KDF code

7 files changed, 349 insertions, 28 deletions

diff --git a/src/core/gnunet-service-core.c b/src/core/gnunet-service-core.c
index 9496d2209..8ceb92ac6 100644
--- a/src/core/gnunet-service-core.c
+++ b/src/core/gnunet-service-core.c
@@ -2122,10 +2122,11 @@ process_plaintext_neighbour_queue (struct Neighbour *n)
   em->header.type = htons (GNUNET_MESSAGE_TYPE_CORE_ENCRYPTED_MESSAGE);
   em->iv_seed = ph->iv_seed;
   esize = used - ENCRYPTED_HEADER_SIZE;
-  GNUNET_CRYPTO_hmac (&n->encrypt_key,
-                      &ph->sequence_number,
-                      esize - sizeof (GNUNET_HashCode), 
-                      &ph->hmac);
+// FIXME NILS
+//  GNUNET_CRYPTO_hmac (&n->encrypt_key,
+//                    &ph->sequence_number,
+//                    esize - sizeof (GNUNET_HashCode),
+//                    &ph->hmac);
   GNUNET_CRYPTO_hash (&ph->iv_seed, sizeof (uint32_t), &iv);
 #if DEBUG_HANDSHAKE
   GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
@@ -3356,24 +3357,25 @@ handle_encrypted_message (struct Neighbour *n,
     return;
   pt = (struct EncryptedMessage *) buf;
   /* validate hash */
-  GNUNET_CRYPTO_hmac (&n->decrypt_key,
-                      &pt->sequence_number,
-                      size - ENCRYPTED_HEADER_SIZE - sizeof (GNUNET_HashCode), &ph);
-#if DEBUG_HANDSHAKE 
-  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
-              "V-Hashed %u bytes of plaintext (`%s') using IV `%d'\n",
-              (unsigned int) (size - ENCRYPTED_HEADER_SIZE - sizeof (GNUNET_HashCode)),
-              GNUNET_h2s (&ph),
-              (int) m->iv_seed);
-#endif
-  if (0 != memcmp (&ph, 
-                   &pt->hmac, 
-                   sizeof (GNUNET_HashCode)))
-    {
-      /* checksum failed */
-      GNUNET_break_op (0);
-      return;
-    }
+// FIXME NILS
+//  GNUNET_CRYPTO_hmac (&n->decrypt_key,
+//                    &pt->sequence_number,
+//                      size - ENCRYPTED_HEADER_SIZE - sizeof (GNUNET_HashCode), &ph);
+//#if DEBUG_HANDSHAKE
+//  GNUNET_log (GNUNET_ERROR_TYPE_DEBUG,
+//              "V-Hashed %u bytes of plaintext (`%s') using IV `%d'\n",
+//            (unsigned int) (size - ENCRYPTED_HEADER_SIZE - sizeof (GNUNET_HashCode)),
+//            GNUNET_h2s (&ph),
+//            (int) m->iv_seed);
+//#endif
+//  if (0 != memcmp (&ph,
+//                 &pt->hmac,
+//                 sizeof (GNUNET_HashCode)))
+//    {
+//      /* checksum failed */
+//      GNUNET_break_op (0);
+//      return;
+//    }
 
   /* validate sequence number */
   snum = ntohl (pt->sequence_number);
diff --git a/src/include/gnunet_crypto_lib.h b/src/include/gnunet_crypto_lib.h
index 126c599b9..baea6859a 100644
--- a/src/include/gnunet_crypto_lib.h
+++ b/src/include/gnunet_crypto_lib.h
@@ -57,7 +57,12 @@ enum GNUNET_CRYPTO_Quality
   /**
    * High-quality operations are desired.
    */
-  GNUNET_CRYPTO_QUALITY_STRONG
+  GNUNET_CRYPTO_QUALITY_STRONG,
+
+  /**
+   * Randomness for IVs etc. is required.
+   */
+  GNUNET_CRYPTO_QUALITY_NONCE
 };
 
