ZeroTierOne/node/C25519.hpp

125 lines
4.2 KiB
C++
Raw Normal View History

/*
2019-08-23 16:23:39 +00:00
* Copyright (c)2019 ZeroTier, Inc.
*
2019-08-23 16:23:39 +00:00
* Use of this software is governed by the Business Source License included
* in the LICENSE.TXT file in the project's root directory.
*
2019-08-23 16:23:39 +00:00
* Change Date: 2023-01-01
*
2019-08-23 16:23:39 +00:00
* On the date above, in accordance with the Business Source License, use
* of this software will be governed by version 2.0 of the Apache License.
*/
2019-08-23 16:23:39 +00:00
/****/
#ifndef ZT_C25519_HPP
#define ZT_C25519_HPP
#include "Utils.hpp"
namespace ZeroTier {
2013-09-13 21:32:00 +00:00
#define ZT_C25519_PUBLIC_KEY_LEN 64
#define ZT_C25519_PRIVATE_KEY_LEN 64
#define ZT_C25519_SIGNATURE_LEN 96
2019-08-20 20:32:23 +00:00
#define ZT_C25519_SHARED_KEY_LEN 32
2013-09-13 21:32:00 +00:00
/**
* A combined Curve25519 ECDH and Ed25519 signature engine
*/
class C25519
{
public:
/**
* Generate a C25519 elliptic curve key pair
*/
2019-08-20 20:32:23 +00:00
static inline void generate(uint8_t pub[ZT_C25519_PUBLIC_KEY_LEN],uint8_t priv[ZT_C25519_PRIVATE_KEY_LEN])
{
2019-08-20 20:32:23 +00:00
Utils::getSecureRandom(priv,ZT_C25519_PRIVATE_KEY_LEN);
_calcPubDH(pub,priv);
_calcPubED(pub,priv);
}
/**
* Generate a key pair satisfying a condition
*
* This begins with a random keypair from a random secret key and then
* iteratively increments the random secret until cond(kp) returns true.
* This is used to compute key pairs in which the public key, its hash
* or some other aspect of it satisfies some condition, such as for a
* hashcash criteria.
*
* @param cond Condition function or function object
* @return Key pair where cond(kp) returns true
* @tparam F Type of 'cond'
*/
template<typename F>
2019-08-20 20:32:23 +00:00
static inline void generateSatisfying(F cond,uint8_t pub[ZT_C25519_PUBLIC_KEY_LEN],uint8_t priv[ZT_C25519_PRIVATE_KEY_LEN])
{
2018-01-27 01:00:37 +00:00
Utils::getSecureRandom(priv,ZT_C25519_PRIVATE_KEY_LEN);
2019-08-20 20:32:23 +00:00
_calcPubED(pub,priv); // do Ed25519 key -- bytes 32-63 of pub and priv
do {
++(((uint64_t *)priv)[1]);
--(((uint64_t *)priv)[2]);
2019-08-20 20:32:23 +00:00
_calcPubDH(pub,priv); // keep regenerating bytes 0-31 until satisfied
} while (!cond(pub));
}
/**
* Perform C25519 ECC key agreement
*
* Actual key bytes are generated from one or more SHA-512 digests of
* the raw result of key agreement.
*
* @param mine My private key
* @param their Their public key
2019-08-20 20:32:23 +00:00
* @param rawkey Buffer to receive raw (not hashed) agreed upon key
*/
2019-08-20 20:32:23 +00:00
static void agree(const uint8_t mine[ZT_C25519_PRIVATE_KEY_LEN],const uint8_t their[ZT_C25519_PUBLIC_KEY_LEN],uint8_t rawkey[32]);
2013-09-13 21:32:00 +00:00
2013-09-13 23:18:01 +00:00
/**
* Sign a message with a sender's key pair
*
* This takes the SHA-521 of msg[] and then signs the first 32 bytes of this
* digest, returning it and the 64-byte ed25519 signature in signature[].
* This results in a signature that verifies both the signer's authenticity
* and the integrity of the message.
*
* This is based on the original ed25519 code from NaCl and the SUPERCOP
* cipher benchmark suite, but with the modification that it always
* produces a signature of fixed 96-byte length based on the hash of an
* arbitrary-length message.
*
* @param myPrivate My private key
* @param myPublic My public key
2013-09-13 23:18:01 +00:00
* @param msg Message to sign
* @param len Length of message in bytes
* @param signature Buffer to fill with signature -- MUST be 96 bytes in length
*/
2019-08-20 20:32:23 +00:00
static void sign(const uint8_t myPrivate[ZT_C25519_PRIVATE_KEY_LEN],const uint8_t myPublic[ZT_C25519_PUBLIC_KEY_LEN],const void *msg,unsigned int len,void *signature);
2013-09-13 23:18:01 +00:00
/**
* Verify a message's signature
*
* @param their Public key to verify against
* @param msg Message to verify signature integrity against
* @param len Length of message in bytes
2019-07-16 21:09:14 +00:00
* @param signature Signature bytes
* @param siglen Length of signature in bytes
2013-09-13 23:18:01 +00:00
* @return True if signature is valid and the message is authentic and unmodified
*/
2019-08-20 20:32:23 +00:00
static bool verify(const uint8_t their[ZT_C25519_PUBLIC_KEY_LEN],const void *msg,unsigned int len,const void *signature,const unsigned int siglen);
private:
// derive first 32 bytes of kp.pub from first 32 bytes of kp.priv
// this is the ECDH key
2019-08-20 20:32:23 +00:00
static void _calcPubDH(uint8_t pub[ZT_C25519_PUBLIC_KEY_LEN],const uint8_t priv[ZT_C25519_PRIVATE_KEY_LEN]);
// derive 2nd 32 bytes of kp.pub from 2nd 32 bytes of kp.priv
// this is the Ed25519 sign/verify key
2019-08-20 20:32:23 +00:00
static void _calcPubED(uint8_t pub[ZT_C25519_PUBLIC_KEY_LEN],const uint8_t priv[ZT_C25519_PRIVATE_KEY_LEN]);
};
} // namespace ZeroTier
#endif