Nist P-384 guts and glory

make-linux.mk

@@ -14,7 +14,6 @@ DEFS?=
 LDLIBS?=
 DESTDIR?=
 
-
 include objects.mk
 ONE_OBJS+=osdep/LinuxEthernetTap.o
 ONE_OBJS+=osdep/LinuxNetLink.o

node/C25519.cpp

@@ -2687,7 +2687,7 @@ void ge25519_scalarmult_base(ge25519_p3 *r, const sc25519 *s)
 	}
 }
 
-void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long long smlen)
+void get_hram(unsigned char *hram, const unsigned char *sm, const unsigned char *pk, unsigned char *playground, unsigned long smlen)
 {
 	unsigned long long i;
 
@@ -2778,13 +2778,22 @@ void C25519::sign(const C25519::Private &myPrivate,const C25519::Public &myPubli
 #endif
 }
 
-bool C25519::verify(const C25519::Public &their,const void *msg,unsigned int len,const void *signature)
+bool C25519::verify(const C25519::Public &their,const void *msg,unsigned int len,const void *signature,const unsigned int siglen)
 {
-	const unsigned char *const sig = (const unsigned char *)signature;
+	if (siglen < 64) return false;
+
+	const unsigned char *sig = (const unsigned char *)signature;
 	unsigned char digest[64]; // we sign the first 32 bytes of SHA-512(msg)
+	unsigned char sigtmp[96];
 	SHA512::hash(digest,msg,len);
-	if (!Utils::secureEq(sig + 64,digest,32))
+
+	if ((siglen == 96)&&(!Utils::secureEq(sig+64,digest,32))) {
 		return false;
+	} else if (siglen == 64) {
+		memcpy(sigtmp,sig,64);
+		memcpy(sigtmp+64,digest,32);
+		sig = sigtmp;
+	}
 
 	unsigned char t2[32];
 	ge25519 get1, get2;

node/C25519.hpp

@@ -125,6 +125,11 @@ public:
 	/**
 	 * Sign a message with a sender's key pair
 	 *
+	 * Note that this generates a 96-byte signature that contains an extra 32 bytes
+	 * of hash data. This data is included for historical reasons and is optional. The
+	 * verify function here will take the first 64 bytes only (normal ed25519 signature)
+	 * or a 96-byte length signature with the extra input hash data.
+	 * 
 	 * @param myPrivate My private key
 	 * @param myPublic My public key
 	 * @param msg Message to sign
@@ -150,10 +155,11 @@ public:
 	 * @param their Public key to verify against
 	 * @param msg Message to verify signature integrity against
 	 * @param len Length of message in bytes
-	 * @param signature 96-byte signature
+	 * @param signature Signature bytes
+	 * @param siglen Length of signature in bytes
 	 * @return True if signature is valid and the message is authentic and unmodified
 	 */
-	static bool verify(const Public &their,const void *msg,unsigned int len,const void *signature);
+	static bool verify(const Public &their,const void *msg,unsigned int len,const void *signature,const unsigned int siglen);
 
 	/**
 	 * Verify a message's signature
@@ -164,10 +170,7 @@ public:
 	 * @param signature 96-byte signature
 	 * @return True if signature is valid and the message is authentic and unmodified
 	 */
-	static inline bool verify(const Public &their,const void *msg,unsigned int len,const Signature &signature)
+	static inline bool verify(const Public &their,const void *msg,unsigned int len,const Signature &signature) { return verify(their,msg,len,signature.data,96); }
-	{
-		return verify(their,msg,len,signature.data);
-	}
 