 
@@ -87,6 +92,11 @@ enum GNUNET_CRYPTO_Quality
 
 
 /**
+ * Length of a hash value
+ */
+#define GNUNET_CRYPTO_HASH_LENGTH 512/8
+
+/**
  * The private information of an RSA key pair.
  */
 struct GNUNET_CRYPTO_RsaPrivateKey;
@@ -201,6 +211,15 @@ struct GNUNET_CRYPTO_AesInitializationVector
 };
 
 
+/**
+ * @brief type for (message) authentication keys
+ */
+struct GNUNET_CRYPTO_AuthKey
+{
+  unsigned char key[GNUNET_CRYPTO_HASH_LENGTH];
+};
+
+
 /* **************** Functions and Macros ************* */
 
 
@@ -257,7 +276,6 @@ unsigned int *GNUNET_CRYPTO_random_permute (enum GNUNET_CRYPTO_Quality mode,
 void GNUNET_CRYPTO_aes_create_session_key (struct GNUNET_CRYPTO_AesSessionKey
                                            *key);
 
-
 /**
  * Check that a new session key is well-formed.
  *
@@ -306,6 +324,34 @@ ssize_t GNUNET_CRYPTO_aes_decrypt (const void *block,
 
 
 /**
+ * @brief Derive an IV
+ * @param iv initialization vector
+ * @param skey session key
+ * @param salt salt for the derivation
+ * @param salt_len size of the salt
+ * @param ... pairs of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_aes_derive_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
+    const struct GNUNET_CRYPTO_AesSessionKey *skey, void *salt,
+    size_t salt_len, ...);
+
+
+/**
+ * @brief Derive an IV
+ * @param iv initialization vector
+ * @param skey session key
+ * @param salt salt for the derivation
+ * @param salt_len size of the salt
+ * @param argp pairs of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_aes_derive_iv_v (struct GNUNET_CRYPTO_AesInitializationVector *iv,
+    const struct GNUNET_CRYPTO_AesSessionKey *skey, void *salt,
+    size_t salt_len, va_list argp);
+
+
+/**
  * Convert hash to ASCII encoding.
  * @param block the hash code
  * @param result where to store the encoding (struct GNUNET_CRYPTO_HashAsciiEncoded can be
@@ -362,7 +408,7 @@ void GNUNET_CRYPTO_hash (const void *block,
  * @param hmac where to store the hmac
  */
 void 
-GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AesSessionKey *key,
+GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
                     const void *plaintext,
                     size_t plaintext_len,
                     GNUNET_HashCode *hmac);
@@ -526,6 +572,37 @@ int GNUNET_CRYPTO_hash_xorcmp (const GNUNET_HashCode * h1,
 
 
 /**
+ * @brief Derive an authentication key
+ * @param key authentication key
+ * @param rkey root key
+ * @param salt salt
+ * @param salt_len size of the salt
+ * @param argp pair of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_hmac_derive_key_v(struct GNUNET_CRYPTO_AuthKey *key,
+                                const struct GNUNET_CRYPTO_AesSessionKey *rkey,
+                                const void *salt,
+                                const size_t salt_len,
+                                const va_list argp);
+
+
+/**
+ * @brief Derive an authentication key
+ * @param key authentication key
+ * @param rkey root key
+ * @param salt salt
+ * @param salt_len size of the salt
+ * @param ... pair of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_hmac_derive_key(struct GNUNET_CRYPTO_AuthKey *key,
+                              const struct GNUNET_CRYPTO_AesSessionKey *rkey,
+                              const void *salt,
+                              const size_t salt_len,
+                              ...);
+
+/**
  * @brief Derive key
  * @param result buffer for the derived key, allocated by caller
  * @param out_len desired length of the derived key
@@ -546,6 +623,59 @@ GNUNET_CRYPTO_hkdf (void *result, const unsigned long long out_len,
 
