StarMirror
/
toxcore
mirror of https://github.com/irungentoo/toxcore
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
toxcore/toxcore/crypto_core.c

284 lines
10 KiB
C
Raw Blame History

/* net_crypto.c
*
* Functions for the core crypto.
*
* NOTE: This code has to be perfect. We don't mess around with encryption.
*
* Copyright (C) 2013 Tox project All Rights Reserved.
*
* This file is part of Tox.
*
* Tox is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Tox is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Tox. If not, see <http://www.gnu.org/licenses/>.
*
*/
#ifdef HAVE_CONFIG_H
#include "config.h"
#endif
#include "crypto_core.h"
#if crypto_box_PUBLICKEYBYTES != 32
#error crypto_box_PUBLICKEYBYTES is required to be 32 bytes for public_key_cmp to work,
#endif
/* compare 2 public keys of length crypto_box_PUBLICKEYBYTES, not vulnerable to timing attacks.
returns 0 if both mem locations of length are equal,
return -1 if they are not. */
int public_key_cmp(const uint8_t *pk1, const uint8_t *pk2)
{
return crypto_verify_32(pk1, pk2);
}
/* return a random number.
*/
uint32_t random_int(void)
{
uint32_t randnum;
randombytes((uint8_t *)&randnum , sizeof(randnum));
return randnum;
}
uint64_t random_64b(void)
{
uint64_t randnum;
randombytes((uint8_t *)&randnum, sizeof(randnum));
return randnum;
}
/* Check if a Tox public key crypto_box_PUBLICKEYBYTES is valid or not.
* This should only be used for input validation.
*
* return 0 if it isn't.
* return 1 if it is.
*/
int public_key_valid(const uint8_t *public_key)
{
if (public_key[31] >= 128) /* Last bit of key is always zero. */
return 0;
return 1;
}
/* Precomputes the shared key from their public_key and our secret_key.
* This way we can avoid an expensive elliptic curve scalar multiply for each
* encrypt/decrypt operation.
* enc_key has to be crypto_box_BEFORENMBYTES bytes long.
*/
void encrypt_precompute(const uint8_t *public_key, const uint8_t *secret_key, uint8_t *enc_key)
{
crypto_box_beforenm(enc_key, public_key, secret_key);
}
int encrypt_data_symmetric(const uint8_t *secret_key, const uint8_t *nonce, const uint8_t *plain, uint32_t length,
uint8_t *encrypted)
{
if (length == 0 || !secret_key || !nonce || !plain || !encrypted)
return -1;
uint8_t temp_plain[length + crypto_box_ZEROBYTES];
uint8_t temp_encrypted[length + crypto_box_MACBYTES + crypto_box_BOXZEROBYTES];
memset(temp_plain, 0, crypto_box_ZEROBYTES);
memcpy(temp_plain + crypto_box_ZEROBYTES, plain, length); // Pad the message with 32 0 bytes.
if (crypto_box_afternm(temp_encrypted, temp_plain, length + crypto_box_ZEROBYTES, nonce, secret_key) != 0)
return -1;
/* Unpad the encrypted message. */
memcpy(encrypted, temp_encrypted + crypto_box_BOXZEROBYTES, length + crypto_box_MACBYTES);
return length + crypto_box_MACBYTES;
}
int decrypt_data_symmetric(const uint8_t *secret_key, const uint8_t *nonce, const uint8_t *encrypted, uint32_t length,
uint8_t *plain)
{
if (length <= crypto_box_BOXZEROBYTES || !secret_key || !nonce || !encrypted || !plain)
return -1;
uint8_t temp_plain[length + crypto_box_ZEROBYTES];
uint8_t temp_encrypted[length + crypto_box_BOXZEROBYTES];
memset(temp_encrypted, 0, crypto_box_BOXZEROBYTES);
memcpy(temp_encrypted + crypto_box_BOXZEROBYTES, encrypted, length); // Pad the message with 16 0 bytes.
if (crypto_box_open_afternm(temp_plain, temp_encrypted, length + crypto_box_BOXZEROBYTES, nonce, secret_key) != 0)
return -1;
memcpy(plain, temp_plain + crypto_box_ZEROBYTES, length - crypto_box_MACBYTES);
return length - crypto_box_MACBYTES;
}
int encrypt_data(const uint8_t *public_key, const uint8_t *secret_key, const uint8_t *nonce,
const uint8_t *plain, uint32_t length, uint8_t *encrypted)
{
if (!public_key || !secret_key)
return -1;
uint8_t k[crypto_box_BEFORENMBYTES];
encrypt_precompute(public_key, secret_key, k);
int ret = encrypt_data_symmetric(k, nonce, plain, length, encrypted);
sodium_memzero(k, sizeof k);
return ret;
}
int decrypt_data(const uint8_t *public_key, const uint8_t *secret_key, const uint8_t *nonce,
const uint8_t *encrypted, uint32_t length, uint8_t *plain)
{
if (!public_key || !secret_key)
return -1;
uint8_t k[crypto_box_BEFORENMBYTES];
encrypt_precompute(public_key, secret_key, k);
int ret = decrypt_data_symmetric(k, nonce, encrypted, length, plain);
sodium_memzero(k, sizeof k);
return ret;
}
/* Increment the given nonce by 1. */
void increment_nonce(uint8_t *nonce)
{
/* FIXME use increment_nonce_number(nonce, 1) or sodium_increment (change to little endian)
* NOTE don't use breaks inside this loop
* In particular, make sure, as far as possible,
* that loop bounds and their potential underflow or overflow
* are independent of user-controlled input (you may have heard of the Heartbleed bug).
