2012-01-12 03:38:24 +00:00
|
|
|
/*
|
2014-11-19 13:31:12 +00:00
|
|
|
Serval DNA - Rhizome cryptographic operations
|
|
|
|
|
Copyright (C) 2014 Serval Project Inc.
|
2012-01-12 03:38:24 +00:00
|
|
|
Copyright (C) 2010 Paul Gardner-Stephen
|
|
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or
|
|
|
|
|
modify it under the terms of the GNU General Public License
|
|
|
|
|
as published by the Free Software Foundation; either version 2
|
|
|
|
|
of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
|
along with this program; if not, write to the Free Software
|
|
|
|
|
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
Refactor manifest: specific setter functions
Replace generic rhizome_manifest_set() and rhizome_manifest_set_ll()
with per-field setter functions, eg, rhizome_manifest_set_filesize().
Struct rhizome_manifest elements for all known fields, to replace the
use of rhizome_manifest_get() and rhizome_manifest_get_ll() everywhere:
sender, recipient, service, name, date, bundle_key.
Add boolean validity flags for binary blob types, to avoid having to compare
with many bytes of all-zero to detect presence, eg, has_sender, has_recipient,
has_author, has_bundle_key. These maintained by the setter functions.
Rename existing manifest struct elements to be the same as their field
names: fileLength -> filesize, journalTail -> tail.
More use of unsigned int, size_t and uint64_t for payload sizes, offsets, byte
counts, etc. especially in rhizome_store.c and meshms.c. More uniform use of
size_t to dimension memory buffers. Fix some printf(3) style format strings
for 64-bit correctness on 32-bit systems. Use new constant RHIZOME_SIZE_UNSET
instead of -1 to indicate unknown dimension, and explicitly assert its absence
before comparisons and arithmetic, for safety.
Replace some 'int' loop variables with 'unsigned' where appropriate.
Fix bugs discovered in MeshMS bundle private/public key generation and
bundle secret key handling for export/extract commands.
Instrument the first MeshMS test case to aid debugging.
New debug config flag: debug.manifest logs all modifications to all manifest
fields by setter functions.
Rename debug config flag: debug.rhizome_bind -> debug.rhizome_sql_bind.
2013-10-30 12:52:19 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <ctype.h>
|
|
|
|
|
#include <assert.h>
|
|
|
|
|
|
2013-02-15 19:52:37 +00:00
|
|
|
#include "crypto_sign_edwards25519sha512batch.h"
|
|
|
|
|
#include "nacl/src/crypto_sign_edwards25519sha512batch_ref/ge.h"
|
2012-02-23 02:15:42 +00:00
|
|
|
#include "serval.h"
|
2012-12-11 05:29:46 +00:00
|
|
|
#include "conf.h"
|
2012-11-07 06:12:45 +00:00
|
|
|
#include "str.h"
|
2012-01-12 03:38:24 +00:00
|
|
|
#include "rhizome.h"
|
2013-07-25 05:10:59 +00:00
|
|
|
#include "crypto.h"
|
2013-10-16 03:00:00 +00:00
|
|
|
#include "keyring.h"
|
2013-11-25 02:39:54 +00:00
|
|
|
#include "dataformats.h"
|
2012-05-02 06:33:09 +00:00
|
|
|
|
2012-01-12 03:38:24 +00:00
|
|
|
int rhizome_manifest_createid(rhizome_manifest *m)
|
|
|
|
|
{
|
2013-10-03 13:46:45 +00:00
|
|
|
if (crypto_sign_edwards25519sha512batch_keypair(m->cryptoSignPublic.binary, m->cryptoSignSecret))
|
2013-07-25 05:10:59 +00:00
|
|
|
return WHY("Failed to create keypair for manifest ID.");
|
2014-11-19 12:29:59 +00:00
|
|
|
rhizome_manifest_set_id(m, &m->cryptoSignPublic); // will remove any existing BK field
|
2013-09-30 07:12:25 +00:00
|
|
|
m->haveSecret = NEW_BUNDLE_ID;
|
2013-07-25 05:10:59 +00:00
|
|
|
return 0;
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
|
|
|
|
|
2014-11-13 05:24:20 +00:00
|
|
|
struct signing_key {
|
2013-07-25 05:16:34 +00:00
|
|
|
unsigned char Private[crypto_sign_edwards25519sha512batch_SECRETKEYBYTES];
|
2013-10-03 13:46:45 +00:00
|
|
|
rhizome_bid_t Public;
|
2013-07-25 05:16:34 +00:00
|
|
|
};
|
|
|
|
|
|
2014-11-13 05:24:20 +00:00
|
|
|
/* generate a keypair from a given secret key */
|
2015-03-23 07:01:06 +00:00
|
|
|
static void generate_keypair_from_secret(const rhizome_bk_t *bsk, struct signing_key *key)
|
2013-07-25 05:16:34 +00:00
|
|
|
{
|
2014-11-13 05:24:20 +00:00
|
|
|
bcopy(bsk->binary, key->Private, sizeof bsk->binary); // first 32 bytes
|
2015-03-23 07:01:06 +00:00
|
|
|
crypto_sign_compute_public_key(key->Private, key->Public.binary);
|
Refactor manifest: specific setter functions
Replace generic rhizome_manifest_set() and rhizome_manifest_set_ll()
with per-field setter functions, eg, rhizome_manifest_set_filesize().
