author | Markus Teich <markus.teich@stusta.mhn.de> | 2016-06-12 01:14:56 +0200 |
---|---|---|
committer | Markus Teich <markus.teich@stusta.mhn.de> | 2016-06-12 01:14:56 +0200 |
commit | 381d21c602b70afb8a3f8b07d7872b26fc4e2d7d (patch) | |
tree | fcb0090b58e0bad065eaa826253c75410f5e45f1 /crypto.c | |
parent | 1d3b927c3743f626f0ffb3f49c8167c4efb34a67 (diff) | |
add crypto backend
Diffstat (limited to 'crypto.c')
-rw-r--r-- | crypto.c | 343 |
1 files changed, 343 insertions, 0 deletions
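diff --git a/crypto.c b/crypto.c
new file mode 100644
index 0000000..399cd21
--- /dev/null
+++ b/crypto.c
@@ -0,0 +1,343 @@
+/* This file is part of libbrandt.
+* Copyright (C) 2016 GNUnet e.V.
+*
+* libbrandt is free software: you can redistribute it and/or modify it under
+* the terms of the GNU General Public License as published by the Free Software
+* Foundation, either version 3 of the License, or (at your option) any later
+* version.
+*
+* libbrandt is distributed in the hope that it will be useful, but WITHOUT ANY
+* WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
+* A PARTICULAR PURPOSE. See the GNU General Public License for more details.
+*
+* You should have received a copy of the GNU General Public License along with
+* libbrandt. If not, see <http://www.gnu.org/licenses/>.
+*/
+
+/**
+* @file crypto.c
+* @brief Implementation of the crypto primitives.
+*/
+
+#include <arpa/inet.h>
+
+#include "crypto.h"
+#include "util.h"
+
+#define CURVE "Ed25519"
+
+/* --- RANDOM --- */
+
+void
+brandt_rand_poll ()
+{
+static unsigned char rand_amount = 255;
+
+if (!(rand_amount--))
+gcry_fast_random_poll ();
+}
+
+/* --- HASHING --- */
+
+/**
+* Hash block of given size.
+*
+* @param block the data to #brandt_hash, length is given as a second argument
+* @param size the length of the data to #brandt_hash in @a block
+* @param ret pointer to where to write the hashcode
+*/
+void
+brandt_hash (const void *block, size_t size, struct brandt_hash_code *ret)
+{
+gcry_md_hash_buffer (GCRY_MD_SHA512, ret, block, size);
+}
+
+/* --- MPI --- */
+
+/**
+* If target != size, move @a target bytes to the end of the size-sized
+* buffer and zero out the first @a target - @a size bytes.
+*
+* @param buf original buffer
+* @param size number of bytes in @a buf
+* @param target target size of the buffer
+*/
+static void
+adjust (void *buf, size_t size, size_t target)
+{
+char *p = buf;
+
+if (size < target)
+{
+memmove (&p[target - size], buf, size);
+memset (buf, 0, target - size);
+}
+}
+
+/**
+* Output the given MPI value to the given buffer in
+* network byte order.
+* The MPI @a val may not be negative.
+*
+* @param buf where to output to
+* @param size number of bytes in @a buf
+* @param val value to write to @a buf
+*/
+void
+brandt_mpi_print_unsigned (void *buf, size_t size, gcry_mpi_t val)
+{
+size_t rsize;
+gcry_error_t rc;
+
+if (gcry_mpi_get_flag (val, GCRYMPI_FLAG_OPAQUE))
+{
+/* Store opaque MPIs left aligned into the buffer. */
+unsigned int nbits;
+const void *p;
+
+p = gcry_mpi_get_opaque (val, &nbits);
+brandt_assert (NULL != p);
+rsize = (nbits + 7) / 8;
+if (rsize > size)
+rsize = size;
+memcpy (buf, p, rsize);
+if (rsize < size)
+memset (((char *)buf) + rsize, 0, size - rsize);
+}
+else
+{
+/* Store regular MPIs as unsigned integers right aligned into the buffer. */
+rsize = size;
+rc = gcry_mpi_print (GCRYMPI_FMT_USG, buf, rsize, &rsize, val);
+brandt_assert_gpgerr (rc);
+adjust (buf, rsize, size);
+}
+}
+
+/**
+* Convert data buffer into MPI value.
+* The buffer is interpreted as network
+* byte order, unsigned integer.
+*
+* @param result where to store MPI value (allocated)
+* @param data raw data (GCRYMPI_FMT_USG)
+* @param size number of bytes in @a data
+*/
+void
+brandt_mpi_scan_unsigned (gcry_mpi_t *result, const void *data, size_t size)
+{
+gcry_error_t rc;
+
+rc = gcry_mpi_scan (result, GCRYMPI_FMT_USG, data, size, &size);
+brandt_assert_gpgerr (rc);
+}
+
+/* --- ECDHE --- */
+
+/**
+* Convert the given private key from the network format to the
+* S-expression that can be used by libgcrypt.
+*
+* @param priv private key to decode
+* @return NULL on error
+*/
+static gcry_sexp_t
+decode_private_ecdhe_key (const struct brandt_dhe_skey *priv)
+{
+gcry_sexp_t result;
+gcry_error_t rc;
+
+rc = gcry_sexp_build (&result, NULL,
+"(private-key(ecc(curve \"" CURVE "\")"
+"(d %b)))",
+(int)sizeof (priv->d), priv->d);
+brandt_assert_gpgerr (rc);
+return result;
+}
+
+/**
+* Extract values from an S-expression.
+*
+* @param array where to store the result(s)
+* @param sexp S-expression to parse
+* @param topname top-level name in the S-expression that is of interest
+* @param elems names of the elements to extract
+* @return 0 on success
+*/
+static int
+key_from_sexp (gcry_mpi_t *array, gcry_sexp_t sexp, const char *topname,
+const char *elems)
+{
+gcry_sexp_t list;
+gcry_sexp_t l2;
+const char *s;
+unsigned int i;
+unsigned int idx;
+
+list = gcry_sexp_find_token (sexp, topname, 0);
+if (!list)
+return 1;
+l2 = gcry_sexp_cadr (list);
+gcry_sexp_release (list);
+list = l2;
+if (!list)
+return 2;
+idx = 0;
+for (s = elems; *s; s++, idx++)
+{
+l2 = gcry_sexp_find_token (list, s, 1);
+if (!l2)
+{
+for (i = 0; i < idx; i++)
+{
+gcry_free (array[i]);
+array[i] = NULL;
+}
+gcry_sexp_release (list);
+return 3; /* required parameter not found */
+}
+array[idx] = gcry_sexp_nth_mpi (l2, 1, GCRYMPI_FMT_USG);
+gcry_sexp_release (l2);
+if (!array[idx])
+{
+for (i = 0; i < idx; i++)
+{
+gcry_free (array[i]);
+array[i] = NULL;
+}
+gcry_sexp_release (list);
+return 4; /* required parameter is invalid */
+}
+}
+gcry_sexp_release (list);
+return 0;
+}
+
+/**
+* Create a new private key.
+*
+* @param priv where to write the private key
+*/
+void
+brandt_ecdhe_key_create (struct brandt_dhe_skey *priv)
+{
+gcry_sexp_t priv_sexp;
+gcry_sexp_t s_keyparam;
+gcry_mpi_t d;
+gcry_error_t rc;
+
+rc = gcry_sexp_build (&s_keyparam, NULL, "(genkey(ecc(curve \"" CURVE "\")"
+"(flags)))")
+brandt_assert_gpgerr (rc);
+rc = gcry_pk_genkey (&priv_sexp, s_keyparam)
+brandt_assert_gpgerr (rc);
+gcry_sexp_release (s_keyparam);
+rc = key_from_sexp (&d, priv_sexp, "private-key", "d")
+brandt_assert_gpgerr (rc);
+gcry_sexp_release (priv_sexp);
+brandt_mpi_print_unsigned (priv->d, sizeof (priv->d), d);
+gcry_mpi_release (d);
+}
+
+/**
+* Extract the public key for the given private key.
+*
+* @param priv the private key
+* @param pub where to write the public key
+*/
+void
+brandt_ecdhe_key_get_public (const struct brandt_dhe_skey *priv,
+struct brandt_dhe_pkey *pub)
+{
+gcry_sexp_t sexp;
+gcry_ctx_t ctx;
+gcry_mpi_t q;
+gcry_error_t rc;
+
+sexp = decode_private_ecdhe_key (priv);
+brandt_assert (NULL != sexp);
+rc = gcry_mpi_ec_new (&ctx, sexp, NULL);
+brandt_assert_gpgerr (rc);
+gcry_sexp_release (sexp);
+q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0);
+brandt_assert (NULL != q);
+brandt_mpi_print_unsigned (pub->q_y, sizeof (pub->q_y), q);
+gcry_mpi_release (q);
+gcry_ctx_release (ctx);
+}
+
+/**
+* Derive key material from a public and a private ECDHE key.
+*
+* @param priv private key to use for the ECDH (x)
+* @param pub public key to use for the ECDH (yG)
+* @param key_material where to write the key material (xyG)
+* @return 0 on error, 1 on success
+*/
+int
+brandt_ecdhe (const struct brandt_dhe_skey *priv,
+const struct brandt_dhe_pkey *pub,
+struct brandt_hash_code *key_material)
+{
+gcry_error_t rc;
+int rc2;
+gcry_mpi_point_t result;
+gcry_mpi_point_t q;
+gcry_mpi_t d;
+gcry_ctx_t ctx;
+gcry_sexp_t pub_sexpr;
+gcry_mpi_t result_x;
+unsigned char xbuf[256 / 8];
+size_t rsize;
+
+/* first, extract the q = dP value from the public key */
+if (0 != gcry_sexp_build (&pub_sexpr, NULL,
+"(public-key(ecc(curve " CURVE ")(q %b)))",
+(int)sizeof (pub->q_y), pub->q_y))
+return 0;
+rc = gcry_mpi_ec_new (&ctx, pub_sexpr, NULL);
+brandt_assert_gpgerr (rc);
+gcry_sexp_release (pub_sexpr);
+q = gcry_mpi_ec_get_point ("q", ctx, 0);
+
+/* second, extract the d value from our private key */
+brandt_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d));
+
+/* then call the 'multiply' function, to compute the product */
+result = gcry_mpi_point_new (0);
+gcry_mpi_ec_mul (result, d, q, ctx);
+gcry_mpi_point_release (q);
+gcry_mpi_release (d);
+
+/* finally, convert point to string for hashing */
+result_x = gcry_mpi_new (256);
+rc = gcry_mpi_ec_get_affine (result_x, NULL, result, ctx);
+brandt_assert (0 == rc);
+gcry_mpi_point_release (result);
+gcry_ctx_release (ctx);
+
+rsize = sizeof (xbuf);
+rc2 = gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE);
+brandt_assert (0 == rc2);
+/* result_x can be negative here, so we do not use 'brandt_mpi_print_unsigned'
+* as that does not include the sign bit; x should be a 255-bit
+* value, so with the sign it should fit snugly into the 256-bit
+* xbuf */
+rc = gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize, result_x);
+brandt_assert_gpgerr (rc);
+brandt_hash (xbuf, rsize, key_material);
+gcry_mpi_release (result_x);
+return 1;
+}
+
+/**
+* @ingroup crypto
+* Clear memory that was used to store a private key.
+*
+* @param pk location of the key
+*/
+void
+brandt_ecdhe_key_clear (struct brandt_dhe_skey *pk)
+{
+memset (pk, 0, sizeof (struct brandt_dhe_skey));
+}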
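Review bot: In `brandt_ecdhe` the peer-supplied `pub->q_y` is only vetted by `gcry_sexp_build`: a failing `gcry_mpi_ec_new` runs into `brandt_assert_gpgerr`, and the point returned by `gcry_mpi_ec_get_point ("q", ctx, 0)` is handed to `gcry_mpi_ec_mul` without a NULL check. The function already documents `0 on error`, so both paths should release what they hold and return 0; the assert macro is defined outside this file, but if it aborts, a malformed key from the other party ends the process instead of failing the exchange. The shared x-coordinate in `xbuf` is left on the stack unwiped, and `brandt_ecdhe_key_clear` relies on a plain `memset`, which an optimizer may drop when it can prove the object is dead, so a wipe that cannot be elided (for example `explicit_bzero` where available) is safer for both. Separately, `brandt_ecdhe_key_create` as shown lacks the `;` after its `gcry_sexp_build`, `gcry_pk_genkey` and `key_from_sexp` calls, and `key_from_sexp` frees MPIs with `gcry_free` where `gcry_mpi_release` is the matching call.

```c
	/* … unchanged: gcry_sexp_build of pub_sexpr, returns 0 on failure … */
	rc = gcry_mpi_ec_new (&ctx, pub_sexpr, NULL);
	gcry_sexp_release (pub_sexpr);
	if (0 != rc)
		return 0; /* libgcrypt rejected the peer's key */
	q = gcry_mpi_ec_get_point ("q", ctx, 0);
	if (NULL == q)
	{
		gcry_ctx_release (ctx);
		return 0;
	}
	/* … unchanged: scan d, gcry_mpi_ec_mul, affine conversion, hashing … */
```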