X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=src%2Futil%2Fcrypto_ecc.c;h=4bba395b32b8fc77a7d5425078ba7bf12ad20b3f;hb=225ea594e86e56160b0f89b5cace24291cc6184b;hp=1215512f46f01d601f8c57b8d1a9f0ceefc4d888;hpb=d5d073a8b040165be91a59cbdf6344bb698a760d;p=oweals%2Fgnunet.git diff --git a/src/util/crypto_ecc.c b/src/util/crypto_ecc.c index 1215512f4..4bba395b3 100644 --- a/src/util/crypto_ecc.c +++ b/src/util/crypto_ecc.c @@ -1,6 +1,6 @@ /* This file is part of GNUnet. - (C) 2012, 2013 Christian Grothoff (and other contributing authors) + Copyright (C) 2012, 2013, 2015 GNUnet e.V. GNUnet is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published @@ -14,8 +14,8 @@ You should have received a copy of the GNU General Public License along with GNUnet; see the file COPYING. If not, write to the - Free Software Foundation, Inc., 59 Temple Place - Suite 330, - Boston, MA 02111-1307, USA. + Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor, + Boston, MA 02110-1301, USA. */ /** @@ -25,20 +25,18 @@ */ #include "platform.h" #include -#include "gnunet_common.h" -#include "gnunet_util_lib.h" +#include "gnunet_crypto_lib.h" +#include "gnunet_strings_lib.h" -#define EXTRA_CHECKS ALLOW_EXTRA_CHECKS +#define EXTRA_CHECKS 0 /** * Name of the curve we are using. Note that we have hard-coded * structs that use 256 bits, so using a bigger curve will require * changes that break stuff badly. The name of the curve given here * must be agreed by all peers and be supported by libgcrypt. - * - * NOTE: this will change to Curve25519 before GNUnet 0.10.0. */ -#define CURVE "NIST P-256" +#define CURVE "Ed25519" #define LOG(kind,...) GNUNET_log_from (kind, "util", __VA_ARGS__) @@ -64,7 +62,9 @@ * @return 0 on success */ static int -key_from_sexp (gcry_mpi_t * array, gcry_sexp_t sexp, const char *topname, +key_from_sexp (gcry_mpi_t * array, + gcry_sexp_t sexp, + const char *topname, const char *elems) { gcry_sexp_t list; @@ -74,13 +74,13 @@ key_from_sexp (gcry_mpi_t * array, gcry_sexp_t sexp, const char *topname, unsigned int idx; list = gcry_sexp_find_token (sexp, topname, 0); - if (! list) - return 1; + if (! list) + return 1; l2 = gcry_sexp_cadr (list); gcry_sexp_release (list); list = l2; - if (! list) - return 2; + if (! list) + return 2; idx = 0; for (s = elems; *s; s++, idx++) @@ -115,69 +115,68 @@ key_from_sexp (gcry_mpi_t * array, gcry_sexp_t sexp, const char *topname, /** - * If target != size, move @a target bytes to the end of the size-sized - * buffer and zero out the first @a target - @a size bytes. + * Convert the given private key from the network format to the + * S-expression that can be used by libgcrypt. * - * @param buf original buffer - * @param size number of bytes in @a buf - * @param target target size of the buffer + * @param priv private key to decode + * @return NULL on error */ -static void -adjust (unsigned char *buf, - size_t size, - size_t target) +static gcry_sexp_t +decode_private_ecdsa_key (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv) { - if (size < target) + gcry_sexp_t result; + int rc; + + rc = gcry_sexp_build (&result, NULL, + "(private-key(ecc(curve \"" CURVE "\")" + "(d %b)))", + (int) sizeof (priv->d), priv->d); + if (0 != rc) { - memmove (&buf[target - size], buf, size); - memset (buf, 0, target - size); + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); + GNUNET_assert (0); } +#if EXTRA_CHECKS + if (0 != (rc = gcry_pk_testkey (result))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc); + GNUNET_assert (0); + } +#endif + return result; } /** - * Output the given MPI value to the given buffer. - * - * @param buf where to output to - * @param size number of bytes in @a buf - * @param val value to write to @a buf - */ -static void -mpi_print (unsigned char *buf, - size_t size, - gcry_mpi_t val) -{ - size_t rsize; - - rsize = size; - GNUNET_assert (0 == - gcry_mpi_print (GCRYMPI_FMT_USG, buf, rsize, &rsize, - val)); - adjust (buf, rsize, size); -} - - -/** - * Convert data buffer into MPI value. + * Convert the given private key from the network format to the + * S-expression that can be used by libgcrypt. * - * @param result where to store MPI value (allocated) - * @param data raw data (GCRYMPI_FMT_USG) - * @param size number of bytes in data + * @param priv private key to decode + * @return NULL on error */ -static void -mpi_scan (gcry_mpi_t *result, - const unsigned char *data, - size_t size) +static gcry_sexp_t +decode_private_eddsa_key (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv) { + gcry_sexp_t result; int rc; - if (0 != (rc = gcry_mpi_scan (result, - GCRYMPI_FMT_USG, - data, size, &size))) + rc = gcry_sexp_build (&result, NULL, + "(private-key(ecc(curve \"" CURVE "\")" + "(flags eddsa)(d %b)))", + (int)sizeof (priv->d), priv->d); + if (0 != rc) { - LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_mpi_scan", rc); + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); GNUNET_assert (0); } +#if EXTRA_CHECKS + if (0 != (rc = gcry_pk_testkey (result))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc); + GNUNET_assert (0); + } +#endif + return result; } @@ -189,22 +188,18 @@ mpi_scan (gcry_mpi_t *result, * @return NULL on error */ static gcry_sexp_t -decode_private_key (const struct GNUNET_CRYPTO_EccPrivateKey *priv) +decode_private_ecdhe_key (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv) { gcry_sexp_t result; - gcry_mpi_t d; int rc; - mpi_scan (&d, - priv->d, - sizeof (priv->d)); rc = gcry_sexp_build (&result, NULL, - "(private-key(ecdsa(curve \"" CURVE "\")(d %m)))", - d); - gcry_mpi_release (d); + "(private-key(ecc(curve \"" CURVE "\")" + "(d %b)))", + (int)sizeof (priv->d), priv->d); if (0 != rc) { - LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); GNUNET_assert (0); } #if EXTRA_CHECKS @@ -219,33 +214,28 @@ decode_private_key (const struct GNUNET_CRYPTO_EccPrivateKey *priv) /** - * Initialize public key struct from the respective point - * on the curve. + * Extract the public key for the given private key. * - * @param q point on curve - * @param pub public key struct to initialize - * @param ctx context to use for ECC operations - */ -static void -point_to_public_key (gcry_mpi_point_t q, - gcry_ctx_t ctx, - struct GNUNET_CRYPTO_EccPublicSignKey *pub) + * @param priv the private key + * @param pub where to write the public key + */ +void +GNUNET_CRYPTO_ecdsa_key_get_public (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, + struct GNUNET_CRYPTO_EcdsaPublicKey *pub) { - gcry_mpi_t q_x; - gcry_mpi_t q_y; - - q_x = gcry_mpi_new (256); - q_y = gcry_mpi_new (256); - if (gcry_mpi_ec_get_affine (q_x, q_y, q, ctx)) - { - LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0); - return; - } + gcry_sexp_t