Struct rhizome_manifest elements for all known fields, to replace the
use of rhizome_manifest_get() and rhizome_manifest_get_ll() everywhere:
sender, recipient, service, name, date, bundle_key.
Add boolean validity flags for binary blob types, to avoid having to compare
with many bytes of all-zero to detect presence, eg, has_sender, has_recipient,
has_author, has_bundle_key. These maintained by the setter functions.
Rename existing manifest struct elements to be the same as their field
names: fileLength -> filesize, journalTail -> tail.
More use of unsigned int, size_t and uint64_t for payload sizes, offsets, byte
counts, etc. especially in rhizome_store.c and meshms.c. More uniform use of
size_t to dimension memory buffers. Fix some printf(3) style format strings
for 64-bit correctness on 32-bit systems. Use new constant RHIZOME_SIZE_UNSET
instead of -1 to indicate unknown dimension, and explicitly assert its absence
before comparisons and arithmetic, for safety.
Replace some 'int' loop variables with 'unsigned' where appropriate.
Fix bugs discovered in MeshMS bundle private/public key generation and
bundle secret key handling for export/extract commands.
Instrument the first MeshMS test case to aid debugging.
New debug config flag: debug.manifest logs all modifications to all manifest
fields by setter functions.
Rename debug config flag: debug.rhizome_bind -> debug.rhizome_sql_bind.
2013-10-30 12:52:19 +00:00
|
|
|
// The last 32 bytes of the private key should be identical to the public key. This is what
|
|
|
|
|
// crypto_sign_edwards25519sha512batch_keypair() returns, and there is code that depends on it.
|
|
|
|
|
// TODO: Refactor the Rhizome private/public keypair to eliminate this duplication.
|
|
|
|
|
bcopy(key->Public.binary, key->Private + RHIZOME_BUNDLE_KEY_BYTES, sizeof key->Public.binary);
|
2013-07-25 05:16:34 +00:00
|
|
|
}
|
|
|
|
|
|
2014-11-19 12:29:59 +00:00
|
|
|
/* Generate a new empty manifest from the given keypair.
|
|
|
|
|
*/
|
|
|
|
|
static void rhizome_new_bundle_from_keypair(rhizome_manifest *m, const struct signing_key *key)
|
|
|
|
|
{
|
|
|
|
|
rhizome_manifest_set_id(m, &key->Public); // zerofills m->cryptoSignSecret
|
|
|
|
|
m->haveSecret = NEW_BUNDLE_ID;
|
|
|
|
|
bcopy(key->Private, m->cryptoSignSecret, sizeof m->cryptoSignSecret);
|
|
|
|
|
// Disabled for performance, these asserts should nevertheless always hold.
|
|
|
|
|
//assert(cmp_rhizome_bid_t(&m->cryptoSignPublic, &key->Public) == 0);
|
|
|
|
|
//assert(memcmp(m->cryptoSignPublic.binary, m->cryptoSignSecret + RHIZOME_BUNDLE_KEY_BYTES, sizeof m->cryptoSignPublic.binary) == 0);
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-25 05:16:34 +00:00
|
|
|
/* Generate a bundle id deterministically from the given seed.
|
|
|
|
|
* Then either fetch it from the database or initialise a new empty manifest */
|
|
|
|
|
int rhizome_get_bundle_from_seed(rhizome_manifest *m, const char *seed)
|
|
|
|
|
{
|
2014-11-13 05:24:20 +00:00
|
|
|
union {
|
|
|
|
|
unsigned char hash[crypto_hash_sha512_BYTES];
|
|
|
|
|
rhizome_bk_t bsk;
|
|
|
|
|
} u;
|
|
|
|
|
crypto_hash_sha512(u.hash, (unsigned char *)seed, strlen(seed));
|
|
|
|
|
// The first 256 bits (32 bytes) of the hash will be used as the private key of the BID.
|
|
|
|
|
return rhizome_get_bundle_from_secret(m, &u.bsk);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Generate a bundle id deterministically from the given bundle secret key.
