/* This file is part of GNUnet. (C) 2001, 2002, 2003, 2004, 2005, 2006, 2009, 2012 Christian Grothoff (and other contributing authors) GNUnet is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2, or (at your option) any later version. GNUnet is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with GNUnet; see the file COPYING. If not, write to the Free Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ /** * @file util/crypto_ecc.c * @brief public key cryptography (ECC) with libgcrypt * @author Christian Grothoff * * This is just a first, completely untested, draft hack for future ECC support. * TODO: * - declare public API in gnunet_crypto_lib (move some structs, etc.) * - implement gnunet-ecc binary * - convert existing RSA testcases * - adjust encoding length and other parameters * - actually test it! */ #include "platform.h" #include #include "gnunet_common.h" #include "gnunet_util_lib.h" #define EXTRA_CHECKS ALLOW_EXTRA_CHECKS #define CURVE "NIST P-521" #define LOG(kind,...) GNUNET_log_from (kind, "util", __VA_ARGS__) #define LOG_STRERROR(kind,syscall) GNUNET_log_from_strerror (kind, "util", syscall) #define LOG_STRERROR_FILE(kind,syscall,filename) GNUNET_log_from_strerror_file (kind, "util", syscall, filename) /** * FIXME: what is an acceptable value here? */ #define GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH 64 /** * Length of the q-point (Q = dP) in the public key. * FIXME: double-check that this is right. */ #define GNUNET_CRYPTO_ECC_PUBLIC_KEY_LENGTH 64 /** * @brief an ECC signature */ struct GNUNET_CRYPTO_EccSignature { unsigned char sig[GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH]; }; GNUNET_NETWORK_STRUCT_BEGIN /** * @brief header of what an ECC signature signs * this must be followed by "size - 8" bytes of * the actual signed data */ struct GNUNET_CRYPTO_EccSignaturePurpose { /** * How many bytes does this signature sign? * (including this purpose header); in network * byte order (!). */ uint32_t size GNUNET_PACKED; /** * What does this signature vouch for? This * must contain a GNUNET_SIGNATURE_PURPOSE_XXX * constant (from gnunet_signatures.h). In * network byte order! */ uint32_t purpose GNUNET_PACKED; }; /** * Public ECC key (always for NIST P-521) encoded in a format suitable * for network transmission. */ struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded { /** * Size of the encoding, in network byte order. */ uint16_t size; /** * Actual length of the q-point binary encoding. */ uint16_t len; /** * 0-padded q-point in binary encoding (GCRYPT_MPI_FMT_USG). */ unsigned char key[GNUNET_CRYPTO_ECC_PUBLIC_KEY_LENGTH]; }; struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded { /** * Overall size of the private key. */ uint16_t size; /** * Size of the q and d components of the private key. * Note that the other parameters are from NIST P-521. */ uint16_t sizes[2]; }; /** * ECC Encrypted data. */ struct GNUNET_CRYPTO_EccEncryptedData { unsigned char encoding[GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH]; }; GNUNET_NETWORK_STRUCT_END /** * The private information of an ECC private key. */ struct GNUNET_CRYPTO_EccPrivateKey { /** * Libgcrypt S-expression for the ECC key. */ gcry_sexp_t sexp; }; /** * Function called upon completion of 'GNUNET_CRYPTO_ecc_key_create_async'. * * @param cls closure * @param pk NULL on error, otherwise the private key (which must be free'd by the callee) * @param emsg NULL on success, otherwise an error message */ typedef void (*GNUNET_CRYPTO_EccKeyCallback)(void *cls, struct GNUNET_CRYPTO_EccPrivateKey *pk, const char *emsg); /** * Log an error message at log-level 'level' that indicates * a failure of the command 'cmd' with the message given * by gcry_strerror(rc). */ #define LOG_GCRY(level, cmd, rc) do { LOG(level, _("`%s' failed at %s:%d with error: %s\n"), cmd, __FILE__, __LINE__, gcry_strerror(rc)); } while(0); /** * If target != size, move target bytes to the * end of the size-sized buffer and zero out the * first target-size bytes. * * @param buf original buffer * @param size number of bytes in the buffer * @param target target size of the buffer */ static void adjust (unsigned char *buf, size_t