 private:
 	// derive first 32 bytes of kp.pub from first 32 bytes of kp.priv

node/ECC384.hpp

@@ -0,0 +1,74 @@
+/*
+ * ZeroTier One - Network Virtualization Everywhere
+ * Copyright (C) 2011-2019  ZeroTier, Inc.  https://www.zerotier.com/
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ *
+ * --
+ *
+ * You can be released from the requirements of the license by purchasing
+ * a commercial license. Buying such a license is mandatory as soon as you
+ * develop commercial closed-source software that incorporates or links
+ * directly against ZeroTier software without disclosing the source code
+ * of your own application.
+ */
+
+// This is glue code to ease the use of the NIST P-384 elliptic curve.
+
+// Note that some of the code inside ECC384.cpp is third party code and
+// is under the BSD 2-clause license rather than ZeroTier's license.
+
+#ifndef ZT_ECC384_HPP
+#define ZT_ECC384_HPP
+
+#include "Constants.hpp"
+
+/**
+ * Size of a (point compressed) P-384 public key
+ */
+#define ZT_ECC384_PUBLIC_KEY_SIZE 49
+
+/**
+ * Size of a P-384 private key
+ */
+#define ZT_ECC384_PRIVATE_KEY_SIZE 48
+
+/**
+ * Size of the hash that should be signed using P-384
+ */
+#define ZT_ECC384_SIGNATURE_HASH_SIZE 48
+
+/**
+ * Size of a P-384 signature
+ */
+#define ZT_ECC384_SIGNATURE_SIZE 96
+
+/**
+ * Size of shared secret generated by ECDH key agreement
+ */
+#define ZT_ECC384_SHARED_SECRET_SIZE 48
+
+namespace ZeroTier {
+
+void ECC384GenerateKey(uint8_t pub[ZT_ECC384_PUBLIC_KEY_SIZE],uint8_t priv[ZT_ECC384_PRIVATE_KEY_SIZE]);
+
+void ECC384ECDSASign(const uint8_t priv[ZT_ECC384_PRIVATE_KEY_SIZE],const uint8_t hash[ZT_ECC384_SIGNATURE_HASH_SIZE],uint8_t sig[ZT_ECC384_SIGNATURE_SIZE]);
+
+bool ECC384ECDSAVerify(const uint8_t pub[ZT_ECC384_PUBLIC_KEY_SIZE],const uint8_t hash[ZT_ECC384_SIGNATURE_HASH_SIZE],const uint8_t sig[ZT_ECC384_SIGNATURE_SIZE]);
+
+bool ECC384ECDH(const uint8_t theirPub[ZT_ECC384_PUBLIC_KEY_SIZE],const uint8_t ourPriv[ZT_ECC384_PRIVATE_KEY_SIZE],uint8_t secret[ZT_ECC384_SHARED_SECRET_SIZE]);
+
+} // namespace ZeroTier
+
+#endif

node/Identity.hpp

@@ -159,12 +159,7 @@ public:
 	 * @param siglen Length of signature in bytes
 	 * @return True if signature validates and data integrity checks
 	 */
-	inline bool verify(const void *data,unsigned int len,const void *signature,unsigned int siglen) const
+	inline bool verify(const void *data,unsigned int len,const void *signature,unsigned int siglen) const { return C25519::verify(_publicKey,data,len,signature,siglen); }
-	{
-		if (siglen != ZT_C25519_SIGNATURE_LEN)
-			return false;
-		return C25519::verify(_publicKey,data,len,signature);
-	}
 
 	/**
 	 * Verify a message signature against this identity
@@ -174,10 +169,7 @@ public:
 	 * @param signature Signature
 	 * @return True if signature validates and data integrity checks
 	 */
-	inline bool verify(const void *data,unsigned int len,const C25519::Signature &signature) const
+	inline bool verify(const void *data,unsigned int len,const C25519::Signature &signature) const { return C25519::verify(_publicKey,data,len,signature); }
-	{
-		return C25519::verify(_publicKey,data,len,signature);
-	}
 