|
|
|
|
|
* Then either fetch it from the database or initialise a new empty manifest
|
|
|
|
|
*/
|
|
|
|
|
int rhizome_get_bundle_from_secret(rhizome_manifest *m, const rhizome_bk_t *bsk)
|
|
|
|
|
{
|
2014-11-19 12:29:59 +00:00
|
|
|
struct signing_key key;
|
2015-03-23 07:01:06 +00:00
|
|
|
generate_keypair_from_secret(bsk, &key);
|
2014-11-19 12:29:59 +00:00
|
|
|
switch (rhizome_retrieve_manifest(&key.Public, m)) {
|
2014-09-08 07:44:55 +00:00
|
|
|
case RHIZOME_BUNDLE_STATUS_NEW:
|
2014-11-19 12:29:59 +00:00
|
|
|
rhizome_new_bundle_from_keypair(m, &key);
|
2014-09-08 07:44:55 +00:00
|
|
|
break;
|
|
|
|
|
case RHIZOME_BUNDLE_STATUS_SAME:
|
|
|
|
|
m->haveSecret = EXISTING_BUNDLE_ID;
|
2014-11-19 12:29:59 +00:00
|
|
|
bcopy(key.Private, m->cryptoSignSecret, sizeof m->cryptoSignSecret);
|
2014-09-08 07:44:55 +00:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
return -1;
|
Refactor manifest: specific setter functions
Replace generic rhizome_manifest_set() and rhizome_manifest_set_ll()
with per-field setter functions, eg, rhizome_manifest_set_filesize().
Struct rhizome_manifest elements for all known fields, to replace the
use of rhizome_manifest_get() and rhizome_manifest_get_ll() everywhere:
sender, recipient, service, name, date, bundle_key.
Add boolean validity flags for binary blob types, to avoid having to compare
with many bytes of all-zero to detect presence, eg, has_sender, has_recipient,
has_author, has_bundle_key. These maintained by the setter functions.
Rename existing manifest struct elements to be the same as their field
names: fileLength -> filesize, journalTail -> tail.
More use of unsigned int, size_t and uint64_t for payload sizes, offsets, byte
counts, etc. especially in rhizome_store.c and meshms.c. More uniform use of
size_t to dimension memory buffers. Fix some printf(3) style format strings
for 64-bit correctness on 32-bit systems. Use new constant RHIZOME_SIZE_UNSET
instead of -1 to indicate unknown dimension, and explicitly assert its absence
before comparisons and arithmetic, for safety.
Replace some 'int' loop variables with 'unsigned' where appropriate.
Fix bugs discovered in MeshMS bundle private/public key generation and
bundle secret key handling for export/extract commands.
Instrument the first MeshMS test case to aid debugging.
New debug config flag: debug.manifest logs all modifications to all manifest
fields by setter functions.
Rename debug config flag: debug.rhizome_bind -> debug.rhizome_sql_bind.
2013-10-30 12:52:19 +00:00
|
|
|
}
|
2014-11-13 05:24:20 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Generate a bundle id deterministically from the given bundle secret key.
|
|
|
|
|
* Then initialise a new empty manifest.
|
|
|
|
|
*/
|
2015-03-23 07:01:06 +00:00
|
|
|
void rhizome_new_bundle_from_secret(rhizome_manifest *m, const rhizome_bk_t *bsk)
|
2014-11-13 05:24:20 +00:00
|
|
|
{
|
|
|
|
|
struct signing_key key;
|
2015-03-23 07:01:06 +00:00
|
|
|
generate_keypair_from_secret(bsk, &key);
|
2014-11-19 12:29:59 +00:00
|
|
|
rhizome_new_bundle_from_keypair(m, &key);
|
2013-07-25 05:16:34 +00:00
|
|
|
}
|
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
/* Given a Rhizome Secret (RS) and bundle ID (BID), XOR a bundle key 'bkin' (private or public) with
|
2012-10-09 16:37:49 +00:00
|
|
|
* RS##BID. This derives the first 32-bytes of the secret key. The BID itself as
|
|
|
|
|
* public key is also the last 32-bytes of the secret key.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
2012-10-09 16:37:49 +00:00
|
|
|
* @author Andrew Bettison <andrew@servalproject.org>
|
|
|
|
|
* @author Paul Gardner-Stephen <paul@servalproject.org>
|
2012-10-11 07:28:24 +00:00
|
|
|
*/
|
2012-10-09 16:37:49 +00:00
|
|
|
int rhizome_bk_xor_stream(
|
2013-10-03 13:46:45 +00:00
|
|
|
const rhizome_bid_t *bidp,
|
2012-10-11 07:28:24 +00:00
|
|
|
const unsigned char *rs,
|
2012-10-09 16:37:49 +00:00
|
|
|
const size_t rs_len,
|
|
|
|
|
unsigned char *xor_stream,
|
|
|
|
|
int xor_stream_byte_count)
|
2012-10-11 07:28:24 +00:00
|
|
|
{
|
|
|
|
|
IN();
|
2013-02-16 17:47:24 +00:00
|
|
|
if (rs_len<1||rs_len>65536) RETURN(WHY("rs_len invalid"));
|
2012-10-09 16:37:49 +00:00
|
|
|
if (xor_stream_byte_count<1||xor_stream_byte_count>crypto_hash_sha512_BYTES)
|
|
|
|
|
RETURN(WHY("xor_stream_byte_count invalid"));
|
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
int combined_len = rs_len + crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES;
|
|
|
|
|
unsigned char buffer[combined_len];
|
|
|
|
|
bcopy(&rs[0], &buffer[0], rs_len);
|
2013-10-03 13:46:45 +00:00
|
|
|
bcopy(&bidp->binary[0], &buffer[rs_len], crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
2012-10-11 07:28:24 +00:00
|
|
|
unsigned char hash[crypto_hash_sha512_BYTES];
|
|
|
|
|
crypto_hash_sha512(hash,buffer,combined_len);
|
2012-10-09 16:37:49 +00:00
|
|
|
bcopy(hash,xor_stream,xor_stream_byte_count);
|
|
|
|
|
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
|
|
|
|
return 0;
|
2012-10-09 16:37:49 +00:00
|
|
|
}
|
|
|
|
|
|
2013-11-05 07:28:03 +00:00
|
|
|
/* CryptoSign Secret Keys in cupercop-20120525 onwards have the public key as the second half of the
|
|
|
|
|
* secret key. The public key is the BID, so this simplifies the BK<-->SECRET conversion processes.