size, size_t target) { if (size < target) { memmove (&buf[target - size], buf, size); memset (buf, 0, target - size); } } /** * Free memory occupied by hostkey * @param privatekey pointer to the memory to free */ void GNUNET_CRYPTO_ecc_key_free (struct GNUNET_CRYPTO_EccPrivateKey *privatekey) { gcry_sexp_release (privatekey->sexp); GNUNET_free (privatekey); } /** * Extract values from an S-expression. * * @param array where to store the result(s) * @param sexp S-expression to parse * @param topname top-level name in the S-expression that is of interest * @param elems names of the elements to extract * @return 0 on success */ static int key_from_sexp (gcry_mpi_t * array, gcry_sexp_t sexp, const char *topname, const char *elems) { gcry_sexp_t list; gcry_sexp_t l2; const char *s; unsigned int i; unsigned int idx; list = gcry_sexp_find_token (sexp, topname, 0); if (! list) return 1; l2 = gcry_sexp_cadr (list); gcry_sexp_release (list); list = l2; if (! list) return 2; idx = 0; for (s = elems; *s; s++, idx++) { l2 = gcry_sexp_find_token (list, s, 1); if (! l2) { for (i = 0; i < idx; i++) { gcry_free (array[i]); array[i] = NULL; } gcry_sexp_release (list); return 3; /* required parameter not found */ } array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG); gcry_sexp_release (l2); if (! array[idx]) { for (i = 0; i < idx; i++) { gcry_free (array[i]); array[i] = NULL; } gcry_sexp_release (list); return 4; /* required parameter is invalid */ } } gcry_sexp_release (list); return 0; } /** * Extract the public key for the given private key. * * @param priv the private key * @param pub where to write the public key */ void GNUNET_CRYPTO_ecc_key_get_public (const struct GNUNET_CRYPTO_EccPrivateKey *priv, struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *pub) { gcry_mpi_t skey; size_t size; int rc; rc = key_from_sexp (&skey, priv->sexp, "public-key", "q"); if (rc) rc = key_from_sexp (&skey, priv->sexp, "private-key", "q"); if (rc) rc = key_from_sexp (&skey, priv->sexp, "ecc", "q"); GNUNET_assert (0 == rc); pub->size = htons (sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded)); size = GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH; GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG, pub->key, size, &size, skey)); pub->len = htons (size); adjust (&pub->key[0], size, GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH); gcry_mpi_release (skey); } /** * Convert a public key to a string. * * @param pub key to convert * @return string representing 'pub' */ char * GNUNET_CRYPTO_ecc_public_key_to_string (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *pub) { char *pubkeybuf; size_t keylen = (sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded)) * 8; char *end; if (keylen % 5 > 0) keylen += 5 - keylen % 5; keylen /= 5; pubkeybuf = GNUNET_malloc (keylen + 1); end = GNUNET_STRINGS_data_to_string ((unsigned char *) pub, sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded), pubkeybuf, keylen); if (NULL == end) { GNUNET_free (pubkeybuf); return NULL; } *end = '\0'; return pubkeybuf; } /** * Convert a string representing a public key to a public key. * * @param enc encoded public key * @param enclen number of bytes in enc (without 0-terminator) * @param pub where to store the public key * @return GNUNET_OK on success */ int GNUNET_CRYPTO_ecc_public_key_from_string (const char *enc, size_t enclen, struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *pub) { size_t keylen = (sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded)) * 8; if (keylen % 5 > 0) keylen += 5 - keylen % 5; keylen /= 5; if (enclen != keylen) return GNUNET_SYSERR; if (GNUNET_OK != GNUNET_STRINGS_string_to_data (enc, enclen, (unsigned char*) pub, sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded))) return GNUNET_SYSERR; if ( (ntohs (pub->size) != sizeof (struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded)) || (ntohs (pub->len) > GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH) ) return GNUNET_SYSERR; return GNUNET_OK; } /** * Convert the given public key from the network format to the * S-expression that can be used by libgcrypt. * * @param publicKey public key to