mirror of
https://github.com/irungentoo/toxcore.git
synced 2024-03-22 13:30:51 +08:00
296 lines
9.0 KiB
C
296 lines
9.0 KiB
C
/* net_crypto.c
|
|
*
|
|
* Functions for the core crypto.
|
|
*
|
|
* NOTE: This code has to be perfect. We don't mess around with encryption.
|
|
*
|
|
* Copyright (C) 2013 Tox project All Rights Reserved.
|
|
*
|
|
* This file is part of Tox.
|
|
*
|
|
* Tox is free software: you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License as published by
|
|
* the Free Software Foundation, either version 3 of the License, or
|
|
* (at your option) any later version.
|
|
*
|
|
* Tox is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with Tox. If not, see <http://www.gnu.org/licenses/>.
|
|
*
|
|
*/
|
|
|
|
#ifdef HAVE_CONFIG_H
|
|
#include "config.h"
|
|
#endif
|
|
|
|
#include "crypto_core.h"
|
|
|
|
#include "network.h"
|
|
|
|
#include <string.h>
|
|
|
|
#ifndef VANILLA_NACL
|
|
/* We use libsodium by default. */
|
|
#include <sodium.h>
|
|
#else
|
|
#include <crypto_box.h>
|
|
#include <crypto_hash_sha256.h>
|
|
#include <crypto_hash_sha512.h>
|
|
#include <crypto_scalarmult_curve25519.h>
|
|
#include <crypto_verify_16.h>
|
|
#include <crypto_verify_32.h>
|
|
#include <randombytes.h>
|
|
#define crypto_box_MACBYTES (crypto_box_ZEROBYTES - crypto_box_BOXZEROBYTES)
|
|
#endif
|
|
|
|
#if CRYPTO_PUBLIC_KEY_SIZE != crypto_box_PUBLICKEYBYTES
|
|
#error CRYPTO_PUBLIC_KEY_SIZE should be equal to crypto_box_PUBLICKEYBYTES
|
|
#endif
|
|
|
|
#if CRYPTO_SECRET_KEY_SIZE != crypto_box_SECRETKEYBYTES
|
|
#error CRYPTO_SECRET_KEY_SIZE should be equal to crypto_box_SECRETKEYBYTES
|
|
#endif
|
|
|
|
#if CRYPTO_SHARED_KEY_SIZE != crypto_box_BEFORENMBYTES
|
|
#error CRYPTO_SHARED_KEY_SIZE should be equal to crypto_box_BEFORENMBYTES
|
|
#endif
|
|
|
|
#if CRYPTO_SYMMETRIC_KEY_SIZE != crypto_box_BEFORENMBYTES
|
|
#error CRYPTO_SYMMETRIC_KEY_SIZE should be equal to crypto_box_BEFORENMBYTES
|
|
#endif
|
|
|
|
#if CRYPTO_MAC_SIZE != crypto_box_MACBYTES
|
|
#error CRYPTO_MAC_SIZE should be equal to crypto_box_MACBYTES
|
|
#endif
|
|
|
|
#if CRYPTO_NONCE_SIZE != crypto_box_NONCEBYTES
|
|
#error CRYPTO_NONCE_SIZE should be equal to crypto_box_NONCEBYTES
|
|
#endif
|
|
|
|
#if CRYPTO_SHA256_SIZE != crypto_hash_sha256_BYTES
|
|
#error CRYPTO_SHA256_SIZE should be equal to crypto_hash_sha256_BYTES
|
|
#endif
|
|
|
|
#if CRYPTO_SHA512_SIZE != crypto_hash_sha512_BYTES
|
|
#error CRYPTO_SHA512_SIZE should be equal to crypto_hash_sha512_BYTES
|
|
#endif
|
|
|
|
int32_t public_key_cmp(const uint8_t *pk1, const uint8_t *pk2)
|
|
{
|
|
#if CRYPTO_PUBLIC_KEY_SIZE != 32
|
|
#error CRYPTO_PUBLIC_KEY_SIZE is required to be 32 bytes for public_key_cmp to work,
|
|
#endif
|
|
return crypto_verify_32(pk1, pk2);
|
|
}
|
|
|
|
uint32_t random_int(void)
|
|
{
|
|
uint32_t randnum;
|
|
randombytes((uint8_t *)&randnum , sizeof(randnum));
|
|
return randnum;
|
|
}
|
|
|
|
uint64_t random_64b(void)
|
|
{
|
|
uint64_t randnum;
|
|
randombytes((uint8_t *)&randnum, sizeof(randnum));
|
|
return randnum;
|
|
}
|
|
|
|
bool public_key_valid(const uint8_t *public_key)
|
|
{
|
|
if (public_key[31] >= 128) { /* Last bit of key is always zero. */
|
|
return 0;
|
|
}
|
|
|
|
return 1;
|
|
}
|
|
|
|
/* Precomputes the shared key from their public_key and our secret_key.