 	/**
 	 * Shortcut method to perform key agreement with another identity

objects.mk

@@ -3,6 +3,7 @@ CORE_OBJS=\
 	node/Capability.o \
 	node/CertificateOfMembership.o \
 	node/CertificateOfOwnership.o \
+	node/ECC384.o \
 	node/Identity.o \
 	node/IncomingPacket.o \
 	node/InetAddress.o \

selftest.cpp

@@ -50,6 +50,7 @@
 #include "node/Dictionary.hpp"
 #include "node/SHA512.hpp"
 #include "node/C25519.hpp"
+#include "node/ECC384.hpp"
 #include "node/Poly1305.hpp"
 #include "node/CertificateOfMembership.hpp"
 #include "node/Node.hpp"
@@ -305,18 +306,35 @@ static int testCrypto()
 		::free((void *)bb);
 	}
 
-	/*
+	std::cout << "[crypto] Testing ECC384 (NIST P-384)..." << std::endl;
-	for(unsigned int d=8;d<=10;++d) {
+	{
-		for(int k=0;k<8;++k) {
+		uint8_t p384pub[ZT_ECC384_PUBLIC_KEY_SIZE],p384priv[ZT_ECC384_PRIVATE_KEY_SIZE],p384sig[ZT_ECC384_SIGNATURE_SIZE],p384hash[ZT_ECC384_SIGNATURE_HASH_SIZE];
-			std::cout << "[crypto] computeSalsa2012Sha512ProofOfWork(" << d << ",\"foobarbaz\",9) == "; std::cout.flush();
+		char p384hex[256];
-			unsigned char result[16];
+		ECC384GenerateKey(p384pub,p384priv);
-			uint64_t start = OSUtils::now();
+		std::cout << "[crypto]   Public Key: " << Utils::hex(p384pub,sizeof(p384pub),p384hex) << std::endl;
-			IncomingPacket::computeSalsa2012Sha512ProofOfWork(d,"foobarbaz",9,result);
+		Utils::getSecureRandom(p384hash,sizeof(p384hash));
-			uint64_t end = OSUtils::now();
+		ECC384ECDSASign(p384priv,p384hash,p384sig);
-			std::cout << Utils::hex(result,16) << " -- valid: " << IncomingPacket::testSalsa2012Sha512ProofOfWorkResult(d,"foobarbaz",9,result) << ", " << (end - start) << "ms" << std::endl;
+		if (!ECC384ECDSAVerify(p384pub,p384hash,p384sig)) {
+			std::cout << "[crypto]   Signature: FAILED (verify good signature)" << std::endl;
+			return -1;
 		}
+		++p384sig[0];
+		if (ECC384ECDSAVerify(p384pub,p384hash,p384sig)) {
+			std::cout << "[crypto]   Signature: FAILED (verify bad signature)" << std::endl;
+			return -1;
+		}
+		--p384sig[0];
+		std::cout << "[crypto]   Signature: " << Utils::hex(p384sig,sizeof(p384sig),p384hex) << std::endl;
+		uint8_t p384pub2[ZT_ECC384_PUBLIC_KEY_SIZE],p384priv2[ZT_ECC384_PRIVATE_KEY_SIZE],p384sec[ZT_ECC384_SHARED_SECRET_SIZE],p384sec2[ZT_ECC384_SHARED_SECRET_SIZE];
+		ECC384GenerateKey(p384pub2,p384priv2);
+		ECC384ECDH(p384pub,p384priv2,p384sec);
+		ECC384ECDH(p384pub2,p384priv,p384sec2);
+		if (memcmp(p384sec,p384sec2,ZT_ECC384_SHARED_SECRET_SIZE)) {
+			std::cout << "[crypto]   ECDH Agree: FAILED (secrets do not match)" << std::endl;
+			return -1;
+		}
+		std::cout << "[crypto]   ECDH Agree: " << Utils::hex(p384sec,sizeof(p384sec),p384hex) << std::endl;
 	}
-	*/
 
 	std::cout << "[crypto] Testing C25519 and Ed25519 against test vectors... "; std::cout.flush();
 	for(int k=0;k<ZT_NUM_C25519_TEST_VECTORS;++k) {