|
|
|
|
|
*
|
|
|
|
|
* Returns 0 if the BK decodes correctly to the bundle secret, 1 if not. Returns -1 if there is an
|
|
|
|
|
* error.
|
|
|
|
|
*/
|
2013-12-09 07:52:18 +00:00
|
|
|
int rhizome_bk2secret(
|
2013-10-03 13:46:45 +00:00
|
|
|
const rhizome_bid_t *bidp,
|
2012-10-09 16:37:49 +00:00
|
|
|
const unsigned char *rs, const size_t rs_len,
|
|
|
|
|
/* The BK need only be the length of the secret half of the secret key */
|
|
|
|
|
const unsigned char bkin[RHIZOME_BUNDLE_KEY_BYTES],
|
|
|
|
|
unsigned char secret[crypto_sign_edwards25519sha512batch_SECRETKEYBYTES]
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
IN();
|
|
|
|
|
unsigned char xor_stream[RHIZOME_BUNDLE_KEY_BYTES];
|
2013-11-05 07:28:03 +00:00
|
|
|
if (rhizome_bk_xor_stream(bidp, rs, rs_len, xor_stream, RHIZOME_BUNDLE_KEY_BYTES))
|
2012-10-09 16:37:49 +00:00
|
|
|
RETURN(WHY("rhizome_bk_xor_stream() failed"));
|
|
|
|
|
/* XOR and store secret part of secret key */
|
2013-11-05 07:28:03 +00:00
|
|
|
unsigned i;
|
|
|
|
|
for (i = 0; i != RHIZOME_BUNDLE_KEY_BYTES; ++i)
|
2012-10-09 16:37:49 +00:00
|
|
|
secret[i] = bkin[i] ^ xor_stream[i];
|
|
|
|
|
bzero(xor_stream, sizeof xor_stream);
|
2013-11-05 07:28:03 +00:00
|
|
|
/* Copy BID as public-key part of secret key */
|
|
|
|
|
bcopy(bidp->binary, secret + RHIZOME_BUNDLE_KEY_BYTES, sizeof bidp->binary);
|
|
|
|
|
RETURN(rhizome_verify_bundle_privatekey(secret, bidp->binary) ? 0 : 1);
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
2012-10-09 16:37:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int rhizome_secret2bk(
|
2013-10-03 13:46:45 +00:00
|
|
|
const rhizome_bid_t *bidp,
|
2012-10-09 16:37:49 +00:00
|
|
|
const unsigned char *rs, const size_t rs_len,
|
|
|
|
|
/* The BK need only be the length of the secret half of the secret key */
|
|
|
|
|
unsigned char bkout[RHIZOME_BUNDLE_KEY_BYTES],
|
|
|
|
|
const unsigned char secret[crypto_sign_edwards25519sha512batch_SECRETKEYBYTES]
|
|
|
|
|
)
|
|
|
|
|
{
|
|
|
|
|
IN();
|
|
|
|
|
unsigned char xor_stream[RHIZOME_BUNDLE_KEY_BYTES];
|
2013-10-03 13:46:45 +00:00
|
|
|
if (rhizome_bk_xor_stream(bidp,rs,rs_len,xor_stream,RHIZOME_BUNDLE_KEY_BYTES))
|
2012-10-09 16:37:49 +00:00
|
|
|
RETURN(WHY("rhizome_bk_xor_stream() failed"));
|
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
int i;
|
2012-10-09 16:37:49 +00:00
|
|
|
|
|
|
|
|
/* XOR and store secret part of secret key */
|
|
|
|
|
for(i = 0; i != RHIZOME_BUNDLE_KEY_BYTES; i++)
|
|
|
|
|
bkout[i] = secret[i] ^ xor_stream[i];
|
|
|
|
|
|
|
|
|
|
bzero(xor_stream, sizeof xor_stream);
|
|
|
|
|
RETURN(0);
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
2012-10-11 07:28:24 +00:00
|
|
|
}
|
|
|
|
|
|
2012-10-09 16:37:49 +00:00
|
|
|
|
2013-11-05 07:28:03 +00:00
|
|
|
/* Given a SID, search the keyring for an identity with the same SID and return its Rhizome secret
|
|
|
|
|
* if found.
