Diffstat (limited to 'src/lib/util/crypto_ecc_gnsrecord.c')
-rw-r--r-- | src/lib/util/crypto_ecc_gnsrecord.c | 451 |
1 files changed, 451 insertions, 0 deletions
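--- /dev/null
+++ b/src/lib/util/crypto_ecc_gnsrecord.c
@@ -0,0 +1,451 @@
+/*
+This file is part of GNUnet.
+Copyright (C) 2012, 2013, 2015 GNUnet e.V.
+
+GNUnet is free software: you can redistribute it and/or modify it
+under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License,
+or (at your option) any later version.
+
+GNUnet is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+SPDX-License-Identifier: AGPL3.0-or-later
+*/
+
+/**
+* @file util/crypto_ecc_gnsrecord.c
+* @brief public key cryptography (ECC) for GNS records (LSD0001)
+* @author Christian Grothoff
+* @author Florian Dold
+* @author Martin Schanzenbach
+*/
+
+#include "platform.h"
+#include <gcrypt.h>
+#include <sodium.h>
+#include "gnunet_util_lib.h"
+
+#define CURVE "Ed25519"
+
+/**
+* Derive the 'h' value for key derivation, where
+* 'h = H(l,P)'.
+*
+* @param pub public key for deriviation
+* @param pubsize the size of the public key
+* @param label label for deriviation
+* @param context additional context to use for HKDF of 'h';
+* typically the name of the subsystem/application
+* @param hc where to write the result
+*/
+void
+derive_h (const void *pub,
+size_t pubsize,
+const char *label,
+const char *context,
+struct GNUNET_HashCode *hc)
+{
+static const char *const salt = "key-derivation";
+
+GNUNET_CRYPTO_kdf (hc,
+sizeof(*hc),
+salt,
+strlen (salt),
+pub,
+pubsize,
+label,
+strlen (label),
+context,
+strlen (context),
+NULL,
+0);
+}
+
+
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_eddsa_sign_derived (
+const struct GNUNET_CRYPTO_EddsaPrivateKey *pkey,
+const char *label,
+const char *context,
+const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+struct GNUNET_CRYPTO_EddsaSignature *sig)
+{
+struct GNUNET_CRYPTO_EddsaPrivateScalar priv;
+crypto_hash_sha512_state hs;
+unsigned char sk[64];
+unsigned char r[64];
+unsigned char hram[64];
+unsigned char R[32];
+unsigned char zk[32];
+unsigned char tmp[32];
+
+/**
+* Derive the private key
+*/
+GNUNET_CRYPTO_eddsa_private_key_derive (pkey,
+label,
+context,
+&priv);
+
+crypto_hash_sha512_init (&hs);
+
+/**
+* Instead of expanding the private here, we already
+* have the secret scalar as input. Use it.
+* Note that sk is not plain SHA512 (d).
+* sk[0..31] contains the derived private scalar
+* sk[0..31] = h * SHA512 (d)[0..31]
+* sk[32..63] = SHA512 (d)[32..63]
+*/
+memcpy (sk, priv.s, 64);
+
+/**
+* Calculate the derived zone key zk' from the
+* derived private scalar.
+*/
+crypto_scalarmult_ed25519_base_noclamp (zk,
+sk);
+
+/**
+* Calculate r:
+* r = SHA512 (sk[32..63] | M)
+* where M is our message (purpose).
+* Note that sk[32..63] is the other half of the
+* expansion from the original, non-derived private key
+* "d".
+*/
+crypto_hash_sha512_update (&hs, sk + 32, 32);
+crypto_hash_sha512_update (&hs, (uint8_t*) purpose, ntohl (purpose->size));
+crypto_hash_sha512_final (&hs, r);
+
+/**
+* Temporarily put zk into S
+*/
+memcpy (sig->s, zk, 32);
+
+/**
+* Reduce the scalar value r
+*/
+unsigned char r_mod[64];
+crypto_core_ed25519_scalar_reduce (r_mod, r);
+
+/**
+* Calculate R := r * G of the signature
+*/
+crypto_scalarmult_ed25519_base_noclamp (R, r_mod);
+memcpy (sig->r, R, sizeof (R));
+
+/**
+* Calculate
+* hram := SHA512 (R | zk' | M)
+*/
+crypto_hash_sha512_init (&hs);
+crypto_hash_sha512_update (&hs, (uint8_t*) sig, 64);
+crypto_hash_sha512_update (&hs, (uint8_t*) purpose,
+ntohl (purpose->size));
+crypto_hash_sha512_final (&hs, hram);
+
+/**
+* Reduce the resulting scalar value
+*/
+unsigned char hram_mod[64];
+crypto_core_ed25519_scalar_reduce (hram_mod, hram);
+
+/**
+* Calculate
+* S := r + hram * s mod L
+*/
+crypto_core_ed25519_scalar_mul (tmp, hram_mod, sk);
+crypto_core_ed25519_scalar_add (sig->s, tmp, r_mod);
+
+sodium_memzero (sk, sizeof (sk));
+sodium_memzero (r, sizeof (r));
+sodium_memzero (r_mod, sizeof (r_mod));
+return GNUNET_OK;
+}
+
+
+enum GNUNET_GenericReturnValue
+GNUNET_CRYPTO_ecdsa_sign_derived (
+const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+const char *label,
+const char *context,
+const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose,
+struct GNUNET_CRYPTO_EcdsaSignature *sig)
+{
+struct GNUNET_CRYPTO_EcdsaPrivateKey *key;
+enum GNUNET_GenericReturnValue res;
+key = GNUNET_CRYPTO_ecdsa_private_key_derive (priv,
+label,
+context);
+res = GNUNET_CRYPTO_ecdsa_sign_ (key,
+purpose,
+sig);
+GNUNET_free (key);
+return res;
+}
+
+
+struct GNUNET_CRYPTO_EcdsaPrivateKey *
+GNUNET_CRYPTO_ecdsa_private_key_derive (
+const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv,
+const char *label,
+const char *context)
+{
+struct GNUNET_CRYPTO_EcdsaPublicKey pub;
+struct GNUNET_CRYPTO_EcdsaPrivateKey *ret;
+struct GNUNET_HashCode hc;
+uint8_t dc[32];
+gcry_mpi_t h;
+gcry_mpi_t x;
+gcry_mpi_t d;
+gcry_mpi_t n;
+gcry_ctx_t ctx;
+
+GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
+
+n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub);
+
+derive_h (&pub, sizeof (pub), label, context, &hc);
+GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
+
+/* Convert to big endian for libgcrypt */
+for (size_t i = 0; i < 32; i++)
+dc[i] = priv->d[31 - i];
+GNUNET_CRYPTO_mpi_scan_unsigned (&x, dc, sizeof(dc));
+d = gcry_mpi_new (256);
+gcry_mpi_mulm (d, h, x, n);
+gcry_mpi_release (h);
+gcry_mpi_release (x);
+gcry_mpi_release (n);
+gcry_ctx_release (ctx);
+ret = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey);
+GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
+/* Convert to big endian for libgcrypt */
+for (size_t i = 0; i < 32; i++)
+ret->d[i] = dc[31 - i];
+sodium_memzero (dc, sizeof(dc));
+gcry_mpi_release (d);
+return ret;
+}
+
+
+void
+GNUNET_CRYPTO_ecdsa_public_key_derive (
+const struct GNUNET_CRYPTO_EcdsaPublicKey *pub,
+const char *label,
+const char *context,
+struct GNUNET_CRYPTO_EcdsaPublicKey *result)
+{
+struct GNUNET_HashCode hc;
+gcry_ctx_t ctx;
+gcry_mpi_t q_y;
+gcry_mpi_t h;
+gcry_mpi_t n;
+gcry_mpi_t h_mod_n;
+gcry_mpi_point_t q;
+gcry_mpi_point_t v;
+
+GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE));
+
+/* obtain point 'q' from original public key. The provided 'q' is
+compressed thus we first store it in the context and then get it
+back as a (decompresssed) point. */
+q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
+GNUNET_assert (NULL != q_y);
+GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
+gcry_mpi_release (q_y);
+q = gcry_mpi_ec_get_point ("q", ctx, 0);
+GNUNET_assert (q);
+
+/* calculate h_mod_n = h % n */
+derive_h (pub, sizeof (*pub), label, context, &hc);
+GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
+n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+h_mod_n = gcry_mpi_new (256);
+gcry_mpi_mod (h_mod_n, h, n);
+/* calculate v = h_mod_n * q */
+v = gcry_mpi_point_new (0);
+gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
+gcry_mpi_release (h_mod_n);
+gcry_mpi_release (h);
+gcry_mpi_release (n);
+gcry_mpi_point_release (q);
+
+/* convert point 'v' to public key that we return */
+GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
+gcry_mpi_point_release (v);
+q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+GNUNET_assert (q_y);
+GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
+gcry_mpi_release (q_y);
+gcry_ctx_release (ctx);
+}
+
+
+void
+GNUNET_CRYPTO_eddsa_private_key_derive (
+const struct GNUNET_CRYPTO_EddsaPrivateKey *priv,
+const char *label,
+const char *context,
+struct GNUNET_CRYPTO_EddsaPrivateScalar *result)
+{
+struct GNUNET_CRYPTO_EddsaPublicKey pub;
+struct GNUNET_HashCode hc;
+uint8_t dc[32];
+unsigned char sk[64];
+gcry_mpi_t h;
+gcry_mpi_t h_mod_L;
+gcry_mpi_t a;
+gcry_mpi_t d;
+gcry_mpi_t L;
+gcry_ctx_t ctx;
+
+/**
+* Libsodium does not offer an API with arbitrary arithmetic.
+* Hence we have to use libgcrypt here.
+*/
+GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
+
+/**
+* Get our modulo L
+*/
+L = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+GNUNET_CRYPTO_eddsa_key_get_public (priv, &pub);
+
+/**
+* This is the standard private key expansion in Ed25519.
+* The first 32 octets are used as a little-endian private
+* scalar.
+* We derive this scalar using our "h".
+*/
+crypto_hash_sha512 (sk, priv->d, 32);
+sk[0] &= 248;
+sk[31] &= 127;
+sk[31] |= 64;
+
+/**
+* Get h mod L
+*/
+derive_h (&pub, sizeof (pub), label, context, &hc);
+GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
+h_mod_L = gcry_mpi_new (256);
+gcry_mpi_mod (h_mod_L, h, L);
+/* Convert scalar to big endian for libgcrypt */
+for (size_t i = 0; i < 32; i++)
+dc[i] = sk[31 - i];
+
+/**
+* dc now contains the private scalar "a".
+* We calculate:
+* d' := h * a mod L
+*/
+GNUNET_CRYPTO_mpi_scan_unsigned (&a, dc, sizeof(dc)); // a
+d = gcry_mpi_new (256);
+gcry_mpi_mulm (d, h_mod_L, a, L); // d := h * a mod L
+gcry_mpi_release (h);
+gcry_mpi_release (a);
+gcry_mpi_release (L);
+gcry_mpi_release (h_mod_L);
+gcry_ctx_release (ctx);
+GNUNET_CRYPTO_mpi_print_unsigned (dc, sizeof(dc), d);
+/**
+* We hash the derived "h" parameter with the
+* other half of the expanded private key. This ensures
+* that for signature generation, the "R" is derived from
+* the same derivation path as "h" and is not reused.
+*/
+crypto_hash_sha256_state hs;
+crypto_hash_sha256_init (&hs);
+crypto_hash_sha256_update (&hs, sk + 32, 32);
+crypto_hash_sha256_update (&hs, (unsigned char*) &hc, sizeof (hc));
+crypto_hash_sha256_final (&hs, result->s + 32);
+// memcpy (result->s, sk, sizeof (sk));
+/* Convert to little endian for libsodium */
+for (size_t i = 0; i < 32; i++)
+result->s[i] = dc[31 - i];
+
+sodium_memzero (dc, sizeof(dc));
+gcry_mpi_release (d);
+}
+
+
+void
+GNUNET_CRYPTO_eddsa_public_key_derive (
+const struct GNUNET_CRYPTO_EddsaPublicKey *pub,
+const char *label,
+const char *context,
+struct GNUNET_CRYPTO_EddsaPublicKey *result)
+{
+struct GNUNET_HashCode hc;
+gcry_ctx_t ctx;
+gcry_mpi_t q_y;
+gcry_mpi_t h;
+gcry_mpi_t n;
+gcry_mpi_t h_mod_n;
+gcry_mpi_point_t q;
+gcry_mpi_point_t v;
+
+GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, "Ed25519"));
+
+/* obtain point 'q' from original public key. The provided 'q' is
+compressed thus we first store it in the context and then get it
+back as a (decompresssed) point. */
+q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8 * sizeof(pub->q_y));
+GNUNET_assert (NULL != q_y);
+GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx));
+gcry_mpi_release (q_y);
+q = gcry_mpi_ec_get_point ("q", ctx, 0);
+GNUNET_assert (q);
+
+/* calculate h_mod_n = h % n */
+derive_h (pub, sizeof (*pub), label, context, &hc);
+GNUNET_CRYPTO_mpi_scan_unsigned (&h, (unsigned char *) &hc, sizeof(hc));
+
+n = gcry_mpi_ec_get_mpi ("n", ctx, 1);
+h_mod_n = gcry_mpi_new (256);
+gcry_mpi_mod (h_mod_n, h, n);
+
+/* calculate v = h_mod_n * q */
+v = gcry_mpi_point_new (0);
+gcry_mpi_ec_mul (v, h_mod_n, q, ctx);
+gcry_mpi_release (h_mod_n);
+gcry_mpi_release (h);
+gcry_mpi_release (n);
+gcry_mpi_point_release (q);
+
+/* convert point 'v' to public key that we return */
+GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx));
+gcry_mpi_point_release (v);
+q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+GNUNET_assert (q_y);
+GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, sizeof(result->q_y), q_y);
+gcry_mpi_release (q_y);
+gcry_ctx_release (ctx);
+
+}
+
+
+void
+GNUNET_CRYPTO_eddsa_key_get_public_from_scalar (
+const struct GNUNET_CRYPTO_EddsaPrivateScalar *priv,
+struct GNUNET_CRYPTO_EddsaPublicKey *pkey)
+{
+unsigned char sk[32];
+
+memcpy (sk, priv->s, 32);
+
+/**
+* Calculate the derived zone key zk' from the
+* derived private scalar.
+*/
+crypto_scalarmult_ed25519_base_noclamp (pkey->q_y,
+sk);
+}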
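Review bot: GNUNET_CRYPTO_eddsa_sign_derived wipes sk, r and r_mod before returning, but `priv` (the derived secret scalar that was copied into sk) and `tmp` (hram_mod * s, from which s is recoverable because hram is computed only from R, zk' and the purpose) stay on the stack; add `sodium_memzero (&priv, sizeof (priv));` and `sodium_memzero (tmp, sizeof (tmp));` next to the existing memzero calls. GNUNET_CRYPTO_eddsa_private_key_derive has the same gap for `sk`, the SHA-512 expansion of the caller's private key, of which only the dc copy is wiped; add `sodium_memzero (sk, sizeof (sk));` before it returns, and note that the MPIs a and d holding the scalar come from gcry_mpi_new and the scan helper rather than secure memory, so gcry_mpi_release presumably does not scrub them either (whether GNUNET_CRYPTO_mpi_scan_unsigned can be pointed at gcry_mpi_snew is not visible here). The comment block before `memcpy (sk, priv.s, 64);` states sk[32..63] = SHA512 (d)[32..63], but GNUNET_CRYPTO_eddsa_private_key_derive fills result->s + 32 with SHA-256 (sk[32..63] | hc), so that comment and the "other half of the expansion" remark before the r computation are stale, and the commented-out memcpy after the SHA-256 finalisation should be dropped. As a point of style, derive_h is neither static nor GNUNET_-prefixed and so lands in the exported namespace, and the two later gcry_mpi_ec_new calls spell "Ed25519" instead of the CURVE macro defined for that purpose.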