sexp; + gcry_ctx_t ctx; + gcry_mpi_t q; - mpi_print (pub->q_x, sizeof (pub->q_x), q_x); - mpi_print (pub->q_y, sizeof (pub->q_y), q_y); - gcry_mpi_release (q_x); - gcry_mpi_release (q_y); + sexp = decode_private_ecdsa_key (priv); + GNUNET_assert (NULL != sexp); + GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL)); + gcry_sexp_release (sexp); + q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0); + GNUNET_assert (NULL != q); + GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof (pub->q_y), q); + gcry_mpi_release (q); + gcry_ctx_release (ctx); } @@ -256,21 +246,79 @@ point_to_public_key (gcry_mpi_point_t q, * @param pub where to write the public key */ void -GNUNET_CRYPTO_ecc_key_get_public_for_signature (const struct GNUNET_CRYPTO_EccPrivateKey *priv, - struct GNUNET_CRYPTO_EccPublicSignKey *pub) +GNUNET_CRYPTO_eddsa_key_get_public (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, + struct GNUNET_CRYPTO_EddsaPublicKey *pub) { gcry_sexp_t sexp; gcry_ctx_t ctx; - gcry_mpi_point_t q; + gcry_mpi_t q; - sexp = decode_private_key (priv); + sexp = decode_private_eddsa_key (priv); GNUNET_assert (NULL != sexp); GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL)); gcry_sexp_release (sexp); - q = gcry_mpi_ec_get_point ("q", ctx, 0); - point_to_public_key (q, ctx, pub); + q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0); + GNUNET_assert (q); + GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof (pub->q_y), q); + gcry_mpi_release (q); gcry_ctx_release (ctx); - gcry_mpi_point_release (q); +} + + +/** + * Extract the public key for the given private key. + * + * @param priv the private key + * @param pub where to write the public key + */ +void +GNUNET_CRYPTO_ecdhe_key_get_public (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, + struct GNUNET_CRYPTO_EcdhePublicKey *pub) +{ + gcry_sexp_t sexp; + gcry_ctx_t ctx; + gcry_mpi_t q; + + sexp = decode_private_ecdhe_key (priv); + GNUNET_assert (NULL != sexp); + GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, sexp, NULL)); + gcry_sexp_release (sexp); + q = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0); + GNUNET_assert (q); + GNUNET_CRYPTO_mpi_print_unsigned (pub->q_y, sizeof (pub->q_y), q); + gcry_mpi_release (q); + gcry_ctx_release (ctx); +} + + +/** + * Convert a public key to a string. + * + * @param pub key to convert + * @return string representing @a pub + */ +char * +GNUNET_CRYPTO_ecdsa_public_key_to_string (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub) +{ + char *pubkeybuf; + size_t keylen = (sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)) * 8; + char *end; + + if (keylen % 5 > 0) + keylen += 5 - keylen % 5; + keylen /= 5; + pubkeybuf = GNUNET_malloc (keylen + 1); + end = GNUNET_STRINGS_data_to_string ((unsigned char *) pub, + sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey), + pubkeybuf, + keylen); + if (NULL == end) + { + GNUNET_free (pubkeybuf); + return NULL; + } + *end = '\0'; + return pubkeybuf; } @@ -281,19 +329,19 @@ GNUNET_CRYPTO_ecc_key_get_public_for_signature (const struct GNUNET_CRYPTO_EccPr * @return string representing @a pub */ char * -GNUNET_CRYPTO_ecc_public_sign_key_to_string (const struct GNUNET_CRYPTO_EccPublicSignKey *pub) +GNUNET_CRYPTO_eddsa_public_key_to_string (const struct GNUNET_CRYPTO_EddsaPublicKey *pub) { char *pubkeybuf; - size_t keylen = (sizeof (struct GNUNET_CRYPTO_EccPublicSignKey)) * 8; + size_t keylen = (sizeof (struct GNUNET_CRYPTO_EddsaPublicKey)) * 8; char *end; if (keylen % 5 > 0) keylen += 5 - keylen % 5; keylen /= 5; pubkeybuf = GNUNET_malloc (keylen + 1); - end = GNUNET_STRINGS_data_to_string ((unsigned char *) pub, - sizeof (struct GNUNET_CRYPTO_EccPublicSignKey), - pubkeybuf, + end = GNUNET_STRINGS_data_to_string ((unsigned char *) pub, + sizeof (struct GNUNET_CRYPTO_EddsaPublicKey), + pubkeybuf, keylen); if (NULL == end) { @@ -314,11 +362,11 @@ GNUNET_CRYPTO_ecc_public_sign_key_to_string (const struct GNUNET_CRYPTO_EccPubli * @return #GNUNET_OK on success */ int -GNUNET_CRYPTO_ecc_public_sign_key_from_string (const char *enc, - size_t enclen, - struct GNUNET_CRYPTO_EccPublicSignKey *pub) +GNUNET_CRYPTO_ecdsa_public_key_from_string (const char *enc, + size_t enclen, + struct GNUNET_CRYPTO_EcdsaPublicKey *pub) { - size_t keylen = (sizeof (struct GNUNET_CRYPTO_EccPublicSignKey)) * 8; + size_t keylen = (sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey)) * 8; if (keylen % 5 > 0) keylen += 5 - keylen % 5; @@ -328,44 +376,106 @@ GNUNET_CRYPTO_ecc_public_sign_key_from_string (const char *enc, if (GNUNET_OK != GNUNET_STRINGS_string_to_data (enc, enclen, pub, - sizeof (struct GNUNET_CRYPTO_EccPublicSignKey))) + sizeof (struct GNUNET_CRYPTO_EcdsaPublicKey))) return GNUNET_SYSERR; return GNUNET_OK; } /** - * Convert the given public key from the network format to the - * S-expression that can be used by libgcrypt. + * Convert a string representing a public key to a public key. * - * @param pub public key to decode - * @return NULL on error + * @param enc encoded public key + * @param enclen number of bytes in @a enc (without 0-terminator) + * @param pub where to store the public key + * @return #GNUNET_OK on success */ -static gcry_sexp_t -decode_public_sign_key (const struct GNUNET_CRYPTO_EccPublicSignKey *pub) +int +GNUNET_CRYPTO_eddsa_public_key_from_string (const char *enc, + size_t enclen, + struct GNUNET_CRYPTO_EddsaPublicKey *pub) { - gcry_sexp_t pub_sexp; - gcry_mpi_t q_x; - gcry_mpi_t q_y; - gcry_mpi_point_t q; - gcry_ctx_t ctx; + size_t keylen = (sizeof (struct GNUNET_CRYPTO_EddsaPublicKey)) * 8; - mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x)); - mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y)); - q = gcry_mpi_point_new (256); - gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE); - gcry_mpi_release (q_x); - gcry_mpi_release (q_y); + if (keylen % 5 > 0) + keylen += 5 - keylen % 5; + keylen /= 5; + if (enclen != keylen) + return GNUNET_SYSERR; - /* initialize 'ctx' with 'q' */ - GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); - gcry_mpi_ec_set_point ("q", q, ctx); - gcry_mpi_point_release (q); + if (GNUNET_OK != GNUNET_STRINGS_string_to_data (enc, enclen, + pub, + sizeof (struct GNUNET_CRYPTO_EddsaPublicKey))) + return GNUNET_SYSERR; + return GNUNET_OK; +} - /* convert 'ctx' to 'sexp' */ - GNUNET_assert (0 == gcry_pubkey_get_sexp (&pub_sexp, GCRY_PK_GET_PUBKEY, ctx)); - gcry_ctx_release (ctx); - return pub_sexp; + +/** + * Convert a string representing a private key to a private key. + * + * @param enc encoded public key + * @param enclen number of bytes in @a enc (without 0-terminator) + * @param priv where to store the private key + * @return #GNUNET_OK on success + */ +int +GNUNET_CRYPTO_eddsa_private_key_from_string (const char *enc, + size_t enclen, + struct GNUNET_CRYPTO_EddsaPrivateKey *pub) +{ + size_t keylen = (sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey)) * 8; + + if (keylen % 5 > 0) + keylen += 5 - keylen % 5; + keylen /= 5; + if (enclen != keylen) + return GNUNET_SYSERR; + + if (GNUNET_OK != GNUNET_STRINGS_string_to_data (enc, enclen, + pub, + sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey))) + return GNUNET_SYSERR; + return GNUNET_OK; +} + + +/** + * @ingroup crypto + * Clear memory that was used to store a private key. + * + * @param pk location of the key + */ +void +GNUNET_CRYPTO_ecdhe_key_clear (struct GNUNET_CRYPTO_EcdhePrivateKey *pk) +{ + memset (pk, 0, sizeof (struct GNUNET_CRYPTO_EcdhePrivateKey)); +} + + +/** + * @ingroup crypto + * Clear memory that was used to store a private key. + * + * @param pk location of the key + */ +void +GNUNET_CRYPTO_ecdsa_key_clear (struct GNUNET_CRYPTO_EcdsaPrivateKey *pk) +{ + memset (pk, 0, sizeof (struct GNUNET_CRYPTO_EcdsaPrivateKey)); +} + + +/** + * @ingroup crypto + * Clear memory that was used to store a private key. + * + * @param pk location of the key + */ +void +GNUNET_CRYPTO_eddsa_key_clear (struct GNUNET_CRYPTO_EddsaPrivateKey *pk) +{ + memset (pk, 0, sizeof (struct GNUNET_CRYPTO_EddsaPrivateKey)); } @@ -374,17 +484,23 @@ decode_public_sign_key (const struct GNUNET_CRYPTO_EccPublicSignKey *pub) * * @return fresh private key */ -struct GNUNET_CRYPTO_EccPrivateKey * -GNUNET_CRYPTO_ecc_key_create () +struct GNUNET_CRYPTO_EcdhePrivateKey * +GNUNET_CRYPTO_ecdhe_key_create () { - struct GNUNET_CRYPTO_EccPrivateKey *priv; + struct GNUNET_CRYPTO_EcdhePrivateKey *priv; gcry_sexp_t priv_sexp; gcry_sexp_t s_keyparam; gcry_mpi_t d; int rc; + /* NOTE: For libgcrypt >= 1.7, we do not need the 'eddsa' flag here, + but should also be harmless. For libgcrypt < 1.7, using 'eddsa' + disables an expensive key testing routine. We do not want to run + the expensive check for ECDHE, as we generate TONS of keys to + use for a very short time. */ if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL, - "(genkey(ecdsa(curve \"" CURVE "\")))"))) + "(genkey(ecc(curve \"" CURVE "\")" + "(flags eddsa no-keytest)))"))) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); return NULL; @@ -411,284 +527,178 @@ GNUNET_CRYPTO_ecc_key_create () return NULL; } gcry_sexp_release (priv_sexp); - priv = GNUNET_new (struct GNUNET_CRYPTO_EccPrivateKey); - mpi_print (priv->d, sizeof (priv->d), d); + priv = GNUNET_new (struct GNUNET_CRYPTO_EcdhePrivateKey); + GNUNET_CRYPTO_mpi_print_unsigned (priv->d, sizeof (priv->d), d); gcry_mpi_release (d); return priv; } /** - * Get the shared private key we use for anonymous users. + * Create a new private key. Caller must free return value. * - * @return "anonymous" private key - */ -const struct GNUNET_CRYPTO_EccPrivateKey * -GNUNET_CRYPTO_ecc_key_get_anonymous () -{ - /** - * 'anonymous' pseudonym (global static, d=1, public key = G - * (generator). - */ - static struct GNUNET_CRYPTO_EccPrivateKey anonymous; - static int once; - - if (once) - return &anonymous; - mpi_print (anonymous.d, - sizeof (anonymous.d), - GCRYMPI_CONST_ONE); - once = 1; - return &anonymous; -} - - -/** - * Wait for a short time (we're trying to lock a file or want - * to give another process a shot at finishing a disk write, etc.). - * Sleeps for 100ms (as that should be long enough for virtually all - * modern systems to context switch and allow another process to do - * some 'real' work). + * @return fresh private key */ -static void -short_wait () +struct GNUNET_CRYPTO_EcdsaPrivateKey * +GNUNET_CRYPTO_ecdsa_key_create () { - struct GNUNET_TIME_Relative timeout; + struct GNUNET_CRYPTO_EcdsaPrivateKey *priv; + gcry_sexp_t priv_sexp; + gcry_sexp_t s_keyparam; + gcry_mpi_t d; + int rc; - timeout = GNUNET_TIME_relative_multiply (GNUNET_TIME_UNIT_MILLISECONDS, 100); - (void) GNUNET_NETWORK_socket_select (NULL, NULL, NULL, timeout); + if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL, + "(genkey(ecc(curve \"" CURVE "\")" + "(flags)))"))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); + return NULL; + } + if (0 != (rc = gcry_pk_genkey (&priv_sexp, s_keyparam))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_genkey", rc); + gcry_sexp_release (s_keyparam); + return NULL; + } + gcry_sexp_release (s_keyparam); +#if EXTRA_CHECKS + if (0 != (rc = gcry_pk_testkey (priv_sexp))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc); + gcry_sexp_release (priv_sexp); + return NULL; + } +#endif + if (0 != (rc = key_from_sexp (&d, priv_sexp, "private-key", "d"))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "key_from_sexp", rc); + gcry_sexp_release (priv_sexp); + return NULL; + } + gcry_sexp_release (priv_sexp); + priv = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey); + GNUNET_CRYPTO_mpi_print_unsigned (priv->d, sizeof (priv->d), d); + gcry_mpi_release (d); + return priv; } - /** - * Create a new private key by reading it from a file. If the - * files does not exist, create a new key and write it to the - * file. Caller must free return value. Note that this function - * can not guarantee that another process might not be trying - * the same operation on the same file at the same time. - * If the contents of the file - * are invalid the old file is deleted and a fresh key is - * created. + * Create a new private key. Caller must free return value. * - * @param filename name of file to use to store the key - * @return new private key, NULL on error (for example, - * permission denied) + * @return fresh private key */ -struct GNUNET_CRYPTO_EccPrivateKey * -GNUNET_CRYPTO_ecc_key_create_from_file (const char *filename) +struct GNUNET_CRYPTO_EddsaPrivateKey * +GNUNET_CRYPTO_eddsa_key_create () { - struct GNUNET_CRYPTO_EccPrivateKey *priv; - struct GNUNET_DISK_FileHandle *fd; - unsigned int cnt; - int ec; - uint64_t fs; + struct GNUNET_CRYPTO_EddsaPrivateKey *priv; + gcry_sexp_t priv_sexp; + gcry_sexp_t s_keyparam; + gcry_mpi_t d; + int rc; - if (GNUNET_SYSERR == GNUNET_DISK_directory_create_for_file (filename)) + if (0 != (rc = gcry_sexp_build (&s_keyparam, NULL, + "(genkey(ecc(curve \"" CURVE "\")" + "(flags eddsa)))"))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); return NULL; - while (GNUNET_YES != GNUNET_DISK_file_test (filename)) + } + if (0 != (rc = gcry_pk_genkey (&priv_sexp, s_keyparam))) { - fd = GNUNET_DISK_file_open (filename, - GNUNET_DISK_OPEN_WRITE | GNUNET_DISK_OPEN_CREATE - | GNUNET_DISK_OPEN_FAILIFEXISTS, - GNUNET_DISK_PERM_USER_READ | - GNUNET_DISK_PERM_USER_WRITE); - if (NULL == fd) - { - if (EEXIST == errno) - { - if (GNUNET_YES != GNUNET_DISK_file_test (filename)) - { - /* must exist but not be accessible, fail for good! */ - if (0 != ACCESS (filename, R_OK)) - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "access", filename); - else - GNUNET_break (0); /* what is going on!? */ - return NULL; - } - continue; - } - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename); - return NULL; - } - cnt = 0; - while (GNUNET_YES != - GNUNET_DISK_file_lock (fd, 0, - sizeof (struct GNUNET_CRYPTO_EccPrivateKey), - GNUNET_YES)) - { - short_wait (); - if (0 == ++cnt % 10) - { - ec = errno; - LOG (GNUNET_ERROR_TYPE_ERROR, - _("Could not acquire lock on file `%s': %s...