 
 /**
+ * @brief Derive key
+ * @param result buffer for the derived key, allocated by caller
+ * @param out_len desired length of the derived key
+ * @param xtr_algo hash algorithm for the extraction phase, GCRY_MD_...
+ * @param prf_algo hash algorithm for the expansion phase, GCRY_MD_...
+ * @param xts salt
+ * @param xts_len length of xts
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param argp va_list of void * & size_t pairs for context chunks
+ * @return GNUNET_YES on success
+ */
+int
+GNUNET_CRYPTO_hkdf_v (void *result, const unsigned long long out_len,
+    int xtr_algo, int prf_algo, const void *xts, const size_t xts_len,
+    const void *skm, const size_t skm_len, va_list argp);
+
+
+/**
+ * @brief Derive key
+ * @param result buffer for the derived key, allocated by caller
+ * @param out_len desired length of the derived key
+ * @param xts salt
+ * @param xts_len length of xts
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param argp va_list of void * & size_t pairs for context chunks
+ * @return GNUNET_YES on success
+ */
+int
+GNUNET_CRYPTO_kdf_v (void *result, const unsigned long long out_len,
+    const void *xts, const size_t xts_len, const void *skm,
+    const size_t skm_len, va_list argp);
+
+
+/**
+ * @brief Derive key
+ * @param result buffer for the derived key, allocated by caller
+ * @param out_len desired length of the derived key
+ * @param xts salt
+ * @param xts_len length of xts
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param ... void * & size_t pairs for context chunks
+ * @return GNUNET_YES on success
+ */
+int
+GNUNET_CRYPTO_kdf (void *result, const unsigned long long out_len,
+    const void *xts, const size_t xts_len, const void *skm,
+    const size_t skm_len, ...);
+
+
+/**
  * Create a new private key. Caller must free return value.
  *
  * @return fresh private key
diff --git a/src/util/Makefile.am b/src/util/Makefile.am
index 2f7edd301..7975c5da1 100644
--- a/src/util/Makefile.am
+++ b/src/util/Makefile.am
@@ -41,6 +41,7 @@ libgnunetutil_la_SOURCES = \
   crypto_crc.c \
   crypto_hash.c \
   crypto_hkdf.c \
+  crypto_kdf.c \
   crypto_ksk.c \
   crypto_random.c \
   crypto_rsa.c \
diff --git a/src/util/crypto_aes.c b/src/util/crypto_aes.c
index a44c2d133..bf618ffc3 100644
--- a/src/util/crypto_aes.c
+++ b/src/util/crypto_aes.c
@@ -148,4 +148,41 @@ GNUNET_CRYPTO_aes_decrypt (const void *block,
   return size;
 }
 
+/**
+ * @brief Derive an IV
+ * @param iv initialization vector
+ * @param skey session key
+ * @param salt salt for the derivation
+ * @param salt_len size of the salt
+ * @param ... pairs of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_aes_derive_iv (struct GNUNET_CRYPTO_AesInitializationVector *iv,
+    const struct GNUNET_CRYPTO_AesSessionKey *skey, void *salt,
+    size_t salt_len, ...)
+{
+  va_list argp;
+
+  va_start (argp, salt_len);
+  GNUNET_CRYPTO_aes_derive_iv_v (iv, skey, salt, salt_len, argp);
+  va_end (argp);
+}
+
+/**
+ * @brief Derive an IV
+ * @param iv initialization vector
+ * @param skey session key
+ * @param salt salt for the derivation
+ * @param salt_len size of the salt
+ * @param argp pairs of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_aes_derive_iv_v (struct GNUNET_CRYPTO_AesInitializationVector *iv,
+    const struct GNUNET_CRYPTO_AesSessionKey *skey, void *salt,
+    size_t salt_len, va_list argp)
+{
+  GNUNET_CRYPTO_kdf_v (iv->iv, sizeof(iv->iv), salt, salt_len, skey->key,
+      sizeof(skey->key), argp);
+}
+
 /* end of crypto_aes.c */
diff --git a/src/util/crypto_hash.c b/src/util/crypto_hash.c
index 0fb2451b2..db911aa5f 100644
--- a/src/util/crypto_hash.c
+++ b/src/util/crypto_hash.c
@@ -832,6 +832,48 @@ GNUNET_CRYPTO_hash_xorcmp (const GNUNET_HashCode * h1,
 