|
|
* This way we can avoid an expensive elliptic curve scalar multiply for each
|
|
* encrypt/decrypt operation.
|
|
* shared_key has to be crypto_box_BEFORENMBYTES bytes long.
|
|
*/
|
|
int32_t encrypt_precompute(const uint8_t *public_key, const uint8_t *secret_key, uint8_t *shared_key)
|
|
{
|
|
return crypto_box_beforenm(shared_key, public_key, secret_key);
|
|
}
|
|
|
|
int32_t encrypt_data_symmetric(const uint8_t *secret_key, const uint8_t *nonce, const uint8_t *plain, size_t length,
|
|
uint8_t *encrypted)
|
|
{
|
|
if (length == 0 || !secret_key || !nonce || !plain || !encrypted) {
|
|
return -1;
|
|
}
|
|
|
|
uint8_t temp_plain[length + crypto_box_ZEROBYTES];
|
|
uint8_t temp_encrypted[length + crypto_box_MACBYTES + crypto_box_BOXZEROBYTES];
|
|
|
|
memset(temp_plain, 0, crypto_box_ZEROBYTES);
|
|
memcpy(temp_plain + crypto_box_ZEROBYTES, plain, length); // Pad the message with 32 0 bytes.
|
|
|
|
if (crypto_box_afternm(temp_encrypted, temp_plain, length + crypto_box_ZEROBYTES, nonce, secret_key) != 0) {
|
|
return -1;
|
|
}
|
|
|
|
/* Unpad the encrypted message. */
|
|
memcpy(encrypted, temp_encrypted + crypto_box_BOXZEROBYTES, length + crypto_box_MACBYTES);
|
|
return length + crypto_box_MACBYTES;
|
|
}
|
|
|
|
int32_t decrypt_data_symmetric(const uint8_t *secret_key, const uint8_t *nonce, const uint8_t *encrypted, size_t length,
|
|
uint8_t *plain)
|
|
{
|
|
if (length <= crypto_box_BOXZEROBYTES || !secret_key || !nonce || !encrypted || !plain) {
|
|
return -1;
|
|
}
|
|
|
|
uint8_t temp_plain[length + crypto_box_ZEROBYTES];
|
|
uint8_t temp_encrypted[length + crypto_box_BOXZEROBYTES];
|
|
|
|
memset(temp_encrypted, 0, crypto_box_BOXZEROBYTES);
|
|
memcpy(temp_encrypted + crypto_box_BOXZEROBYTES, encrypted, length); // Pad the message with 16 0 bytes.
|
|
|
|
if (crypto_box_open_afternm(temp_plain, temp_encrypted, length + crypto_box_BOXZEROBYTES, nonce, secret_key) != 0) {
|
|
return -1;
|
|
}
|
|
|
|
memcpy(plain, temp_plain + crypto_box_ZEROBYTES, length - crypto_box_MACBYTES);
|
|
return length - crypto_box_MACBYTES;
|
|
}
|
|
|
|
int32_t encrypt_data(const uint8_t *public_key, const uint8_t *secret_key, const uint8_t *nonce,
|
|
const uint8_t *plain, size_t length, uint8_t *encrypted)
|
|
{
|
|
if (!public_key || !secret_key) {
|
|
return -1;
|
|
}
|
|
|
|
uint8_t k[crypto_box_BEFORENMBYTES];
|
|
encrypt_precompute(public_key, secret_key, k);
|
|
int ret = encrypt_data_symmetric(k, nonce, plain, length, encrypted);
|
|
crypto_memzero(k, sizeof k);
|
|
return ret;
|
|
}
|
|
|
|
int32_t decrypt_data(const uint8_t *public_key, const uint8_t *secret_key, const uint8_t *nonce,
|
|
const uint8_t *encrypted, size_t length, uint8_t *plain)
|
|
{
|
|
if (!public_key || !secret_key) {
|
|
return -1;
|
|
}
|
|
|
|
uint8_t k[crypto_box_BEFORENMBYTES];
|
|
encrypt_precompute(public_key, secret_key, k);
|
|
int ret = decrypt_data_symmetric(k, nonce, encrypted, length, plain);
|
|
crypto_memzero(k, sizeof k);
|
|
return ret;
|
|
}
|
|
|
|
|
|
/* Increment the given nonce by 1. */
|
|
void increment_nonce(uint8_t *nonce)
|
|
{
|
|
/* TODO(irungentoo): use increment_nonce_number(nonce, 1) or sodium_increment (change to little endian)
|
|
* NOTE don't use breaks inside this loop
|
|
* In particular, make sure, as far as possible,
|
|
* that loop bounds and their potential underflow or overflow
|
|
* are independent of user-controlled input (you may have heard of the Heartbleed bug).