decode * @return NULL on error */ static gcry_sexp_t decode_public_key (const struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *publicKey) { gcry_sexp_t result; gcry_mpi_t q; size_t size; size_t erroff; int rc; if (ntohs (publicKey->len) > GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH) { GNUNET_break (0); return NULL; } size = ntohs (publicKey->size); if (0 != (rc = gcry_mpi_scan (&q, GCRYMPI_FMT_USG, publicKey->key, size, &size))) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc); return NULL; } rc = gcry_sexp_build (&result, &erroff, "(public-key(ecc((curve \"" CURVE "\")(q %m)))", q); gcry_mpi_release (q); if (0 != rc) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); /* erroff gives more info */ return NULL; } return result; } /** * Encode the private key in a format suitable for * storing it into a file. * * @returns encoding of the private key. * The first 4 bytes give the size of the array, as usual. */ struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded * GNUNET_CRYPTO_ecc_encode_key (const struct GNUNET_CRYPTO_EccPrivateKey *hostkey) { struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded *retval; gcry_mpi_t pkv[2]; void *pbu[2]; size_t sizes[2]; size_t off; int rc; unsigned int i; size_t size; #if EXTRA_CHECKS if (gcry_pk_testkey (hostkey->sexp)) { GNUNET_break (0); return NULL; } #endif memset (pkv, 0, sizeof (gcry_mpi_t) * 2); rc = key_from_sexp (pkv, hostkey->sexp, "private-key", "qd"); if (rc) rc = key_from_sexp (pkv, hostkey->sexp, "ecc", "qd"); GNUNET_assert (0 == rc); size = sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded); for (i=0;i<2;i++) { if (NULL != pkv[i]) { GNUNET_assert (0 == gcry_mpi_aprint (GCRYMPI_FMT_USG, (unsigned char **) &pbu[i], &sizes[i], pkv[i])); size += sizes[i]; } else { pbu[i] = NULL; sizes[i] = 0; } } GNUNET_assert (size < 65536); retval = GNUNET_malloc (size); retval->size = htons (size); off = 0; for (i=0;i<2;i++) { retval->sizes[i] = htons (sizes[0]); memcpy (&((char *) (&retval[1]))[off], pbu[i], sizes[i]); off += sizes[i]; if (NULL != pkv[i]) gcry_mpi_release (pkv[i]); if (NULL != pbu[i]) free (pbu[i]); } return retval; } /** * Decode the private key from the file-format back * to the "normal", internal format. * * @param buf the buffer where the private key data is stored * @param len the length of the data in 'buffer' * @return NULL on error */ struct GNUNET_CRYPTO_EccPrivateKey * GNUNET_CRYPTO_ecc_decode_key (const char *buf, uint16_t len) { struct GNUNET_CRYPTO_EccPrivateKey *ret; const struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded *encoding = (const struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded *) buf; gcry_sexp_t res; gcry_mpi_t q; gcry_mpi_t d; int rc; size_t size; size_t pos; uint16_t enc_len; size_t erroff; enc_len = ntohs (encoding->size); if (len != enc_len) return NULL; pos = 0; size = ntohs (encoding->sizes[0]); rc = gcry_mpi_scan (&q, GCRYMPI_FMT_USG, &((const unsigned char *) (&encoding[1]))[pos], size, &size); pos += ntohs (encoding->sizes[0]); if (0 != rc) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc); return NULL; } size = ntohs (encoding->sizes[1]); rc = gcry_mpi_scan (&d, GCRYMPI_FMT_USG, &((const unsigned char *) (&encoding[1]))[pos], size, &size); pos += ntohs (encoding->sizes[1]); if (0 != rc) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc); gcry_mpi_release (d); return NULL; } rc = gcry_sexp_build (&res, &erroff, "(private-key(ecc(q %m)(d %m)(curve \"" CURVE "\")))", q, d); gcry_mpi_release (q); gcry_mpi_release (d); if (0 != rc) LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); #if EXTRA_CHECKS if (0 != (rc = gcry_pk_testkey (res))) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc); return NULL; } #endif ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccPrivateKey)); ret->sexp = res; return ret; } /** * Create a new private key. Caller must free return value. * * @return fresh private key */ static struct GNUNET_CRYPTO_EccPrivateKey * ecc_key_create () { struct GNUNET_CRYPTO_EccPrivateKey *ret; gcry_sexp_t s_key; gcry_sexp_t s_keyparam; GNUNET_assert (0 == gcry_sexp_build (&s_keyparam, NULL, "(genkey(ecc(curve \"" CURVE "\")))")); GNUNET_assert (0 == gcry_pk_genkey (&s_key, s_keyparam)); gcry_sexp_release (s_keyparam); #if EXTRA_CHECKS GNUNET_assert (0 == gcry_pk_testkey (s_key)); #endif ret = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccPrivateKey)); ret->sexp = s_key; return ret; } /** * Try to read the private key from the given file. * * @param filename file to read the key from * @return NULL on error */ static struct GNUNET_CRYPTO_EccPrivateKey * try_read_key (const char *filename) { struct GNUNET_CRYPTO_EccPrivateKey *ret; struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded *enc; struct GNUNET_DISK_FileHandle *fd; OFF_T fs; uint16_t len; if (GNUNET_YES != GNUNET_DISK_file_test (filename)) return NULL; /* hostkey file exists already, read it! */ if (NULL == (fd = GNUNET_DISK_file_open (filename, GNUNET_DISK_OPEN_READ, GNUNET_DISK_PERM_NONE))) { LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename); return NULL; } if (GNUNET_OK != (GNUNET_DISK_file_handle_size (fd, &fs))) { LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "stat", filename); (void) GNUNET_DISK_file_close (fd); return NULL; } if (0 == fs) { GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd)); return NULL; } if (fs > UINT16_MAX) { LOG (GNUNET_ERROR_TYPE_ERROR, _("File `%s' does not contain a valid private key (too long, %llu bytes). Deleting it.\n"), filename, (unsigned long long) fs); GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd)); if (0 != UNLINK (filename)) LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "unlink", filename); return NULL; } enc = GNUNET_malloc (fs); GNUNET_break (fs == GNUNET_DISK_file_read (fd, enc, fs)); len = ntohs (enc->size); ret = NULL; if ((len != fs) || (NULL == (ret = GNUNET_CRYPTO_ecc_decode_key ((char *) enc, len)))) { LOG (GNUNET_ERROR_TYPE_ERROR, _("File `%s' does not contain a valid private key (failed decode, %llu bytes). Deleting it.\n"), filename, (unsigned long long) fs); GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd)); if (0 != UNLINK (filename)) LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "unlink", filename); GNUNET_free (enc); return NULL; } GNUNET_free (enc); GNUNET_break (GNUNET_OK == GNUNET_DISK_file_close (fd)); return ret; } /** * Wait for a short time (we're trying to lock a file or want * to give another process a shot at finishing a disk write, etc.). * Sleeps for 100ms (as that should be long enough for virtually all * modern systems to context switch and allow another process to do * some 'real' work). */ static void short_wait () { struct GNUNET_TIME_Relative timeout; timeout = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, 100); (void) GNUNET_NETWORK_socket_select (NULL, NULL, NULL, timeout); } /** * Create a new private key by reading it from a file. If the * files does not exist, create a new key and write it to the * file. Caller must free return value. Note that this function * can not guarantee that another process might not be trying * the same operation on the same file at the same time. * If the contents of the file * are invalid the old file is deleted and a fresh key is * created. * * @return new private key, NULL on error (for example, * permission denied) */ struct GNUNET_CRYPTO_EccPrivateKey * GNUNET_CRYPTO_ecc_key_create_from_file (const char *filename) { struct GNUNET_CRYPTO_EccPrivateKey *ret; struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded *enc; uint16_t len; struct GNUNET_DISK_FileHandle *fd; unsigned int cnt; int ec; uint64_t fs; struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded pub; struct GNUNET_PeerIdentity pid; if (GNUNET_SYSERR == GNUNET_DISK_directory_create_for_file (filename)) return NULL; while (GNUNET_YES != GNUNET_DISK_file_test (filename)) { fd = GNUNET_DISK_file_open (filename, GNUNET_DISK_OPEN_WRITE | GNUNET_DISK_OPEN_CREATE | GNUNET_DISK_OPEN_FAILIFEXISTS, GNUNET_DISK_PERM_USER_READ | GNUNET_DISK_PERM_USER_WRITE); if (NULL == fd) { if (errno == EEXIST) { if (GNUNET_YES != GNUNET_DISK_file_test (filename)) { /* must exist but not be accessible, fail for good! */ if (0 != ACCESS (filename, R_OK)) LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "access", filename); else GNUNET_break (0); /* what is going on!? */ return NULL; } continue; } LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename); return NULL; } cnt = 0; while (GNUNET_YES != GNUNET_DISK_file_lock (fd, 0, sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded), GNUNET_YES)) { short_wait (); if (0 == ++cnt % 10) { ec = errno; LOG (GNUNET_ERROR_TYPE_ERROR, _("Could not acquire lock on file `%s': %s...