*/
uint32_t i = crypto_box_NONCEBYTES;
uint_fast16_t carry = 1U;
for (; i != 0; --i) {
carry += (uint_fast16_t) nonce[i - 1];
nonce[i - 1] = (uint8_t) carry;
carry >>= 8;
}
}
/* increment the given nonce by num */
void increment_nonce_number(uint8_t *nonce, uint32_t host_order_num)
{
/* NOTE don't use breaks inside this loop
* In particular, make sure, as far as possible,
* that loop bounds and their potential underflow or overflow
* are independent of user-controlled input (you may have heard of the Heartbleed bug).
*/
const uint32_t big_endian_num = htonl(host_order_num);
const uint8_t *const num_vec = (const uint8_t *) &big_endian_num;
uint8_t num_as_nonce[crypto_box_NONCEBYTES] = {0};
num_as_nonce[crypto_box_NONCEBYTES - 4] = num_vec[0];
num_as_nonce[crypto_box_NONCEBYTES - 3] = num_vec[1];
num_as_nonce[crypto_box_NONCEBYTES - 2] = num_vec[2];
num_as_nonce[crypto_box_NONCEBYTES - 1] = num_vec[3];
uint32_t i = crypto_box_NONCEBYTES;
uint_fast16_t carry = 0U;
for (; i != 0; --i) {
carry += (uint_fast16_t) nonce[i - 1] + (uint_fast16_t) num_as_nonce[i - 1];
nonce[i - 1] = (unsigned char) carry;
carry >>= 8;
}
}
/* Fill the given nonce with random bytes. */
void random_nonce(uint8_t *nonce)
{
randombytes(nonce, crypto_box_NONCEBYTES);
}
/* Fill a key crypto_box_KEYBYTES big with random bytes */
void new_symmetric_key(uint8_t *key)
{
randombytes(key, crypto_box_KEYBYTES);
}
/* Gives a nonce guaranteed to be different from previous ones.*/
void new_nonce(uint8_t *nonce)
{
random_nonce(nonce);
}
/* Create a request to peer.
* send_public_key and send_secret_key are the pub/secret keys of the sender.
* recv_public_key is public key of receiver.
* packet must be an array of MAX_CRYPTO_REQUEST_SIZE big.
* Data represents the data we send with the request with length being the length of the data.
* request_id is the id of the request (32 = friend request, 254 = ping request).
*
* return -1 on failure.
* return the length of the created packet on success.
*/
int create_request(const uint8_t *send_public_key, const uint8_t *send_secret_key, uint8_t *packet,
const uint8_t *recv_public_key, const uint8_t *data, uint32_t length, uint8_t request_id)
{
if (!send_public_key || !packet || !recv_public_key || !data)
return -1;
if (MAX_CRYPTO_REQUEST_SIZE < length + 1 + crypto_box_PUBLICKEYBYTES * 2 + crypto_box_NONCEBYTES + 1 +
crypto_box_MACBYTES)
return -1;
uint8_t *nonce = packet + 1 + crypto_box_PUBLICKEYBYTES * 2;
new_nonce(nonce);
uint8_t temp[MAX_CRYPTO_REQUEST_SIZE]; // FIXME sodium_memzero before exit function
memcpy(temp + 1, data, length);
temp[0] = request_id;
int len = encrypt_data(recv_public_key, send_secret_key, nonce, temp, length + 1,
1 + crypto_box_PUBLICKEYBYTES * 2 + crypto_box_NONCEBYTES + packet);
if (len == -1)
return -1;
packet[0] = NET_PACKET_CRYPTO;
memcpy(packet + 1, recv_public_key, crypto_box_PUBLICKEYBYTES);
memcpy(packet + 1 + crypto_box_PUBLICKEYBYTES, send_public_key, crypto_box_PUBLICKEYBYTES);
return len + 1 + crypto_box_PUBLICKEYBYTES * 2 + crypto_box_NONCEBYTES;
}
/* Puts the senders public key in the request in public_key, the data from the request
* in data if a friend or ping request was sent to us and returns the length of the data.
* packet is the request packet and length is its length.
*
* return -1 if not valid request.
*/
int handle_request(const uint8_t *self_public_key, const uint8_t *self_secret_key, uint8_t *public_key, uint8_t *data,
uint8_t *request_id, const uint8_t *packet, uint16_t length)
{
if (!self_public_key || !public_key || !data || !request_id || !packet)
return -1;
if (length <= crypto_box_PUBLICKEYBYTES * 2 + crypto_box_NONCEBYTES + 1 + crypto_box_MACBYTES ||
length > MAX_CRYPTO_REQUEST_SIZE)
return -1;
if (public_key_cmp(packet + 1, self_public_key) != 0)
return -1;
memcpy(public_key, packet + 1 + crypto_box_PUBLICKEYBYTES, crypto_box_PUBLICKEYBYTES);
const uint8_t *nonce = packet + 1 + crypto_box_PUBLICKEYBYTES * 2;
uint8_t temp[MAX_CRYPTO_REQUEST_SIZE]; // FIXME sodium_memzero before exit function
int len1 = decrypt_data(public_key, self_secret_key, nonce,
packet + 1 + crypto_box_PUBLICKEYBYTES * 2 + crypto_box_NONCEBYTES,
length - (crypto_box_PUBLICKEYBYTES * 2 + crypto_box_NONCEBYTES + 1), temp);
if (len1 == -1 || len1 == 0)
return -1;
request_id[0] = temp[0];
--len1;
memcpy(data, temp + 1, len1);
return len1;
}
Reference in New Issue View Git Blame Copy Permalink