|
|
|
|
|
*
|
|
|
|
|
* Returns FOUND_RHIZOME_SECRET if the author's rhizome secret is found; '*rs' is set to point to
|
|
|
|
|
* the secret key in the keyring, and '*rs_len' is set to the key length.
|
2012-10-15 08:03:44 +00:00
|
|
|
*
|
2013-11-05 07:28:03 +00:00
|
|
|
* Returns IDENTITY_NOT_FOUND if the SID is not in the keyring.
|
|
|
|
|
*
|
|
|
|
|
* Returns IDENTITY_HAS_NO_RHIZOME_SECRET if the SID is in the keyring but has no Rhizome Secret.
|
2012-10-15 08:03:44 +00:00
|
|
|
*
|
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
|
|
|
|
*/
|
2013-11-05 07:28:03 +00:00
|
|
|
enum rhizome_secret_disposition find_rhizome_secret(const sid_t *authorSidp, size_t *rs_len, const unsigned char **rs)
|
2012-10-15 08:03:44 +00:00
|
|
|
{
|
2013-11-05 07:28:03 +00:00
|
|
|
IN();
|
2014-10-31 03:13:23 +00:00
|
|
|
keyring_iterator it;
|
|
|
|
|
keyring_iterator_start(keyring, &it);
|
|
|
|
|
if (!keyring_find_sid(&it, authorSidp)) {
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "identity sid=%s is not in keyring", alloca_tohex_sid_t(*authorSidp));
|
2013-11-05 07:28:03 +00:00
|
|
|
RETURN(IDENTITY_NOT_FOUND);
|
2012-10-15 08:03:44 +00:00
|
|
|
}
|
2014-10-31 03:13:23 +00:00
|
|
|
keypair *kp=keyring_identity_keytype(it.identity, KEYTYPE_RHIZOME);
|
|
|
|
|
if (!kp) {
|
2013-11-05 07:28:03 +00:00
|
|
|
WARNF("Identity sid=%s has no Rhizome Secret", alloca_tohex_sid_t(*authorSidp));
|
|
|
|
|
RETURN(IDENTITY_HAS_NO_RHIZOME_SECRET);
|
2012-10-15 08:03:44 +00:00
|
|
|
}
|
2014-10-31 03:13:23 +00:00
|
|
|
int rslen = kp->private_key_len;
|
2013-11-05 07:28:03 +00:00
|
|
|
assert(rslen >= 16);
|
|
|
|
|
assert(rslen <= 1024);
|
2012-10-15 08:03:44 +00:00
|
|
|
if (rs_len)
|
|
|
|
|
*rs_len = rslen;
|
|
|
|
|
if (rs)
|
2014-10-31 03:13:23 +00:00
|
|
|
*rs = kp->private_key;
|
2013-11-05 07:28:03 +00:00
|
|
|
RETURN(FOUND_RHIZOME_SECRET);
|
2012-10-15 08:03:44 +00:00
|
|
|
}
|
|
|
|
|
|
2013-11-05 07:28:03 +00:00
|
|
|
/* Attempt to authenticate the authorship of the given bundle, and set the 'authorship' element
|
2014-11-14 02:31:44 +00:00
|
|
|
* accordingly. If the manifest has no BK field, then no authentication can be performed.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
|
|
|
|
*/
|
2013-11-05 07:28:03 +00:00
|
|
|
void rhizome_authenticate_author(rhizome_manifest *m)
|
|
|
|
|
{
|
|
|
|
|
IN();
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "authenticate author for bid=%s", m->has_id ? alloca_tohex_rhizome_bid_t(m->cryptoSignPublic) : "(none)");
|
2013-11-05 07:28:03 +00:00
|
|
|
switch (m->authorship) {
|
|
|
|
|
case ANONYMOUS:
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " manifest[%d] author unknown", m->manifest_record_number);
|
2013-11-05 07:28:03 +00:00
|
|
|
rhizome_find_bundle_author_and_secret(m);
|
2015-11-09 04:43:21 +00:00
|
|
|
RETURNVOID;
|
2013-11-05 07:28:03 +00:00
|
|
|
case AUTHOR_NOT_CHECKED:
|
|
|
|
|
case AUTHOR_LOCAL: {
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " manifest[%d] authenticate author=%s", m->manifest_record_number, alloca_tohex_sid_t(m->author));
|
2013-11-05 07:28:03 +00:00
|
|
|
size_t rs_len;
|
|
|
|
|
const unsigned char *rs;
|
|
|
|
|
enum rhizome_secret_disposition d = find_rhizome_secret(&m->author, &rs_len, &rs);
|
|
|
|
|
switch (d) {
|
|
|
|
|
case FOUND_RHIZOME_SECRET:
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " author has Rhizome secret");
|
2013-12-09 07:52:18 +00:00
|
|
|
switch (rhizome_bk2secret(&m->cryptoSignPublic, rs, rs_len, m->bundle_key.binary, m->cryptoSignSecret)) {
