crypto_curve25519.c 6.53 KB
Newer Older
1
/* Copyright (c) 2012-2013, The Tor Project, Inc. */
2
3
4
5
6
7
/* See LICENSE for licensing information */

/* Wrapper code for a curve25519 implementation. */

#define CRYPTO_CURVE25519_PRIVATE
#include "orconfig.h"
8
9
10
#ifdef HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif
11
12
13
#include "crypto.h"
#include "crypto_curve25519.h"
#include "util.h"
14
#include "torlog.h"
15
16
17
18
19
20
21
22
23
24

/* ==============================
   Part 1: wrap a suitable curve25519 implementation as curve25519_impl
   ============================== */

#ifdef USE_CURVE25519_DONNA
int curve25519_donna(uint8_t *mypublic,
                     const uint8_t *secret, const uint8_t *basepoint);
#endif
#ifdef USE_CURVE25519_NACL
25
#ifdef HAVE_CRYPTO_SCALARMULT_CURVE25519_H
26
#include <crypto_scalarmult_curve25519.h>
27
28
29
#elif defined(HAVE_NACL_CRYPTO_SCALARMULT_CURVE25519_H)
#include <nacl/crypto_scalarmult_curve25519.h>
#endif
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
#endif

int
curve25519_impl(uint8_t *output, const uint8_t *secret,
                const uint8_t *basepoint)
{
#ifdef USE_CURVE25519_DONNA
  return curve25519_donna(output, secret, basepoint);
#elif defined(USE_CURVE25519_NACL)
  return crypto_scalarmult_curve25519(output, secret, basepoint);
#else
#error "No implementation of curve25519 is available."
#endif
}

/* ==============================
   Part 2: Wrap curve25519_impl with some convenience types and functions.
   ============================== */

/**
 * Return true iff a curve25519_public_key_t seems valid. (It's not necessary
 * to see if the point is on the curve, since the twist is also secure, but we
 * do need to make sure that it isn't the point at infinity.) */
int
curve25519_public_key_is_ok(const curve25519_public_key_t *key)
{
56
  return !safe_mem_is_zero(key->public_key, CURVE25519_PUBKEY_LEN);
57
58
59
60
}

/** Generate a new keypair and return the secret key.  If <b>extra_strong</b>
 * is true, this key is possibly going to get used more than once, so
61
62
 * use a better-than-usual RNG. Return 0 on success, -1 on failure. */
int
63
64
65
curve25519_secret_key_generate(curve25519_secret_key_t *key_out,
                               int extra_strong)
{
66
  uint8_t k_tmp[CURVE25519_SECKEY_LEN];
67

68
69
  if (crypto_rand((char*)key_out->secret_key, CURVE25519_SECKEY_LEN) < 0)
    return -1;
70
71
72
73
74
75
76
77
78
  if (extra_strong && !crypto_strongest_rand(k_tmp, CURVE25519_SECKEY_LEN)) {
    /* If they asked for extra-strong entropy and we have some, use it as an
     * HMAC key to improve not-so-good entopy rather than using it directly,
     * just in case the extra-strong entropy is less amazing than we hoped. */
    crypto_hmac_sha256((char *)key_out->secret_key,
                    (const char *)k_tmp, sizeof(k_tmp),
                    (const char *)key_out->secret_key, CURVE25519_SECKEY_LEN);
  }
  memwipe(k_tmp, 0, sizeof(k_tmp));
79
80
81
  key_out->secret_key[0] &= 248;
  key_out->secret_key[31] &= 127;
  key_out->secret_key[31] |= 64;
82
83

  return 0;
84
85
86
87
88
89
90
91
92
93
94
}

void
curve25519_public_key_generate(curve25519_public_key_t *key_out,
                               const curve25519_secret_key_t *seckey)
{
  static const uint8_t basepoint[32] = {9};

  curve25519_impl(key_out->public_key, seckey->secret_key, basepoint);
}

95
int
96
97
98
curve25519_keypair_generate(curve25519_keypair_t *keypair_out,
                            int extra_strong)
{
99
100
  if (curve25519_secret_key_generate(&keypair_out->seckey, extra_strong) < 0)
    return -1;
101
  curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey);
102
  return 0;
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
}