\n"), filename, - STRERROR (ec)); - } - } - LOG (GNUNET_ERROR_TYPE_INFO, - _("Creating a new private key. This may take a while.\n")); - priv = GNUNET_CRYPTO_ecc_key_create (); - GNUNET_assert (NULL != priv); - GNUNET_assert (sizeof (*priv) == - GNUNET_DISK_file_write (fd, priv, sizeof (*priv))); - GNUNET_DISK_file_sync (fd); - if (GNUNET_YES != - GNUNET_DISK_file_unlock (fd, 0, - sizeof (struct GNUNET_CRYPTO_EccPrivateKey))) - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); - GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd)); - return priv; + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_genkey", rc); + gcry_sexp_release (s_keyparam); + return NULL; } - /* key file exists already, read it! */ - fd = GNUNET_DISK_file_open (filename, GNUNET_DISK_OPEN_READ, - GNUNET_DISK_PERM_NONE); - if (NULL == fd) + gcry_sexp_release (s_keyparam); +#if EXTRA_CHECKS + if (0 != (rc = gcry_pk_testkey (priv_sexp))) { - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_ERROR, "open", filename); + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_pk_testkey", rc); + gcry_sexp_release (priv_sexp); return NULL; } - cnt = 0; - while (1) +#endif + if (0 != (rc = key_from_sexp (&d, priv_sexp, "private-key", "d"))) { - if (GNUNET_YES != - GNUNET_DISK_file_lock (fd, 0, - sizeof (struct GNUNET_CRYPTO_EccPrivateKey), - GNUNET_NO)) - { - if (0 == ++cnt % 60) - { - ec = errno; - LOG (GNUNET_ERROR_TYPE_ERROR, - _("Could not acquire lock on file `%s': %s...\n"), filename, - STRERROR (ec)); - LOG (GNUNET_ERROR_TYPE_ERROR, - _ - ("This may be ok if someone is currently generating a private key.\n")); - } - short_wait (); - continue; - } - if (GNUNET_YES != GNUNET_DISK_file_test (filename)) - { - /* eh, what!? File we opened is now gone!? */ - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "stat", filename); - if (GNUNET_YES != - GNUNET_DISK_file_unlock (fd, 0, - sizeof (struct GNUNET_CRYPTO_EccPrivateKey))) - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); - GNUNET_assert (GNUNET_OK == GNUNET_DISK_file_close (fd)); - - return NULL; - } - if (GNUNET_OK != GNUNET_DISK_file_size (filename, &fs, GNUNET_YES, GNUNET_YES)) - fs = 0; - if (fs < sizeof (struct GNUNET_CRYPTO_EccPrivateKey)) - { - /* maybe we got the read lock before the key generating - * process had a chance to get the write lock; give it up! */ - if (GNUNET_YES != - GNUNET_DISK_file_unlock (fd, 0, - sizeof (struct GNUNET_CRYPTO_EccPrivateKey))) - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); - if (0 == ++cnt % 10) - { - LOG (GNUNET_ERROR_TYPE_ERROR, - _ - ("When trying to read key file `%s' I found %u bytes but I need at least %u.\n"), - filename, (unsigned int) fs, - (unsigned int) sizeof (struct GNUNET_CRYPTO_EccPrivateKey)); - LOG (GNUNET_ERROR_TYPE_ERROR, - _ - ("This may be ok if someone is currently generating a key.\n")); - } - short_wait (); /* wait a bit longer! */ - continue; - } - break; + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "key_from_sexp", rc); + gcry_sexp_release (priv_sexp); + return NULL; } - fs = sizeof (struct GNUNET_CRYPTO_EccPrivateKey); - priv = GNUNET_malloc (fs); - GNUNET_assert (fs == GNUNET_DISK_file_read (fd, priv, fs)); - if (GNUNET_YES != - GNUNET_DISK_file_unlock (fd, 0, - sizeof (struct GNUNET_CRYPTO_EccPrivateKey))) - LOG_STRERROR_FILE (GNUNET_ERROR_TYPE_WARNING, "fcntl", filename); - GNUNET_assert (GNUNET_YES == GNUNET_DISK_file_close (fd)); + gcry_sexp_release (priv_sexp); + priv = GNUNET_new (struct GNUNET_CRYPTO_EddsaPrivateKey); + GNUNET_CRYPTO_mpi_print_unsigned (priv->d, sizeof (priv->d), d); + gcry_mpi_release (d); return priv; } /** - * Create a new private key by reading our peer's key from - * the file specified in the configuration. + * Get the shared private key we use for anonymous users. * - * @param cfg the configuration to use - * @return new private key, NULL on error (for example, - * permission denied) + * @return "anonymous" private key */ -struct GNUNET_CRYPTO_EccPrivateKey * -GNUNET_CRYPTO_ecc_key_create_from_configuration (const struct GNUNET_CONFIGURATION_Handle *cfg) +const struct GNUNET_CRYPTO_EcdsaPrivateKey * +GNUNET_CRYPTO_ecdsa_key_get_anonymous () { - struct GNUNET_CRYPTO_EccPrivateKey *priv; - char *fn; + /** + * 'anonymous' pseudonym (global static, d=1, public key = G + * (generator). + */ + static struct GNUNET_CRYPTO_EcdsaPrivateKey anonymous; + static int once; - if (GNUNET_OK != - GNUNET_CONFIGURATION_get_value_filename (cfg, "PEER", "PRIVATE_KEY", &fn)) - return NULL; - priv = GNUNET_CRYPTO_ecc_key_create_from_file (fn); - GNUNET_free (fn); - return priv; + if (once) + return &anonymous; + GNUNET_CRYPTO_mpi_print_unsigned (anonymous.d, + sizeof (anonymous.d), + GCRYMPI_CONST_ONE); + once = 1; + return &anonymous; } /** - * Setup a key file for a peer given the name of the - * configuration file (!). This function is used so that - * at a later point code can be certain that reading a - * key is fast (for example in time-dependent testcases). + * Compare two Peer Identities. * - * @param cfg_name name of the configuration file to use + * @param first first peer identity + * @param second second peer identity + * @return bigger than 0 if first > second, + * 0 if they are the same + * smaller than 0 if second > first */ -void -GNUNET_CRYPTO_ecc_setup_key (const char *cfg_name) +int +GNUNET_CRYPTO_cmp_peer_identity (const struct GNUNET_PeerIdentity *first, + const struct GNUNET_PeerIdentity *second) { - struct GNUNET_CONFIGURATION_Handle *cfg; - struct GNUNET_CRYPTO_EccPrivateKey *priv; - - cfg = GNUNET_CONFIGURATION_create (); - (void) GNUNET_CONFIGURATION_load (cfg, cfg_name); - priv = GNUNET_CRYPTO_ecc_key_create_from_configuration (cfg); - if (NULL != priv) - GNUNET_free (priv); - GNUNET_CONFIGURATION_destroy (cfg); + return memcmp (first, second, sizeof (struct GNUNET_PeerIdentity)); } /** - * Retrieve the identity of the host's peer. + * Convert the data specified in the given purpose argument to an + * S-expression suitable for signature operations. * - * @param cfg configuration to use - * @param dst pointer to where to write the peer identity - * @return #GNUNET_OK on success, #GNUNET_SYSERR if the identity - * could not be retrieved + * @param purpose data to convert + * @return converted s-expression */ -int -GNUNET_CRYPTO_get_host_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, - struct GNUNET_PeerIdentity *dst) +static gcry_sexp_t +data_to_eddsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose) { - struct GNUNET_CRYPTO_EccPrivateKey *priv; - struct GNUNET_CRYPTO_EccPublicSignKey pub; + struct GNUNET_HashCode hc; + gcry_sexp_t data; + int rc; - if (NULL == (priv = GNUNET_CRYPTO_ecc_key_create_from_configuration (cfg))) + GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc); + if (0 != (rc = gcry_sexp_build (&data, NULL, + "(data(flags eddsa)(hash-algo %s)(value %b))", + "sha512", + (int)sizeof (hc), &hc))) { - GNUNET_log (GNUNET_ERROR_TYPE_ERROR, - _("Could not load peer's private key\n")); - return GNUNET_SYSERR; + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); + return NULL; } - GNUNET_CRYPTO_ecc_key_get_public_for_signature (priv, &pub); - GNUNET_free (priv); - GNUNET_CRYPTO_hash (&pub, sizeof (pub), &dst->hashPubKey); - return GNUNET_OK; + return data; } @@ -700,23 +710,72 @@ GNUNET_CRYPTO_get_host_identity (const struct GNUNET_CONFIGURATION_Handle *cfg, * @return converted s-expression */ static gcry_sexp_t -data_to_pkcs1 (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose) +data_to_ecdsa_value (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose) { struct GNUNET_HashCode hc; gcry_sexp_t data; int rc; - GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc); - if (0 != (rc = gcry_sexp_build (&data, NULL, - "(data(flags rfc6979)(hash %s %b))", - "sha512", - sizeof (hc), - &hc))) + GNUNET_CRYPTO_hash (purpose, ntohl (purpose->size), &hc); + if (0 != (rc = gcry_sexp_build (&data, NULL, + "(data(flags rfc6979)(hash %s %b))", + "sha512", + (int)sizeof (hc), &hc))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); + return NULL; + } + return data; +} + + +/** + * Sign a given block. + * + * @param priv private key to use for the signing + * @param purpose what to sign (size, purpose) + * @param sig where to write the signature + * @return #GNUNET_SYSERR on error, #GNUNET_OK on success + */ +int +GNUNET_CRYPTO_ecdsa_sign (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, + const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, + struct GNUNET_CRYPTO_EcdsaSignature *sig) +{ + gcry_sexp_t priv_sexp; + gcry_sexp_t sig_sexp; + gcry_sexp_t data; + int rc; + gcry_mpi_t rs[2]; + + priv_sexp = decode_private_ecdsa_key (priv); + data = data_to_ecdsa_value (purpose); + if (0 != (rc = gcry_pk_sign (&sig_sexp, data, priv_sexp))) { - LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); - return NULL; + LOG (GNUNET_ERROR_TYPE_WARNING, + _("ECC signing failed at %s:%d: %s\n"), __FILE__, + __LINE__, gcry_strerror (rc)); + gcry_sexp_release (data); + gcry_sexp_release (priv_sexp); + return GNUNET_SYSERR; } - return data; + gcry_sexp_release (priv_sexp); + gcry_sexp_release (data); + + /* extract 'r' and 's' values from sexpression 'sig_sexp' and store in + 'signature' */ + if (0 != (rc = key_from_sexp (rs, sig_sexp, "sig-val", "rs"))) + { + GNUNET_break (0); + gcry_sexp_release (sig_sexp); + return GNUNET_SYSERR; + } + gcry_sexp_release (sig_sexp); + GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof (sig->r), rs[0]); + GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof (sig->s), rs[1]); + gcry_mpi_release (rs[0]); + gcry_mpi_release (rs[1]); + return GNUNET_OK; } @@ -729,9 +788,9 @@ data_to_pkcs1 (const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose) * @return #GNUNET_SYSERR on error, #GNUNET_OK on success */ int -GNUNET_CRYPTO_ecc_sign (const struct GNUNET_CRYPTO_EccPrivateKey *priv, - const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, - struct GNUNET_CRYPTO_EccSignature *sig) +GNUNET_CRYPTO_eddsa_sign (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, + const struct GNUNET_CRYPTO_EccSignaturePurpose *purpose, + struct GNUNET_CRYPTO_EddsaSignature *sig) { gcry_sexp_t priv_sexp; gcry_sexp_t sig_sexp; @@ -739,12 +798,12 @@ GNUNET_CRYPTO_ecc_sign (const struct GNUNET_CRYPTO_EccPrivateKey *priv, int rc; gcry_mpi_t rs[2]; - priv_sexp = decode_private_key (priv); - data = data_to_pkcs1 (purpose); + priv_sexp = decode_private_eddsa_key (priv); + data = data_to_eddsa_value (purpose); if (0 != (rc = gcry_pk_sign (&sig_sexp, data, priv_sexp))) { LOG (GNUNET_ERROR_TYPE_WARNING, - _("ECC signing failed at %s:%d: %s\n"), __FILE__, + _("EdDSA signing failed at %s:%d: %s\n"), __FILE__, __LINE__, gcry_strerror (rc)); gcry_sexp_release (data); gcry_sexp_release (priv_sexp); @@ -762,8 +821,8 @@ GNUNET_CRYPTO_ecc_sign (const struct GNUNET_CRYPTO_EccPrivateKey *priv, return GNUNET_SYSERR; } gcry_sexp_release (sig_sexp); - mpi_print (sig->r, sizeof (sig->r), rs[0]); - mpi_print (sig->s, sizeof (sig->s), rs[1]); + GNUNET_CRYPTO_mpi_print_unsigned (sig->r, sizeof (sig->r), rs[0]); + GNUNET_CRYPTO_mpi_print_unsigned (sig->s, sizeof (sig->s), rs[1]); gcry_mpi_release (rs[0]); gcry_mpi_release (rs[1]); return GNUNET_OK; @@ -780,38 +839,32 @@ GNUNET_CRYPTO_ecc_sign (const struct GNUNET_CRYPTO_EccPrivateKey *priv, * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid */ int -GNUNET_CRYPTO_ecc_verify (uint32_t purpose, - const struct GNUNET_CRYPTO_EccSignaturePurpose - *validate, - const struct GNUNET_CRYPTO_EccSignature *sig, - const struct GNUNET_CRYPTO_EccPublicSignKey *pub) +GNUNET_CRYPTO_ecdsa_verify (uint32_t purpose, + const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, + const struct GNUNET_CRYPTO_EcdsaSignature *sig, + const struct GNUNET_CRYPTO_EcdsaPublicKey *pub) { gcry_sexp_t data; gcry_sexp_t sig_sexpr; gcry_sexp_t pub_sexpr; int rc; - gcry_mpi_t r; - gcry_mpi_t s; if (purpose != ntohl (validate->purpose)) return GNUNET_SYSERR; /* purpose mismatch */ /* build s-expression for signature */ - mpi_scan (&r, sig->r, sizeof (sig->r)); - mpi_scan (&s, sig->s, sizeof (sig->s)); - if (0 != (rc = gcry_sexp_build (&sig_sexpr, NULL, - "(sig-val(ecdsa(r %m)(s %m)))", - r, s))) + if (0 != (rc = gcry_sexp_build (&sig_sexpr, NULL, + "(sig-val(ecdsa(r %b)(s %b)))", + (int) sizeof (sig->r), sig->r, + (int) sizeof (sig->s), sig->s))) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); - gcry_mpi_release (r); - gcry_mpi_release (s); return GNUNET_SYSERR; } - gcry_mpi_release (r); - gcry_mpi_release (s); - data = data_to_pkcs1 (validate); - if (! (pub_sexpr = decode_public_sign_key (pub))) + data = data_to_ecdsa_value (validate); + if (0 != (rc = gcry_sexp_build (&pub_sexpr, NULL, + "(public-key(ecc(curve " CURVE ")(q %b)))", + (int) sizeof (pub->q_y), pub->q_y))) { gcry_sexp_release (data); gcry_sexp_release (sig_sexpr); @@ -824,7 +877,7 @@ GNUNET_CRYPTO_ecc_verify (uint32_t purpose, if (0 != rc) { LOG (GNUNET_ERROR_TYPE_INFO, - _("ECC signature verification failed at %s:%d: %s\n"), __FILE__, + _("ECDSA signature verification failed at %s:%d: %s\n"), __FILE__, __LINE__, gcry_strerror (rc)); return GNUNET_SYSERR; } @@ -832,43 +885,65 @@ GNUNET_CRYPTO_ecc_verify (uint32_t purpose, } + /** - * Convert the given public key from the network format to the - * S-expression that can be used by libgcrypt. + * Verify signature. * - * @param pub public key to decode - * @return NULL on error + * @param purpose what is the purpose that the signature should have? + * @param validate block to validate (size, purpose, data) + * @param sig signature that is being validated + * @param pub public key of the signer + * @returns #GNUNET_OK if ok, #GNUNET_SYSERR if invalid */ -static gcry_sexp_t -decode_public_encrypt_key (const struct GNUNET_CRYPTO_EccPublicEncryptKey *pub) +int +GNUNET_CRYPTO_eddsa_verify (uint32_t purpose, + const struct GNUNET_CRYPTO_EccSignaturePurpose *validate, + const struct GNUNET_CRYPTO_EddsaSignature *sig, + const struct GNUNET_CRYPTO_EddsaPublicKey *pub) { - gcry_sexp_t pub_sexp; - gcry_mpi_t q_x; - gcry_mpi_t q_y; - gcry_mpi_point_t q; - gcry_ctx_t ctx; - - mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x)); - mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y)); - q = gcry_mpi_point_new (256); - gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE); - gcry_mpi_release (q_x); - gcry_mpi_release (q_y); + gcry_sexp_t data; + gcry_sexp_t sig_sexpr; + gcry_sexp_t pub_sexpr; + int rc; - /* initialize 'ctx' with 'q' */ - GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); - gcry_mpi_ec_set_point ("q", q, ctx); - gcry_mpi_point_release (q); + if (purpose != ntohl (validate->purpose)) + return GNUNET_SYSERR; /* purpose mismatch */ - /* convert 'ctx' to 'sexp' */ - GNUNET_assert (0 == gcry_pubkey_get_sexp (&pub_sexp, GCRY_PK_GET_PUBKEY, ctx)); - gcry_ctx_release (ctx); - return pub_sexp; + /* build s-expression for signature */ + if (0 != (rc = gcry_sexp_build (&sig_sexpr, NULL, + "(sig-val(eddsa(r %b)(s %b)))", + (int)sizeof (sig->r), sig->r, + (int)sizeof (sig->s), sig->s))) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "gcry_sexp_build", rc); + return GNUNET_SYSERR; + } + data = data_to_eddsa_value (validate); + if (0 != (rc = gcry_sexp_build (&pub_sexpr, NULL, + "(public-key(ecc(curve " CURVE ")(flags eddsa)(q %b)))", + (int)sizeof (pub->q_y), pub->q_y))) + { + gcry_sexp_release (data); + gcry_sexp_release (sig_sexpr); + return GNUNET_SYSERR; + } + rc = gcry_pk_verify (sig_sexpr, data, pub_sexpr); + gcry_sexp_release (pub_sexpr); + gcry_sexp_release (data); + gcry_sexp_release (sig_sexpr); + if (0 != rc) + { + LOG (GNUNET_ERROR_TYPE_INFO, + _("EdDSA signature verification failed at %s:%d: %s\n"), __FILE__, + __LINE__, gcry_strerror (rc)); + return GNUNET_SYSERR; + } + return GNUNET_OK; } /** - * Derive key material from a public and a private ECC key. + * Derive key material from a public and a private ECDHE key. * * @param priv private key to use for the ECDH (x) * @param pub public key to use for the ECDH (yG) @@ -876,28 +951,30 @@ decode_public_encrypt_key (const struct GNUNET_CRYPTO_EccPublicEncryptKey *pub) * @return #GNUNET_SYSERR on error, #GNUNET_OK on success */ int -GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EccPrivateKey *priv, - const struct GNUNET_CRYPTO_EccPublicEncryptKey *pub, +GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, + const struct GNUNET_CRYPTO_EcdhePublicKey *pub, struct GNUNET_HashCode *key_material) -{ +{ gcry_mpi_point_t result; gcry_mpi_point_t q; gcry_mpi_t d; gcry_ctx_t ctx; gcry_sexp_t pub_sexpr; gcry_mpi_t result_x; - gcry_mpi_t result_y; unsigned char xbuf[256 / 8]; + size_t rsize; /* first, extract the q = dP value from the public key */ - if (! (pub_sexpr = decode_public_encrypt_key (pub))) + if (0 != gcry_sexp_build (&pub_sexpr, NULL, + "(public-key(ecc(curve " CURVE ")(q %b)))", + (int)sizeof (pub->q_y), pub->q_y)) return GNUNET_SYSERR; GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL)); gcry_sexp_release (pub_sexpr); q = gcry_mpi_ec_get_point ("q", ctx, 0); /* second, extract the d value from our private key */ - mpi_scan (&d, priv->d, sizeof (priv->d)); + GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d)); /* then call the 'multiply' function, to compute the product */ result = gcry_mpi_point_new (0); @@ -907,8 +984,7 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EccPrivateKey *priv, /* finally, convert point to string for hashing */ result_x = gcry_mpi_new (256); - result_y = gcry_mpi_new (256); - if (gcry_mpi_ec_get_affine (result_x, result_y, result, ctx)) + if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx)) { LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0); gcry_mpi_point_release (result); @@ -918,16 +994,25 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EccPrivateKey *priv, gcry_mpi_point_release (result); gcry_ctx_release (ctx); - mpi_print (xbuf, sizeof (xbuf), result_x); - GNUNET_CRYPTO_hash (xbuf, sizeof (xbuf), key_material); + rsize = sizeof (xbuf); + GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE)); + /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned' + as that does not include the sign bit; x should be a 255-bit + value, so with the sign it should fit snugly into the 256-bit + xbuf */ + GNUNET_assert (0 == + gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize, + result_x)); + GNUNET_CRYPTO_hash (xbuf, + rsize, + key_material); gcry_mpi_release (result_x); - gcry_mpi_release (result_y); return GNUNET_OK; } /** - * Derive the 'h' value for key derivation, where + * Derive the 'h' value for key derivation, where * 'h = H(l,P)'. * * @param pub public key for deriviation @@ -935,22 +1020,25 @@ GNUNET_CRYPTO_ecc_ecdh (const struct GNUNET_CRYPTO_EccPrivateKey *priv, * @param context additional context to use for HKDF of 'h'; * typically the name of the subsystem/application * @return h value - */ -static gcry_mpi_t -derive_h (const struct GNUNET_CRYPTO_EccPublicSignKey *pub, + */ +static gcry_mpi_t +derive_h (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, const char *label, const char *context) { gcry_mpi_t h; struct GNUNET_HashCode hc; + static const char *const salt = "key-derivation"; GNUNET_CRYPTO_kdf (&hc, sizeof (hc), - "key-derivation", strlen ("key-derivation"), + salt, strlen (salt), pub, sizeof (*pub), label, strlen (label), context, strlen (context), NULL, 0); - mpi_scan (&h, (unsigned char *) &hc, sizeof (hc)); + GNUNET_CRYPTO_mpi_scan_unsigned (&h, + (unsigned char *) &hc, + sizeof (hc)); return