\n"), filename, STRERROR (ec)); } } LOG (GNUNET_ERROR_TYPE_INFO, _("Creating a new private key. This may take a while.\n")); ret = ecc_key_create (); GNUNET_assert (ret != NULL); enc = GNUNET_CRYPTO_ecc_encode_key (ret); GNUNET_assert (enc != NULL); GNUNET_assert (ntohs (enc->size) == GNUNET_DISK_file_write (fd, enc, ntohs (enc->size))); GNUNET_free (enc); GNUNET_DISK_file_sync (fd); if (GNUNET_YES != GNUNET_DISK_file_unlock (fd, 0, sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded))) LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd)); GNUNET_CRYPTO_ecc_key_get_public (ret, &pub); GNUNET_CRYPTO_hash (&pub, sizeof (pub), &pid.hashPubKey); LOG (GNUNET_ERROR_TYPE_INFO, _("I am host `%s'. Stored new private key in `%s'.\n"), GNUNET_i2s (&pid), filename); return ret; } /* hostkey file exists already, read it! */ fd = GNUNET_DISK_file_open (filename, GNUNET_DISK_OPEN_READ, GNUNET_DISK_PERM_NONE); if (NULL == fd) { LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename); return NULL; } cnt = 0; while (1) { if (GNUNET_YES != GNUNET_DISK_file_lock (fd, 0, sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded), GNUNET_NO)) { if (0 == ++cnt % 60) { ec = errno; LOG (GNUNET_ERROR_TYPE_ERROR, _("Could not acquire lock on file `%s': %s...\n"), filename, STRERROR (ec)); LOG (GNUNET_ERROR_TYPE_ERROR, _ ("This may be ok if someone is currently generating a hostkey.\n")); } short_wait (); continue; } if (GNUNET_YES != GNUNET_DISK_file_test (filename)) { /* eh, what!? File we opened is now gone!? */ LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "stat", filename); if (GNUNET_YES != GNUNET_DISK_file_unlock (fd, 0, sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded))) LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); GNUNET_assert (GNUNET_OK == GNUNET_DISK_file_close (fd)); return NULL; } if (GNUNET_OK != GNUNET_DISK_file_size (filename, &fs, GNUNET_YES, GNUNET_YES)) fs = 0; if (fs < sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded)) { /* maybe we got the read lock before the hostkey generating * process had a chance to get the write lock; give it up! */ if (GNUNET_YES != GNUNET_DISK_file_unlock (fd, 0, sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded))) LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); if (0 == ++cnt % 10) { LOG (GNUNET_ERROR_TYPE_ERROR, _ ("When trying to read hostkey file `%s' I found %u bytes but I need at least %u.\n"), filename, (unsigned int) fs, (unsigned int) sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded)); LOG (GNUNET_ERROR_TYPE_ERROR, _ ("This may be ok if someone is currently generating a hostkey.\n")); } short_wait (); /* wait a bit longer! */ continue; } break; } enc = GNUNET_malloc (fs); GNUNET_assert (fs == GNUNET_DISK_file_read (fd, enc, fs)); len = ntohs (enc->size); ret = NULL; if ((len != fs) || (NULL == (ret = GNUNET_CRYPTO_ecc_decode_key ((char *) enc, len)))) { LOG (GNUNET_ERROR_TYPE_ERROR, _("File `%s' does not contain a valid private key. Deleting it.\n"), filename); if (0 != UNLINK (filename)) { LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "unlink", filename); } } GNUNET_free (enc); if (GNUNET_YES != GNUNET_DISK_file_unlock (fd, 0, sizeof (struct GNUNET_CRYPTO_EccPrivateKeyBinaryEncoded))) LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd)); if (ret != NULL) { GNUNET_CRYPTO_ecc_key_get_public (ret, &pub); GNUNET_CRYPTO_hash (&pub, sizeof (pub), &pid.hashPubKey); LOG (GNUNET_ERROR_TYPE_INFO, _("I am host `%s'. Read private key from `%s'.