int
curve25519_keypair_write_to_file(const curve25519_keypair_t *keypair,
                                 const char *fname,
                                 const char *tag)
{
  char contents[32 + CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN];
  int r;

  memset(contents, 0, sizeof(contents));
  tor_snprintf(contents, sizeof(contents), "== c25519v1: %s ==", tag);
  tor_assert(strlen(contents) <= 32);
  memcpy(contents+32, keypair->seckey.secret_key, CURVE25519_SECKEY_LEN);
  memcpy(contents+32+CURVE25519_SECKEY_LEN,
         keypair->pubkey.public_key, CURVE25519_PUBKEY_LEN);

  r = write_bytes_to_file(fname, contents, sizeof(contents), 1);

  memwipe(contents, 0, sizeof(contents));
  return r;
}

int
curve25519_keypair_read_from_file(curve25519_keypair_t *keypair_out,
                                  char **tag_out,
                                  const char *fname)
{
  char prefix[33];
  char *content;
  struct stat st;
  int r = -1;

  *tag_out = NULL;

  st.st_size = 0;
  content = read_file_to_str(fname, RFTS_BIN|RFTS_IGNORE_MISSING, &st);
  if (! content)
    goto end;
  if (st.st_size != 32 + CURVE25519_SECKEY_LEN + CURVE25519_PUBKEY_LEN)
    goto end;

  memcpy(prefix, content, 32);
  prefix[32] = '\0';
  if (strcmpstart(prefix, "== c25519v1: ") ||
      strcmpend(prefix, " =="))
    goto end;

  *tag_out = tor_strndup(prefix+strlen("== c25519v1: "),
                         strlen(prefix) - strlen("== c25519v1:  =="));

  memcpy(keypair_out->seckey.secret_key, content+32, CURVE25519_SECKEY_LEN);
  curve25519_public_key_generate(&keypair_out->pubkey, &keypair_out->seckey);
  if (tor_memneq(keypair_out->pubkey.public_key,
                 content + 32 + CURVE25519_SECKEY_LEN,
                 CURVE25519_PUBKEY_LEN))
    goto end;

  r = 0;

 end:
  if (content) {
    memwipe(content, 0, st.st_size);
    tor_free(content);
  }
  if (r != 0) {
    memset(keypair_out, 0, sizeof(*keypair_out));
    tor_free(*tag_out);
  }
  return r;
}

175
176
177
178
179
180
181
182
183
184
/** Perform the curve25519 ECDH handshake with <b>skey</b> and <b>pkey</b>,
 * writing CURVE25519_OUTPUT_LEN bytes of output into <b>output</b>. */
void
curve25519_handshake(uint8_t *output,
                     const curve25519_secret_key_t *skey,
                     const curve25519_public_key_t *pkey)
{
  curve25519_impl(output, skey->secret_key, pkey->public_key);
}

185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
int
curve25519_public_to_base64(char *output,
                            const curve25519_public_key_t *pkey)
{
  char buf[128];
  base64_encode(buf, sizeof(buf),
                (const char*)pkey->public_key, CURVE25519_PUBKEY_LEN);
  buf[CURVE25519_BASE64_PADDED_LEN] = '\0';
  memcpy(output, buf, CURVE25519_BASE64_PADDED_LEN+1);
  return 0;
}

int
curve25519_public_from_base64(curve25519_public_key_t *pkey,
                              const char *input)
{
  size_t len = strlen(input);
  if (len == CURVE25519_BASE64_PADDED_LEN - 1) {
    /* not padded */
    return digest256_from_base64((char*)pkey->public_key, input);
  } else if (len == CURVE25519_BASE64_PADDED_LEN) {
    char buf[128];
    if (base64_decode(buf, sizeof(buf), input, len) != CURVE25519_PUBKEY_LEN)
      return -1;
    memcpy(pkey->public_key, buf, CURVE25519_PUBKEY_LEN);
    return 0;
  } else {
    return -1;
  }
}
Roger Dingledine's avatar
Roger Dingledine committed
215