|
2013-11-05 07:28:03 +00:00
|
|
|
case 0:
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " is authentic");
|
2013-11-05 07:28:03 +00:00
|
|
|
m->authorship = AUTHOR_AUTHENTIC;
|
|
|
|
|
if (!m->haveSecret)
|
|
|
|
|
m->haveSecret = EXISTING_BUNDLE_ID;
|
|
|
|
|
break;
|
|
|
|
|
case -1:
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " error");
|
2013-11-05 07:28:03 +00:00
|
|
|
m->authorship = AUTHENTICATION_ERROR;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " author is impostor");
|
2013-11-05 07:28:03 +00:00
|
|
|
m->authorship = AUTHOR_IMPOSTOR;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-11-09 04:43:21 +00:00
|
|
|
RETURNVOID;
|
2013-11-05 07:28:03 +00:00
|
|
|
case IDENTITY_NOT_FOUND:
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " author not found");
|
2013-11-05 07:28:03 +00:00
|
|
|
m->authorship = AUTHOR_UNKNOWN;
|
2015-11-09 04:43:21 +00:00
|
|
|
RETURNVOID;
|
2013-11-05 07:28:03 +00:00
|
|
|
case IDENTITY_HAS_NO_RHIZOME_SECRET:
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " author has no Rhizome secret");
|
2013-11-05 07:28:03 +00:00
|
|
|
m->authorship = AUTHENTICATION_ERROR;
|
2015-11-09 04:43:21 +00:00
|
|
|
RETURNVOID;
|
2013-11-05 07:28:03 +00:00
|
|
|
}
|
2015-11-09 04:43:21 +00:00
|
|
|
FATALF("find_rhizome_secret() returned unknown code %d", (int)d);
|
2013-11-05 07:28:03 +00:00
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case AUTHENTICATION_ERROR:
|
|
|
|
|
case AUTHOR_UNKNOWN:
|
|
|
|
|
case AUTHOR_IMPOSTOR:
|
|
|
|
|
case AUTHOR_AUTHENTIC:
|
|
|
|
|
// work has already been done, don't repeat it
|
2015-11-09 04:43:21 +00:00
|
|
|
RETURNVOID;
|
2013-11-05 07:28:03 +00:00
|
|
|
}
|
2015-11-09 04:43:21 +00:00
|
|
|
FATALF("m->authorship = %d", (int)m->authorship);
|
2013-11-05 07:28:03 +00:00
|
|
|
}
|
2012-05-15 07:54:25 +00:00
|
|
|
|
2013-11-05 07:28:03 +00:00
|
|
|
/* If the given bundle secret key corresponds to the bundle's ID (public key) then store it in the
|
|
|
|
|
* manifest structure and mark the secret key as known. Return 1 if the secret key was assigned,
|
|
|
|
|
* 0 if not.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
2013-11-05 07:28:03 +00:00
|
|
|
* This function should only be called on a manifest that already has a public key (ID) and does
|
|
|
|
|
* not have a known secret key.
|
|
|
|
|
*
|
2012-10-11 07:28:24 +00:00
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
|
|
|
|
*/
|
2013-11-05 07:28:03 +00:00
|
|
|
int rhizome_apply_bundle_secret(rhizome_manifest *m, const rhizome_bk_t *bsk)
|
2012-05-15 10:34:41 +00:00
|
|
|
{
|
2013-11-05 07:28:03 +00:00
|
|
|
IN();
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "manifest[%d] bsk=%s", m->manifest_record_number, bsk ? alloca_tohex_rhizome_bk_t(*bsk) : "NULL");
|
2013-11-05 07:28:03 +00:00
|
|
|
assert(m->haveSecret == SECRET_UNKNOWN);
|
|
|
|
|
assert(is_all_matching(m->cryptoSignSecret, sizeof m->cryptoSignSecret, 0));
|
2013-12-19 08:39:53 +00:00
|
|
|
assert(m->has_id);
|
2013-11-05 07:28:03 +00:00
|
|
|
assert(bsk != NULL);
|
|
|
|
|
assert(!rhizome_is_bk_none(bsk));
|
|
|
|
|
if (rhizome_verify_bundle_privatekey(bsk->binary, m->cryptoSignPublic.binary)) {
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUG(rhizome, "bundle secret verifies ok");
|
Refactor manifest: specific setter functions
Replace generic rhizome_manifest_set() and rhizome_manifest_set_ll()
with per-field setter functions, eg, rhizome_manifest_set_filesize().