\n"), GNUNET_i2s (&pid), filename); } return ret; } /** * Handle to cancel private key generation and state for the * key generation operation. */ struct GNUNET_CRYPTO_EccKeyGenerationContext { /** * Continuation to call upon completion. */ GNUNET_CRYPTO_EccKeyCallback cont; /** * Closure for 'cont'. */ void *cont_cls; /** * Name of the file. */ char *filename; /** * Handle to the helper process which does the key generation. */ struct GNUNET_OS_Process *gnunet_ecc; /** * Handle to 'stdout' of gnunet-ecc. We 'read' on stdout to detect * process termination (instead of messing with SIGCHLD). */ struct GNUNET_DISK_PipeHandle *gnunet_ecc_out; /** * Location where we store the private key if it already existed. * (if this is used, 'filename', 'gnunet_ecc' and 'gnunet_ecc_out' will * not be used). */ struct GNUNET_CRYPTO_EccPrivateKey *pk; /** * Task reading from 'gnunet_ecc_out' to wait for process termination. */ GNUNET_SCHEDULER_TaskIdentifier read_task; }; /** * Abort ECC key generation. * * @param gc key generation context to abort */ void GNUNET_CRYPTO_ecc_key_create_stop (struct GNUNET_CRYPTO_EccKeyGenerationContext *gc) { if (GNUNET_SCHEDULER_NO_TASK != gc->read_task) { GNUNET_SCHEDULER_cancel (gc->read_task); gc->read_task = GNUNET_SCHEDULER_NO_TASK; } if (NULL != gc->gnunet_ecc) { (void) GNUNET_OS_process_kill (gc->gnunet_ecc, SIGKILL); GNUNET_break (GNUNET_OK == GNUNET_OS_process_wait (gc->gnunet_ecc)); GNUNET_OS_process_destroy (gc->gnunet_ecc); GNUNET_DISK_pipe_close (gc->gnunet_ecc_out); } if (NULL != gc->filename) { if (0 != UNLINK (gc->filename)) GNUNET_log_strerror_file (GNUNET_ERROR_TYPE_WARNING, "unlink", gc->filename); GNUNET_free (gc->filename); } if (NULL != gc->pk) GNUNET_CRYPTO_ecc_key_free (gc->pk); GNUNET_free (gc); } /** * Task called upon shutdown or process termination of 'gnunet-ecc' during * ECC key generation. Check where we are and perform the appropriate * action. * * @param cls the 'struct GNUNET_CRYPTO_EccKeyGenerationContext' * @param tc scheduler context */ static void check_key_generation_completion (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc) { struct GNUNET_CRYPTO_EccKeyGenerationContext *gc = cls; struct GNUNET_CRYPTO_EccPrivateKey *pk; gc->read_task = GNUNET_SCHEDULER_NO_TASK; if (0 != (tc->reason & GNUNET_SCHEDULER_REASON_SHUTDOWN)) { gc->cont (gc->cont_cls, NULL, _("interrupted by shutdown")); GNUNET_CRYPTO_ecc_key_create_stop (gc); return; } GNUNET_assert (GNUNET_OK == GNUNET_OS_process_wait (gc->gnunet_ecc)); GNUNET_OS_process_destroy (gc->gnunet_ecc); gc->gnunet_ecc = NULL; if (NULL == (pk = try_read_key (gc->filename))) { GNUNET_break (0); gc->cont (gc->cont_cls, NULL, _("gnunet-ecc failed")); GNUNET_CRYPTO_ecc_key_create_stop (gc); return; } gc->cont (gc->cont_cls, pk, NULL); GNUNET_DISK_pipe_close (gc->gnunet_ecc_out); GNUNET_free (gc->filename); GNUNET_free (gc); } /** * Return the private ECC key which already existed on disk * (asynchronously) to the caller. * * @param cls the 'struct GNUNET_CRYPTO_EccKeyGenerationContext' * @param tc scheduler context (unused) */ static void async_return_key (void *cls, const struct GNUNET_SCHEDULER_TaskContext *tc) { struct GNUNET_CRYPTO_EccKeyGenerationContext *gc = cls; gc->cont (gc->cont_cls, gc->pk, NULL); GNUNET_free (gc); } /** * Create a new private key by reading it from a file. If the files * does not exist, create a new key and write it to the file. If the * contents of the file are invalid the old file is deleted and a * fresh key is created. * * @param filename name of file to use for storage * @param cont function to call when done (or on errors) * @param cont_cls closure for 'cont' * @return handle to abort operation, NULL on fatal errors (cont will not be called if NULL is returned) */ struct GNUNET_CRYPTO_EccKeyGenerationContext * GNUNET_CRYPTO_ecc_key_create_start (const char *filename, GNUNET_CRYPTO_EccKeyCallback cont, void *cont_cls) { struct GNUNET_CRYPTO_EccKeyGenerationContext *gc; struct GNUNET_CRYPTO_EccPrivateKey *pk; const char *weak_random; if (NULL != (pk = try_read_key (filename))) { /* quick happy ending: key already exists! */ gc = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccKeyGenerationContext)); gc->pk = pk; gc->cont = cont; gc->cont_cls = cont_cls; gc->read_task = GNUNET_SCHEDULER_add_now (&async_return_key, gc); return gc; } gc = GNUNET_malloc (sizeof (struct