|
|
*/
|
|
uint32_t i = crypto_box_NONCEBYTES;
|
|
uint_fast16_t carry = 1U;
|
|
|
|
for (; i != 0; --i) {
|
|
carry += (uint_fast16_t) nonce[i - 1];
|
|
nonce[i - 1] = (uint8_t) carry;
|
|
carry >>= 8;
|
|
}
|
|
}
|
|
/* increment the given nonce by num */
|
|
void increment_nonce_number(uint8_t *nonce, uint32_t host_order_num)
|
|
{
|
|
/* NOTE don't use breaks inside this loop
|
|
* In particular, make sure, as far as possible,
|
|
* that loop bounds and their potential underflow or overflow
|
|
* are independent of user-controlled input (you may have heard of the Heartbleed bug).
|
|
*/
|
|
const uint32_t big_endian_num = htonl(host_order_num);
|
|
const uint8_t *const num_vec = (const uint8_t *) &big_endian_num;
|
|
uint8_t num_as_nonce[crypto_box_NONCEBYTES] = {0};
|
|
num_as_nonce[crypto_box_NONCEBYTES - 4] = num_vec[0];
|
|
num_as_nonce[crypto_box_NONCEBYTES - 3] = num_vec[1];
|
|
num_as_nonce[crypto_box_NONCEBYTES - 2] = num_vec[2];
|
|
num_as_nonce[crypto_box_NONCEBYTES - 1] = num_vec[3];
|
|
|
|
uint32_t i = crypto_box_NONCEBYTES;
|
|
uint_fast16_t carry = 0U;
|
|
|
|
for (; i != 0; --i) {
|
|
carry += (uint_fast16_t) nonce[i - 1] + (uint_fast16_t) num_as_nonce[i - 1];
|
|
nonce[i - 1] = (unsigned char) carry;
|
|
carry >>= 8;
|
|
}
|
|
}
|
|
|
|
/* Fill the given nonce with random bytes. */
|
|
void random_nonce(uint8_t *nonce)
|
|
{
|
|
randombytes(nonce, crypto_box_NONCEBYTES);
|
|
}
|
|
|
|
/* Fill a key CRYPTO_SYMMETRIC_KEY_SIZE big with random bytes */
|
|
void new_symmetric_key(uint8_t *key)
|
|
{
|
|
randombytes(key, CRYPTO_SYMMETRIC_KEY_SIZE);
|
|
}
|
|
|
|
int32_t crypto_new_keypair(uint8_t *public_key, uint8_t *secret_key)
|
|
{
|
|
return crypto_box_keypair(public_key, secret_key);
|
|
}
|
|
|
|
void crypto_derive_public_key(uint8_t *public_key, const uint8_t *secret_key)
|
|
{
|
|
crypto_scalarmult_curve25519_base(public_key, secret_key);
|
|
}
|
|
|
|
void crypto_sha256(uint8_t *hash, const uint8_t *data, size_t length)
|
|
{
|
|
crypto_hash_sha256(hash, data, length);
|
|
}
|
|
|
|
void crypto_sha512(uint8_t *hash, const uint8_t *data, size_t length)
|
|
{
|
|
crypto_hash_sha512(hash, data, length);
|
|
}
|
|
|
|
void crypto_memzero(void *data, size_t length)
|
|
{
|
|
#ifdef VANILLA_NACL
|
|
/* TODO(c-toxcore#347): this is insecure. We need to provide our own
|
|
* secure memzero/memcmp for NaCL. */
|
|
memset(data, 0, length);
|
|
#else
|
|
sodium_memzero(data, length);
|
|
#endif
|
|
}
|
|
|
|
int32_t crypto_memcmp(const void *p1, const void *p2, size_t length)
|
|
{
|
|
#ifdef VANILLA_NACL
|
|
/* TODO(c-toxcore#347): Implement secure memcmp. */
|
|
return memcmp(p1, p2, length);
|
|
#else
|
|
return sodium_memcmp(p1, p2, length);
|
|
#endif
|
|
}
|
|
|
|
void random_bytes(uint8_t *data, size_t length)
|
|
{
|
|
randombytes(data, length);
|
|
}
|