h; } @@ -967,13 +1055,13 @@ derive_h (const struct GNUNET_CRYPTO_EccPublicSignKey *pub, * typically the name of the subsystem/application * @return derived private key */ -struct GNUNET_CRYPTO_EccPrivateKey * -GNUNET_CRYPTO_ecc_key_derive (const struct GNUNET_CRYPTO_EccPrivateKey *priv, - const char *label, - const char *context) +struct GNUNET_CRYPTO_EcdsaPrivateKey * +GNUNET_CRYPTO_ecdsa_private_key_derive (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, + const char *label, + const char *context) { - struct GNUNET_CRYPTO_EccPublicSignKey pub; - struct GNUNET_CRYPTO_EccPrivateKey *ret; + struct GNUNET_CRYPTO_EcdsaPublicKey pub; + struct GNUNET_CRYPTO_EcdsaPrivateKey *ret; gcry_mpi_t h; gcry_mpi_t x; gcry_mpi_t d; @@ -981,18 +1069,22 @@ GNUNET_CRYPTO_ecc_key_derive (const struct GNUNET_CRYPTO_EccPrivateKey *priv, gcry_ctx_t ctx; GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); + n = gcry_mpi_ec_get_mpi ("n", ctx, 1); - GNUNET_CRYPTO_ecc_key_get_public_for_signature (priv, &pub); + GNUNET_CRYPTO_ecdsa_key_get_public (priv, &pub); + h = derive_h (&pub, label, context); - mpi_scan (&x, priv->d, sizeof (priv->d)); + GNUNET_CRYPTO_mpi_scan_unsigned (&x, + priv->d, + sizeof (priv->d)); d = gcry_mpi_new (256); gcry_mpi_mulm (d, h, x, n); gcry_mpi_release (h); gcry_mpi_release (x); gcry_mpi_release (n); gcry_ctx_release (ctx); - ret = GNUNET_new (struct GNUNET_CRYPTO_EccPrivateKey); - mpi_print (ret->d, sizeof (ret->d), d); + ret = GNUNET_new (struct GNUNET_CRYPTO_EcdsaPrivateKey); + GNUNET_CRYPTO_mpi_print_unsigned (ret->d, sizeof (ret->d), d); gcry_mpi_release (d); return ret; } @@ -1003,38 +1095,38 @@ GNUNET_CRYPTO_ecc_key_derive (const struct GNUNET_CRYPTO_EccPrivateKey *priv, * Essentially calculates a public key 'V = H(l,P) * P'. * * @param pub original public key - * @param label label to use for key deriviation + * @param label label to use for key derivation * @param context additional context to use for HKDF of 'h'; * typically the name of the subsystem/application * @param result where to write the derived public key */ void -GNUNET_CRYPTO_ecc_public_key_derive (const struct GNUNET_CRYPTO_EccPublicSignKey *pub, - const char *label, - const char *context, - struct GNUNET_CRYPTO_EccPublicSignKey *result) +GNUNET_CRYPTO_ecdsa_public_key_derive (const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, + const char *label, + const char *context, + struct GNUNET_CRYPTO_EcdsaPublicKey *result) { gcry_ctx_t ctx; + gcry_mpi_t q_y; gcry_mpi_t h; gcry_mpi_t n; gcry_mpi_t h_mod_n; - gcry_mpi_t q_x; - gcry_mpi_t q_y; gcry_mpi_point_t q; gcry_mpi_point_t v; GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, NULL, CURVE)); - - /* obtain point 'q' from original public key */ - mpi_scan (&q_x, pub->q_x, sizeof (pub->q_x)); - mpi_scan (&q_y, pub->q_y, sizeof (pub->q_y)); - - q = gcry_mpi_point_new (0); - gcry_mpi_point_set (q, q_x, q_y, GCRYMPI_CONST_ONE); - gcry_mpi_release (q_x); + + /* obtain point 'q' from original public key. The provided 'q' is + compressed thus we first store it in the context and then get it + back as a (decompresssed) point. */ + q_y = gcry_mpi_set_opaque_copy (NULL, pub->q_y, 8*sizeof (pub->q_y)); + GNUNET_assert (NULL != q_y); + GNUNET_assert (0 == gcry_mpi_ec_set_mpi ("q", q_y, ctx)); gcry_mpi_release (q_y); + q = gcry_mpi_ec_get_point ("q", ctx, 0); + GNUNET_assert (q); - /* calulcate h_mod_n = h % n */ + /* calculate h_mod_n = h % n */ h = derive_h (pub, label, context); n = gcry_mpi_ec_get_mpi ("n", ctx, 1); h_mod_n = gcry_mpi_new (256); @@ -1046,11 +1138,327 @@ GNUNET_CRYPTO_ecc_public_key_derive (const struct GNUNET_CRYPTO_EccPublicSignKey gcry_mpi_release (h); gcry_mpi_release (n); gcry_mpi_point_release (q); + /* convert point 'v' to public key that we return */ - point_to_public_key (v, ctx, result); + GNUNET_assert (0 == gcry_mpi_ec_set_point ("q", v, ctx)); gcry_mpi_point_release (v); + q_y = gcry_mpi_ec_get_mpi ("q@eddsa", ctx, 0); + GNUNET_assert (q_y); + GNUNET_CRYPTO_mpi_print_unsigned (result->q_y, + sizeof (result->q_y), + q_y); + gcry_mpi_release (q_y); + gcry_ctx_release (ctx); +} + + +/** + * Reverse the sequence of the bytes in @a buffer + * + * @param[in|out] buffer buffer to invert + * @param length number of bytes in @a buffer + */ +static void +reverse_buffer (unsigned char *buffer, + size_t length) +{ + unsigned char tmp; + size_t i; + + for (i=0; i < length/2; i++) + { + tmp = buffer[i]; + buffer[i] = buffer[length-1-i]; + buffer[length-1-i] = tmp; + } +} + + +/** + * Convert the secret @a d of an EdDSA key to the + * value that is actually used in the EdDSA computation. + * + * @param d secret input + * @return value used for the calculation in EdDSA + */ +static gcry_mpi_t +eddsa_d_to_a (gcry_mpi_t d) +{ + unsigned char rawmpi[32]; /* 256-bit value */ + size_t rawmpilen; + unsigned char digest[64]; /* 512-bit hash value */ + gcry_buffer_t hvec[2]; + int b; + gcry_mpi_t a; + + b = 256 / 8; /* number of bytes in `d` */ + + /* Note that we clear DIGEST so we can use it as input to left pad + the key with zeroes for hashing. */ + memset (hvec, 0, sizeof hvec); + rawmpilen = sizeof (rawmpi); + GNUNET_assert (0 == + gcry_mpi_print (GCRYMPI_FMT_USG, + rawmpi, rawmpilen, &rawmpilen, + d)); + hvec[0].data = digest; + hvec[0].off = 0; + hvec[0].len = b > rawmpilen? b - rawmpilen : 0; + hvec[1].data = rawmpi; + hvec[1].off = 0; + hvec[1].len = rawmpilen; + GNUNET_assert (0 == + gcry_md_hash_buffers (GCRY_MD_SHA512, + 0 /* flags */, + digest, + hvec, 2)); + /* Compute the A value. */ + reverse_buffer (digest, 32); /* Only the first half of the hash. */ + digest[0] = (digest[0] & 0x7f) | 0x40; + digest[31] &= 0xf8; + + GNUNET_CRYPTO_mpi_scan_unsigned (&a, + digest, + 32); + return a; +} + + +/** + * @ingroup crypto + * Derive key material from a ECDH public key and a private EdDSA key. + * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. + * + * @param priv private key from EdDSA to use for the ECDH (x) + * @param pub public key to use for the ECDH (yG) + * @param key_material where to write the key material H(h(x)yG) + * @return #GNUNET_SYSERR on error, #GNUNET_OK on success + */ +int +GNUNET_CRYPTO_eddsa_ecdh (const struct GNUNET_CRYPTO_EddsaPrivateKey *priv, + const struct GNUNET_CRYPTO_EcdhePublicKey *pub, + struct GNUNET_HashCode *key_material) +{ + gcry_mpi_point_t result; + gcry_mpi_point_t q; + gcry_mpi_t d; + gcry_mpi_t a; + gcry_ctx_t ctx; + gcry_sexp_t pub_sexpr; + gcry_mpi_t result_x; + unsigned char xbuf[256 / 8]; + size_t rsize; + + /* first, extract the q = dP value from the public key */ + if (0 != gcry_sexp_build (&pub_sexpr, NULL, + "(public-key(ecc(curve " CURVE ")(q %b)))", + (int)sizeof (pub->q_y), pub->q_y)) + return