GNUNET_CRYPTO_EccKeyGenerationContext)); gc->filename = GNUNET_strdup (filename); gc->cont = cont; gc->cont_cls = cont_cls; gc->gnunet_ecc_out = GNUNET_DISK_pipe (GNUNET_NO, GNUNET_NO, GNUNET_NO, GNUNET_YES); if (NULL == gc->gnunet_ecc_out) { GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING, "pipe"); GNUNET_free (gc->filename); GNUNET_free (gc); return NULL; } weak_random = NULL; if (GNUNET_YES == GNUNET_CRYPTO_random_is_weak ()) weak_random = "-w"; gc->gnunet_ecc = GNUNET_OS_start_process (GNUNET_NO, GNUNET_OS_INHERIT_STD_ERR, NULL, gc->gnunet_ecc_out, "gnunet-ecc", "gnunet-ecc", gc->filename, weak_random, NULL); if (NULL == gc->gnunet_ecc) { GNUNET_log_strerror (GNUNET_ERROR_TYPE_WARNING, "fork"); GNUNET_DISK_pipe_close (gc->gnunet_ecc_out); GNUNET_free (gc->filename); GNUNET_free (gc); return NULL; } GNUNET_assert (GNUNET_OK == GNUNET_DISK_pipe_close_end (gc->gnunet_ecc_out, GNUNET_DISK_PIPE_END_WRITE)); gc->read_task = GNUNET_SCHEDULER_add_read_file (GNUNET_TIME_UNIT_FOREVER_REL, GNUNET_DISK_pipe_handle (gc->gnunet_ecc_out, GNUNET_DISK_PIPE_END_READ), &check_key_generation_completion, gc); return gc; } /** * Setup a hostkey file for a peer given the name of the * configuration file (!). This function is used so that * at a later point code can be certain that reading a * hostkey is fast (for example in time-dependent testcases). * * @param cfg_name name of the configuration file to use */ void GNUNET_CRYPTO_ecc_setup_hostkey (const char *cfg_name) { struct GNUNET_CONFIGURATION_Handle *cfg; struct GNUNET_CRYPTO_EccPrivateKey *pk; char *fn; cfg = GNUNET_CONFIGURATION_create (); (void) GNUNET_CONFIGURATION_load (cfg, cfg_name); if (GNUNET_OK == GNUNET_CONFIGURATION_get_value_filename (cfg, "GNUNETD", "HOSTKEY", &fn)) { pk = GNUNET_CRYPTO_ecc_key_create_from_file (fn); if (NULL != pk) GNUNET_CRYPTO_ecc_key_free (pk); GNUNET_free (fn); } GNUNET_CONFIGURATION_destroy (cfg); } /** * Encrypt a block with the public key of another host that uses the * same cipher. * * @param block the block to encrypt * @param size the size of block * @param publicKey the encoded public key used to encrypt * @param target where to store the encrypted block * @returns GNUNET_SYSERR on error, GNUNET_OK if ok */ int GNUNET_CRYPTO_ecc_encrypt (const void *block, size_t size, const struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *publicKey, struct GNUNET_CRYPTO_EccEncryptedData *target) { gcry_sexp_t result; gcry_sexp_t data; gcry_sexp_t psexp; gcry_mpi_t val; gcry_mpi_t rval; size_t isize; size_t erroff; GNUNET_assert (size <= sizeof (struct GNUNET_HashCode)); if (! (psexp = decode_public_key (publicKey))) return GNUNET_SYSERR; isize = size; GNUNET_assert (0 == gcry_mpi_scan (&val, GCRYMPI_FMT_USG, block, isize, &isize)); GNUNET_assert (0 == gcry_sexp_build (&data, &erroff, "(data (flags pkcs1)(value %m))", val)); gcry_mpi_release (val); GNUNET_assert (0 == gcry_pk_encrypt (&result, data, psexp)); gcry_sexp_release (data); gcry_sexp_release (psexp); GNUNET_assert (0 == key_from_sexp (&rval, result, "ecc", "a")); gcry_sexp_release (result); isize = sizeof (struct GNUNET_CRYPTO_EccEncryptedData); GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG, (unsigned char *) target, isize, &isize, rval)); gcry_mpi_release (rval); adjust (&target->encoding[0], isize, sizeof (struct GNUNET_CRYPTO_EccEncryptedData)); return GNUNET_OK; } /** * Decrypt a given block with the hostkey. * * @param key the key with which to decrypt this block * @param block the data to decrypt, encoded as returned by encrypt * @param result pointer to a location where the result can be stored * @param max the maximum number of bits to store for the result, if * the decrypted block is bigger, an error is returned * @return the size of the decrypted block, -1 on error */ ssize_t GNUNET_CRYPTO_ecc_decrypt (const struct GNUNET_CRYPTO_EccPrivateKey * key, const struct GNUNET_CRYPTO_EccEncryptedData * block, void *result, size_t max) { gcry_sexp_t resultsexp; gcry_sexp_t data; size_t erroff; size_t size; gcry_mpi_t val; unsigned char *endp; unsigned char *tmp; #if EXTRA_CHECKS GNUNET_assert (0 == gcry_pk_testkey (key->sexp)); #endif size = sizeof (struct