 
 /**
+ * @brief Derive an authentication key
+ * @param key authentication key
+ * @param rkey root key
+ * @param salt salt
+ * @param salt_len size of the salt
+ * @param ... pair of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_hmac_derive_key(struct GNUNET_CRYPTO_AuthKey *key,
+                              const struct GNUNET_CRYPTO_AesSessionKey *rkey,
+                              const void *salt,
+                              const size_t salt_len,
+                              ...)
+{
+  va_list argp;
+
+  va_start (argp, salt_len);
+  GNUNET_CRYPTO_hmac_derive_key_v (key, rkey, salt, salt_len, argp);
+  va_end (argp);
+}
+
+
+/**
+ * @brief Derive an authentication key
+ * @param key authentication key
+ * @param rkey root key
+ * @param salt salt
+ * @param salt_len size of the salt
+ * @param argp pair of void * & size_t for context chunks, terminated by NULL
+ */
+void
+GNUNET_CRYPTO_hmac_derive_key_v(struct GNUNET_CRYPTO_AuthKey *key,
+                                const struct GNUNET_CRYPTO_AesSessionKey *rkey,
+                                const void *salt,
+                                const size_t salt_len,
+                                const va_list argp)
+{
+  GNUNET_CRYPTO_kdf_v (key->key, sizeof(key->key), salt, salt_len, rkey->key,
+      sizeof(rkey->key), argp);
+}
+
+/**
  * Calculate HMAC of a message (RFC 2104)
  *
  * @param key secret key
@@ -840,7 +882,7 @@ GNUNET_CRYPTO_hash_xorcmp (const GNUNET_HashCode * h1,
  * @param hmac where to store the hmac
  */
 void 
-GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AesSessionKey *key,
+GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AuthKey *key,
                     const void *plaintext,
                     size_t plaintext_len,
                     GNUNET_HashCode *hmac)
@@ -852,8 +894,7 @@ GNUNET_CRYPTO_hmac (const struct GNUNET_CRYPTO_AesSessionKey *key,
   struct sha512_ctx sctx;
 
