
-  struct GNUNET_CRYPTO_EddsaPrivateKey pk;
-  struct GNUNET_CRYPTO_EddsaPublicKey pub;
-  GNUNET_CRYPTO_eddsa_key_create (&pk);
-  GNUNET_CRYPTO_eddsa_key_get_public (&pk,&pub);
+  struct GNUNET_CRYPTO_EddsaPrivateKey pk_receiver;
+  struct GNUNET_CRYPTO_EddsaPublicKey pub_receiver;
+  GNUNET_CRYPTO_eddsa_key_create (&pk_receiver);
+  GNUNET_CRYPTO_eddsa_key_get_public (&pk_receiver, &pub_receiver);
 
-  struct GNUNET_CRYPTO_ElligatorRepresentative r;
+  struct GNUNET_CRYPTO_ElligatorRepresentative r_sender;
 
   // Sender side
   struct GNUNET_HashCode key_material_encaps;
-  GNUNET_CRYPTO_eddsa_elligator_kem_encaps (&pub, &r, &key_material_encaps);
+  GNUNET_CRYPTO_eddsa_elligator_kem_encaps (&pub_receiver, &r_sender,
+                                            &key_material_encaps);
 
   // Receiving side
   struct GNUNET_HashCode key_material_decaps;
-  GNUNET_CRYPTO_eddsa_elligator_kem_decaps (&pk,&r,&key_material_decaps);
+  GNUNET_CRYPTO_eddsa_elligator_kem_decaps (&pk_receiver, &r_sender,
+                                            &key_material_decaps);
 
   if (memcmp (&(key_material_encaps.bits),&(key_material_decaps.bits),
               sizeof(key_material_encaps.bits)) != 0)
diff --git a/src/service/transport/gnunet-communicator-udp.c b/src/service/transport/gnunet-communicator-udp.c
index 29beb4e37..48319461e 100644
--- a/src/service/transport/gnunet-communicator-udp.c
+++ b/src/service/transport/gnunet-communicator-udp.c
@@ -198,9 +198,9 @@ struct UdpHandshakeSignature
 struct InitialKX
 {
   /**
-   * Ephemeral key for KX.
+   * Representative of ephemeral key for KX.
    */
-  struct GNUNET_CRYPTO_EcdhePublicKey ephemeral;
+  struct GNUNET_CRYPTO_ElligatorRepresentative representative;
 
   /**
    * HMAC for the following encrypted message, using GCM.  HMAC uses
@@ -1330,6 +1330,27 @@ setup_shared_secret_dec (const struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral)
 
 
 /**
+ * Setup shared secret for decryption for initial handshake.
+ *
+ * @param representative of ephemeral key we received from the other peer
+ * @return new shared secret
+ */
+static struct SharedSecret *
+setup_initial_shared_secret_dec (const struct
+                                 GNUNET_CRYPTO_ElligatorRepresentative *
+                                 representative)
+{
+  struct SharedSecret *ss;
+
+  ss = GNUNET_new (struct SharedSecret);
+  GNUNET_CRYPTO_eddsa_elligator_kem_decaps (my_private_key, representative,
+                                            &ss->master);
+  calculate_cmac (ss);
+  return ss;
+}
+
+
+/**
  * Setup new shared secret for encryption using KEM.
  *
  * @param[out] ephemeral ephemeral key to be sent to other peer (encapsulated key from KEM)
@@ -1356,6 +1377,35 @@ setup_shared_secret_ephemeral (struct GNUNET_CRYPTO_EcdhePublicKey *ephemeral,
 
 
 /**
+ * Setup new shared secret for encryption using KEM for initial handshake.
+ *
+ * @param[out] representative of ephemeral key to be sent to other peer (encapsulated key from KEM)
+ * @param[in,out] receiver queue to initialize encryption key for
+ * @return new shared secret
+ */
+static struct SharedSecret *
+setup_initial_shared_secret_ephemeral (struct
+                                       GNUNET_CRYPTO_ElligatorRepresentative *
+                                       representative,
+                                       struct ReceiverAddress *receiver)
+{
+  struct SharedSecret *ss;
+  struct GNUNET_HashCode k;
+
+  GNUNET_CRYPTO_eddsa_elligator_kem_encaps (&receiver->target.public_key,
+                                            representative, &k);
+  ss = GNUNET_new (struct SharedSecret);
+  memcpy (&ss->master, &k, sizeof (k));
+  calculate_cmac (ss);
+  ss->receiver = receiver;
+  GNUNET_CONTAINER_DLL_insert (receiver->ss_head, receiver->ss_tail, ss);
+  receiver->num_secrets++;
+  GNUNET_STATISTICS_update (stats, "# Secrets active", 1, GNUNET_NO);
+  return ss;
+}
+
+
+/**
  * Setup the MQ for the @a receiver.  If a queue exists,
  * the existing one is destroyed.  Then the MTU is
  * recalculated and a fresh queue is initialized.
@@ -2072,7 +2122,7 @@ sock_read (void *cls)
       struct SenderAddress *sender;
 
       kx = (const struct InitialKX *) buf;
-      ss = setup_shared_secret_dec (&kx->ephemeral);
+      ss = setup_initial_shared_secret_dec (&kx->representative);
       GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
                   "Before DEC\n");
 
@@ -2097,7 +2147,11 @@ sock_read (void *cls)
                   "Before VERIFY\n");
 
       uc = (const struct UDPConfirmation *) pbuf;
-      if (GNUNET_OK != verify_confirmation (&kx->ephemeral, uc))
+
+      struct GNUNET_CRYPTO_EcdhePublicKey pub_ephemeral;
+      GNUNET_CRYPTO_ecdhe_elligator_decoding (&pub_ephemeral, NULL,
+                                              &kx->representative);
+      if (GNUNET_OK != verify_confirmation (&pub_ephemeral, uc)) // TODO: need ephemeral instead of representative
       {
         GNUNET_break_op (0);
         GNUNET_free (ss);
@@ -2330,8 +2384,10 @@ send_msg_with_kx (const struct GNUNET_MessageHeader *msg, struct
   reschedule_receiver_timeout (receiver);
 
   /* setup key material */
-
-  ss = setup_shared_secret_ephemeral (&uhs.ephemeral, receiver);
+  struct GNUNET_CRYPTO_ElligatorRepresentative repr;
+  ss = setup_initial_shared_secret_ephemeral (&repr, receiver);
+  GNUNET_CRYPTO_ecdhe_elligator_decoding (&uhs.ephemeral, NULL,
+                                          &repr);
 
   if (receiver->num_secrets > MAX_SECRETS)
   {
@@ -2371,7 +2427,7 @@ send_msg_with_kx (const struct GNUNET_MessageHeader *msg, struct
   dpos += msize;
   do_pad (out_cipher, &dgram[dpos], sizeof(dgram) - dpos);
   /* Datagram starts with kx */
-  kx.ephemeral = uhs.ephemeral;
+  kx.representative = repr;
   GNUNET_assert (
     0 == gcry_cipher_gettag (out_cipher, kx.gcm_tag, sizeof(kx.gcm_tag)));
   gcry_cipher_close (out_cipher);
@@ -3466,6 +3522,7 @@ run (void *cls,
 int
 main (int argc, char *const *argv)
 {
+  GNUNET_CRYPTO_ecdhe_elligator_initialize ();
   static const struct GNUNET_GETOPT_CommandLineOption options[] = {
     GNUNET_GETOPT_OPTION_END
   };