GNUNET_CRYPTO_EccEncryptedData); GNUNET_assert (0 == gcry_mpi_scan (&val, GCRYMPI_FMT_USG, &block->encoding[0], size, &size)); GNUNET_assert (0 == gcry_sexp_build (&data, &erroff, "(enc-val(flags)(ecc(a %m)))", val)); gcry_mpi_release (val); GNUNET_assert (0 == gcry_pk_decrypt (&resultsexp, data, key->sexp)); gcry_sexp_release (data); /* resultsexp has format "(value %m)" */ GNUNET_assert (NULL != (val = gcry_sexp_nth_mpi (resultsexp, 1, GCRYMPI_FMT_USG))); gcry_sexp_release (resultsexp); size = max + GNUNET_CRYPTO_ECC_DATA_ENCODING_LENGTH * 2; tmp = GNUNET_malloc (size); GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG, tmp, size, &size, val)); gcry_mpi_release (val); endp = tmp; endp += (size - max); size = max; memcpy (result, endp, size); GNUNET_free (tmp); return size; } /** * Sign a given block. * * @param key private key to use for the signing * @param purpose what to sign (size, purpose) * @param sig where to write the signature * @return GNUNET_SYSERR on error, GNUNET_OK on success */ int GNUNET_CRYPTO_ecc_sign (const struct GNUNET_CRYPTO_EccPrivateKey *key, const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, struct GNUNET_CRYPTO_EccSignature *sig) { gcry_sexp_t result; gcry_sexp_t data; size_t ssize; gcry_mpi_t rval; struct GNUNET_HashCode hc; char *buff; int bufSize; GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc); #define FORMATSTRING "(4:data(5:flags5:pkcs1)(4:hash6:sha51264:0123456789012345678901234567890123456789012345678901234567890123))" bufSize = strlen (FORMATSTRING) + 1; buff = GNUNET_malloc (bufSize); memcpy (buff, FORMATSTRING, bufSize); memcpy (&buff [bufSize - strlen ("0123456789012345678901234567890123456789012345678901234567890123))") - 1], &hc, sizeof (struct GNUNET_HashCode)); GNUNET_assert (0 == gcry_sexp_new (&data, buff, bufSize, 0)); GNUNET_free (buff); GNUNET_assert (0 == gcry_pk_sign (&result, data, key->sexp)); gcry_sexp_release (data); GNUNET_assert (0 == key_from_sexp (&rval, result, "ecc", "s")); gcry_sexp_release (result); ssize = sizeof (struct GNUNET_CRYPTO_EccSignature); GNUNET_assert (0 == gcry_mpi_print (GCRYMPI_FMT_USG, (unsigned char *) sig, ssize, &ssize, rval)); gcry_mpi_release (rval); adjust (sig->sig, ssize, sizeof (struct GNUNET_CRYPTO_EccSignature)); return GNUNET_OK; } /** * Verify signature. * * @param purpose what is the purpose that the signature should have? * @param validate block to validate (size, purpose, data) * @param sig signature that is being validated * @param publicKey public key of the signer * @returns GNUNET_OK if ok, GNUNET_SYSERR if invalid */ int GNUNET_CRYPTO_ecc_verify (uint32_t purpose, const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, const struct GNUNET_CRYPTO_EccSignature *sig, const struct GNUNET_CRYPTO_EccPublicKeyBinaryEncoded *publicKey) { gcry_sexp_t data; gcry_sexp_t sigdata; size_t size; gcry_mpi_t val; gcry_sexp_t psexp; struct GNUNET_HashCode hc; char *buff; int bufSize; size_t erroff; int rc; if (purpose != ntohl (validate->purpose)) return GNUNET_SYSERR; /* purpose mismatch */ GNUNET_CRYPTO_hash (validate, ntohl (validate->size), &hc); size = sizeof (struct GNUNET_CRYPTO_EccSignature); GNUNET_assert (0 == gcry_mpi_scan (&val, GCRYMPI_FMT_USG, (const unsigned char *) sig, size, &size)); GNUNET_assert (0 == gcry_sexp_build (&sigdata, &erroff, "(sig-val(ecc(s %m)))", val)); gcry_mpi_release (val); bufSize = strlen (FORMATSTRING) + 1; buff = GNUNET_malloc (bufSize); memcpy (buff, FORMATSTRING, bufSize); memcpy (&buff [strlen (FORMATSTRING) - strlen ("0123456789012345678901234567890123456789012345678901234567890123))")], &hc, sizeof (struct GNUNET_HashCode)); GNUNET_assert (0 == gcry_sexp_new (&data, buff, bufSize, 0)); GNUNET_free (buff); if (! (psexp = decode_public_key (publicKey))) { gcry_sexp_release (data); gcry_sexp_release (sigdata); return GNUNET_SYSERR; } rc = gcry_pk_verify (sigdata, data, psexp); gcry_sexp_release (psexp); gcry_sexp_release (data); gcry_sexp_release (sigdata); if (rc) { LOG (GNUNET_ERROR_TYPE_WARNING, _("ECC signature verification failed at %s:%d: %s\n"), __FILE__, __LINE__, gcry_strerror (rc)); return GNUNET_SYSERR; } return GNUNET_OK; } /* end of crypto_ecc.c */