   memset (&kh, 0, sizeof (kh));
-  GNUNET_assert (sizeof (GNUNET_HashCode) > sizeof (struct GNUNET_CRYPTO_AesSessionKey));
-  memcpy (&kh, key, sizeof (struct GNUNET_CRYPTO_AesSessionKey));                               
+  memcpy (&kh, key->key, sizeof (struct GNUNET_CRYPTO_AuthKey));
   memset (&ipad, 0x5c, sizeof (ipad));
   memset (&opad, 0x36, sizeof (opad));
   GNUNET_CRYPTO_hash_xor (&ipad, &kh, &ipad);
diff --git a/src/util/crypto_kdf.c b/src/util/crypto_kdf.c
new file mode 100644
index 000000000..785603c8c
--- /dev/null
+++ b/src/util/crypto_kdf.c
@@ -0,0 +1,88 @@
+/*
+     This file is part of GNUnet.
+     (C) 2010 Christian Grothoff (and other contributing authors)
+
+     GNUnet is free software; you can redistribute it and/or modify
+     it under the terms of the GNU General Public License as published
+     by the Free Software Foundation; either version 2, or (at your
+     option) any later version.
+
+     GNUnet is distributed in the hope that it will be useful, but
+     WITHOUT ANY WARRANTY; without even the implied warranty of
+     MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+     General Public License for more details.
+
+     You should have received a copy of the GNU General Public License
+     along with GNUnet; see the file COPYING.  If not, write to the
+     Free Software Foundation, Inc., 59 Temple Place - Suite 330,
+     Boston, MA 02111-1307, USA.
+*/
+
+/**
+ * @file src/util/crypto_kdf.c
+ * @brief Key derivation
+ * @author Nils Durner
+ */
+
+#include <gcrypt.h>
+
+#include "platform.h"
+#include "gnunet_crypto_lib.h"
+
+/**
+ * @brief Derive key
+ * @param result buffer for the derived key, allocated by caller
+ * @param out_len desired length of the derived key
+ * @param xts salt
+ * @param xts_len length of xts
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param argp va_list of void * & size_t pairs for context chunks
+ * @return GNUNET_YES on success
+ */
+int
+GNUNET_CRYPTO_kdf_v (void *result, const unsigned long long out_len,
+    const void *xts, const size_t xts_len, const void *skm,
+    const size_t skm_len, va_list argp)
+{
+  /*
+   "Finally, we point out to a particularly advantageous instantiation using
+    HMAC-SHA512 as XTR and HMAC-SHA256 in PRF* (in which case the output from SHA-512 is
+    truncated to 256 bits). This makes sense in two ways: First, the extraction part is where we need a
+    stronger hash function due to the unconventional demand from the hash function in the extraction
+    setting. Second, as shown in Section 6, using HMAC with a truncated output as an extractor
+    allows to prove the security of HKDF under considerably weaker assumptions on the underlying
+    hash function."
+
+   http://eprint.iacr.org/2010/264
+   */
+
+  return GNUNET_CRYPTO_hkdf_v (result, out_len, GCRY_MD_SHA512, GCRY_MD_SHA256,
+      xts, xts_len, skm, skm_len, argp);
+}
+
+/**
+ * @brief Derive key
+ * @param result buffer for the derived key, allocated by caller
+ * @param out_len desired length of the derived key
+ * @param xts salt
+ * @param xts_len length of xts
+ * @param skm source key material
+ * @param skm_len length of skm
+ * @param ... void * & size_t pairs for context chunks
+ * @return GNUNET_YES on success
+ */
+int
+GNUNET_CRYPTO_kdf (void *result, const unsigned long long out_len,
+    const void *xts, const size_t xts_len, const void *skm,
+    const size_t skm_len, ...)
+{
+  va_list argp;
+  int ret;
+
+  va_start(argp, skm_len);
+  ret = GNUNET_CRYPTO_kdf_v (result, out_len, xts, xts_len, skm, skm_len, argp);
+  va_end(argp);
+
+  return ret;
+}
diff --git a/src/util/crypto_random.c b/src/util/crypto_random.c
index 0a092cdcc..14d87b1cd 100644
--- a/src/util/crypto_random.c
+++ b/src/util/crypto_random.c
@@ -76,6 +76,17 @@ GNUNET_CRYPTO_random_u32 (enum GNUNET_CRYPTO_Quality mode, uint32_t i)
       while (ret >= ul);
       return ret % i;
     }
+  else if (mode == GNUNET_CRYPTO_QUALITY_NONCE)
+    {
+      ul = UINT32_MAX - (UINT32_MAX % i);
+      do
+        {
+          gcry_create_nonce(&ret, sizeof(ret));
+        }
+      while (ret >= ul);
+
+      return ret % i;
+    }
   else
     {
       ret = i * weak_random ();
@@ -142,6 +153,17 @@ GNUNET_CRYPTO_random_u64 (enum GNUNET_CRYPTO_Quality mode, uint64_t max)
       while (ret >= ul);
       return ret % max;
     }
+  else if (mode == GNUNET_CRYPTO_QUALITY_NONCE)
+    {
+      ul = UINT64_MAX - (UINT64_MAX % max);
+      do
+        {
+          gcry_create_nonce(&ret, sizeof(ret));
+        }
+      while (ret >= ul);
+
+      return ret % max;
+    }
   else
     {
       ret = max * weak_random ();