Struct rhizome_manifest elements for all known fields, to replace the
use of rhizome_manifest_get() and rhizome_manifest_get_ll() everywhere:
sender, recipient, service, name, date, bundle_key.
Add boolean validity flags for binary blob types, to avoid having to compare
with many bytes of all-zero to detect presence, eg, has_sender, has_recipient,
has_author, has_bundle_key. These maintained by the setter functions.
Rename existing manifest struct elements to be the same as their field
names: fileLength -> filesize, journalTail -> tail.
More use of unsigned int, size_t and uint64_t for payload sizes, offsets, byte
counts, etc. especially in rhizome_store.c and meshms.c. More uniform use of
size_t to dimension memory buffers. Fix some printf(3) style format strings
for 64-bit correctness on 32-bit systems. Use new constant RHIZOME_SIZE_UNSET
instead of -1 to indicate unknown dimension, and explicitly assert its absence
before comparisons and arithmetic, for safety.
Replace some 'int' loop variables with 'unsigned' where appropriate.
Fix bugs discovered in MeshMS bundle private/public key generation and
bundle secret key handling for export/extract commands.
Instrument the first MeshMS test case to aid debugging.
New debug config flag: debug.manifest logs all modifications to all manifest
fields by setter functions.
Rename debug config flag: debug.rhizome_bind -> debug.rhizome_sql_bind.
2013-10-30 12:52:19 +00:00
|
|
|
bcopy(bsk->binary, m->cryptoSignSecret, sizeof bsk->binary);
|
|
|
|
|
bcopy(m->cryptoSignPublic.binary, m->cryptoSignSecret + sizeof bsk->binary, sizeof m->cryptoSignPublic.binary);
|
2013-10-30 02:44:26 +00:00
|
|
|
m->haveSecret = EXISTING_BUNDLE_ID;
|
2013-11-05 07:28:03 +00:00
|
|
|
RETURN(1);
|
2012-10-15 03:31:48 +00:00
|
|
|
}
|
2013-11-05 07:28:03 +00:00
|
|
|
RETURN(0);
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
2012-06-08 08:55:43 +00:00
|
|
|
}
|
|
|
|
|
|
2015-11-09 04:43:21 +00:00
|
|
|
/* Return true if the bundle's BK field combined with the given Rhizome Secret produces the bundle's
|
|
|
|
|
* secret key.
|
|
|
|
|
*
|
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
|
|
|
|
*/
|
|
|
|
|
static int rhizome_secret_yields_bundle_secret(rhizome_manifest *m, const unsigned char *rs, size_t rs_len) {
|
|
|
|
|
assert(m->has_bundle_key);
|
|
|
|
|
if (rs_len < 16 || rs_len > 1024) {
|
|
|
|
|
// should a bad key be fatal??
|
|
|
|
|
WARNF("invalid Rhizome Secret: length=%zu", rs_len);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
unsigned char *secretp = m->haveSecret ? alloca(sizeof m->cryptoSignSecret) : m->cryptoSignSecret;
|
|
|
|
|
if (rhizome_bk2secret(&m->cryptoSignPublic, rs, rs_len, m->bundle_key.binary, secretp) == 0) {
|
|
|
|
|
if (m->haveSecret && memcmp(secretp, m->cryptoSignSecret, sizeof m->cryptoSignSecret) != 0)
|
|
|
|
|
FATALF("Bundle secret does not match derived secret");
|
|
|
|
|
return 1; // success
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
/* Discover if the given manifest was created (signed) by any unlocked identity currently in the
|
|
|
|
|
* keyring.
|
|
|
|
|
*
|
2013-11-05 07:28:03 +00:00
|
|
|
* If the authorship is already known (ie, not ANONYMOUS) then returns without changing anything.
|
|
|
|
|
* That means this function can be called several times on the same manifest, but will only perform
|
|
|
|
|
* any work the first time.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
2013-11-05 07:28:03 +00:00
|
|
|
* If the manifest has no bundle key (BK) field, then it is anonymous, so leaves 'authorship'
|
|
|
|
|
* unchanged and returns.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
2013-11-05 07:28:03 +00:00
|
|
|
* If an identity is found in the keyring with permission to alter the bundle, then sets the
|
|
|
|
|
* manifest 'authorship' field to AUTHOR_AUTHENTIC, the 'author' field to the SID of the identity,
|
|
|
|
|
* the manifest 'cryptoSignSecret' field to the bundle secret key and the 'haveSecret' field to
|
|
|
|
|
* EXISTING_BUNDLE_ID.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
2013-11-05 07:28:03 +00:00
|
|
|
* If no identity is found in the keyring that combines with the bundle key (BK) field to yield
|
|
|
|
|
* the bundle's secret key, then leaves the manifest 'authorship' field as ANONYMOUS.