GNUNET_SYSERR; + GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL)); + gcry_sexp_release (pub_sexpr); + q = gcry_mpi_ec_get_point ("q", ctx, 0); + + /* second, extract the d value from our private key */ + GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d)); + + /* NOW, because this is EdDSA, HASH 'd' first! */ + a = eddsa_d_to_a (d); + gcry_mpi_release (d); + + /* then call the 'multiply' function, to compute the product */ + result = gcry_mpi_point_new (0); + gcry_mpi_ec_mul (result, a, q, ctx); + gcry_mpi_point_release (q); + gcry_mpi_release (a); + + /* finally, convert point to string for hashing */ + result_x = gcry_mpi_new (256); + if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx)) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0); + gcry_mpi_point_release (result); + gcry_ctx_release (ctx); + return GNUNET_SYSERR; + } + gcry_mpi_point_release (result); + gcry_ctx_release (ctx); + + rsize = sizeof (xbuf); + GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE)); + /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned' + as that does not include the sign bit; x should be a 255-bit + value, so with the sign it should fit snugly into the 256-bit + xbuf */ + GNUNET_assert (0 == + gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize, + result_x)); + GNUNET_CRYPTO_hash (xbuf, + rsize, + key_material); + gcry_mpi_release (result_x); + return GNUNET_OK; +} + +/** + * @ingroup crypto + * Derive key material from a ECDH public key and a private ECDSA key. + * Dual to #GNUNET_CRRYPTO_ecdh_eddsa. + * + * @param priv private key from ECDSA to use for the ECDH (x) + * @param pub public key to use for the ECDH (yG) + * @param key_material where to write the key material H(h(x)yG) + * @return #GNUNET_SYSERR on error, #GNUNET_OK on success + */ +int +GNUNET_CRYPTO_ecdsa_ecdh (const struct GNUNET_CRYPTO_EcdsaPrivateKey *priv, + const struct GNUNET_CRYPTO_EcdhePublicKey *pub, + struct GNUNET_HashCode *key_material) +{ + gcry_mpi_point_t result; + gcry_mpi_point_t q; + gcry_mpi_t d; + gcry_ctx_t ctx; + gcry_sexp_t pub_sexpr; + gcry_mpi_t result_x; + unsigned char xbuf[256 / 8]; + size_t rsize; + + /* first, extract the q = dP value from the public key */ + if (0 != gcry_sexp_build (&pub_sexpr, NULL, + "(public-key(ecc(curve " CURVE ")(q %b)))", + (int)sizeof (pub->q_y), pub->q_y)) + return GNUNET_SYSERR; + GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL)); + gcry_sexp_release (pub_sexpr); + q = gcry_mpi_ec_get_point ("q", ctx, 0); + + /* second, extract the d value from our private key */ + GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d)); + + /* then call the 'multiply' function, to compute the product */ + result = gcry_mpi_point_new (0); + gcry_mpi_ec_mul (result, d, q, ctx); + gcry_mpi_point_release (q); + gcry_mpi_release (d); + + /* finally, convert point to string for hashing */ + result_x = gcry_mpi_new (256); + if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx)) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0); + gcry_mpi_point_release (result); + gcry_ctx_release (ctx); + return GNUNET_SYSERR; + } + gcry_mpi_point_release (result); + gcry_ctx_release (ctx); + + rsize = sizeof (xbuf); + GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE)); + /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned' + as that does not include the sign bit; x should be a 255-bit + value, so with the sign it should fit snugly into the 256-bit + xbuf */ + GNUNET_assert (0 == + gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize, + result_x)); + GNUNET_CRYPTO_hash (xbuf, + rsize, + key_material); + gcry_mpi_release (result_x); + return GNUNET_OK; +} + + + +/** + * @ingroup crypto + * Derive key material from a EdDSA public key and a private ECDH key. + * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. + * + * @param priv private key to use for the ECDH (y) + * @param pub public key from EdDSA to use for the ECDH (X=h(x)G) + * @param key_material where to write the key material H(yX)=H(h(x)yG) + * @return #GNUNET_SYSERR on error, #GNUNET_OK on success + */ +int +GNUNET_CRYPTO_ecdh_eddsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, + const struct GNUNET_CRYPTO_EddsaPublicKey *pub, + struct GNUNET_HashCode *key_material) +{ + gcry_mpi_point_t result; + gcry_mpi_point_t q; + gcry_mpi_t d; + gcry_ctx_t ctx; + gcry_sexp_t pub_sexpr; + gcry_mpi_t result_x; + unsigned char xbuf[256 / 8]; + size_t rsize; + + /* first, extract the q = dP value from the public key */ + if (0 != gcry_sexp_build (&pub_sexpr, NULL, + "(public-key(ecc(curve " CURVE ")(q %b)))", + (int)sizeof (pub->q_y), pub->q_y)) + return GNUNET_SYSERR; + GNUNET_assert (0 == gcry_mpi_ec_new (&ctx, pub_sexpr, NULL)); + gcry_sexp_release (pub_sexpr); + q = gcry_mpi_ec_get_point ("q", ctx, 0); + + /* second, extract the d value from our private key */ + GNUNET_CRYPTO_mpi_scan_unsigned (&d, priv->d, sizeof (priv->d)); + + /* then call the 'multiply' function, to compute the product */ + result = gcry_mpi_point_new (0); + gcry_mpi_ec_mul (result, d, q, ctx); + gcry_mpi_point_release (q); + gcry_mpi_release (d); + + /* finally, convert point to string for hashing */ + result_x = gcry_mpi_new (256); + if (gcry_mpi_ec_get_affine (result_x, NULL, result, ctx)) + { + LOG_GCRY (GNUNET_ERROR_TYPE_ERROR, "get_affine failed", 0); + gcry_mpi_point_release (result); + gcry_ctx_release (ctx); + return GNUNET_SYSERR; + } + gcry_mpi_point_release (result); gcry_ctx_release (ctx); + + rsize = sizeof (xbuf); + GNUNET_assert (! gcry_mpi_get_flag (result_x, GCRYMPI_FLAG_OPAQUE)); + /* result_x can be negative here, so we do not use 'GNUNET_CRYPTO_mpi_print_unsigned' + as that does not include the sign bit; x should be a 255-bit + value, so with the sign it should fit snugly into the 256-bit + xbuf */ + GNUNET_assert (0 == + gcry_mpi_print (GCRYMPI_FMT_STD, xbuf, rsize, &rsize, + result_x)); + GNUNET_CRYPTO_hash (xbuf, + rsize, + key_material); + gcry_mpi_release (result_x); + return GNUNET_OK; } +/** + * @ingroup crypto + * Derive key material from a ECDSA public key and a private ECDH key. + * Dual to #GNUNET_CRRYPTO_eddsa_ecdh. + * + * @param priv private key to use for the ECDH (y) + * @param pub public key from ECDSA to use for the ECDH (X=h(x)G) + * @param key_material where to write the key material H(yX)=H(h(x)yG) + * @return #GNUNET_SYSERR on error, #GNUNET_OK on success + */ +int +GNUNET_CRYPTO_ecdh_ecdsa (const struct GNUNET_CRYPTO_EcdhePrivateKey *priv, + const struct GNUNET_CRYPTO_EcdsaPublicKey *pub, + struct GNUNET_HashCode *key_material) +{ + return GNUNET_CRYPTO_ecdh_eddsa (priv, + (const struct GNUNET_CRYPTO_EddsaPublicKey *)pub, + key_material); +} /* end of crypto_ecc.c */