|
|
|
|
|
*
|
|
|
|
|
* If an error occurs, eg, the keyring contains an invalid Rhizome Secret or a cryptographic
|
|
|
|
|
* operation fails, then sets the 'authorship' field to AUTHENTICATION_ERROR and leaves the
|
|
|
|
|
* 'author', 'haveSecret' and 'cryptoSignSecret' fields unchanged.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
2012-06-08 08:55:43 +00:00
|
|
|
*/
|
2013-11-05 07:28:03 +00:00
|
|
|
void rhizome_find_bundle_author_and_secret(rhizome_manifest *m)
|
2012-06-08 08:55:43 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "Finding author and secret for bid=%s", m->has_id ? alloca_tohex_rhizome_bid_t(m->cryptoSignPublic) : "(none)");
|
2014-11-14 02:31:44 +00:00
|
|
|
if (m->authorship != ANONYMOUS) {
|
2015-11-09 04:43:21 +00:00
|
|
|
DEBUGF(rhizome, " bundle author already found");
|
2013-11-05 07:28:03 +00:00
|
|
|
RETURNVOID;
|
2014-11-14 02:31:44 +00:00
|
|
|
}
|
2013-11-05 07:28:03 +00:00
|
|
|
assert(is_sid_t_any(m->author));
|
2014-11-14 02:31:44 +00:00
|
|
|
if (!m->has_bundle_key) {
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, " bundle has no BK field");
|
2013-11-05 07:28:03 +00:00
|
|
|
RETURNVOID;
|
2014-11-14 02:31:44 +00:00
|
|
|
}
|
2015-11-09 04:43:21 +00:00
|
|
|
// Optimisation: try 'sender' SID first, if present.
|
|
|
|
|
const sid_t *author_sidp = NULL;
|
|
|
|
|
const unsigned char *sender_rs = NULL;
|
|
|
|
|
if (m->has_sender) {
|
|
|
|
|
size_t rs_len;
|
|
|
|
|
enum rhizome_secret_disposition d = find_rhizome_secret(&m->sender, &rs_len, &sender_rs);
|
|
|
|
|
switch (d) {
|
|
|
|
|
case FOUND_RHIZOME_SECRET:
|
|
|
|
|
DEBUGF(rhizome, " sender has Rhizome secret");
|
|
|
|
|
if (rhizome_secret_yields_bundle_secret(m, sender_rs, rs_len)) {
|
|
|
|
|
DEBUGF(rhizome, " ... that matches!");
|
|
|
|
|
author_sidp = &m->sender;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case IDENTITY_NOT_FOUND:
|
|
|
|
|
DEBUGF(rhizome, " sender not found");
|
|
|
|
|
break;
|
|
|
|
|
case IDENTITY_HAS_NO_RHIZOME_SECRET:
|
|
|
|
|
DEBUGF(rhizome, " sender has no Rhizome secret");
|
|
|
|
|
break;
|
2014-10-31 03:13:23 +00:00
|
|
|
}
|
2015-11-09 04:43:21 +00:00
|
|
|
}
|
|
|
|
|
// If 'sender' SID does not work, try all the other identities in the keyring.
|
|
|
|
|
if (!author_sidp) {
|
|
|
|
|
keyring_iterator it;
|
|
|
|
|
keyring_iterator_start(keyring, &it);
|
|
|
|
|
keypair *kp;
|
|
|
|
|
while ((kp = keyring_next_keytype(&it, KEYTYPE_RHIZOME))) {
|
|
|
|
|
if (kp->private_key == sender_rs)
|
|
|
|
|
continue; // don't try the same identity again
|
|
|
|
|
if (rhizome_secret_yields_bundle_secret(m, kp->private_key, kp->private_key_len)) {
|
|
|
|
|
DEBUGF(rhizome, " found matching Rhizome secret!");
|
|
|
|
|
keypair *kp_sid = keyring_identity_keytype(it.identity, KEYTYPE_CRYPTOBOX);
|
|
|
|
|
if (kp_sid)
|
|
|
|
|
author_sidp = (const sid_t *) kp_sid->public_key;
|
|
|
|
|
else
|
|
|
|
|
DEBUGF(rhizome, " ... but its identity has no SID");
|
|
|
|
|
break;
|
2012-06-08 08:55:43 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-11-09 04:43:21 +00:00
|
|
|
if (author_sidp) {
|
|
|
|
|
m->haveSecret = EXISTING_BUNDLE_ID;
|
|
|
|
|
DEBUGF(rhizome, " found bundle author sid=%s", alloca_tohex_sid_t(*author_sidp));
|
|
|
|
|
rhizome_manifest_set_author(m, author_sidp);
|
|
|
|
|
m->authorship = AUTHOR_AUTHENTIC;
|
|
|
|
|
// if this bundle is already in the database, update the author.
|
|
|
|
|
if (m->rowid)
|
|
|
|
|
sqlite_exec_void_loglevel(LOG_LEVEL_WARN,
|
|
|
|
|
"UPDATE MANIFESTS SET author = ? WHERE rowid = ?;",
|
|
|
|
|
SID_T, &m->author,
|
|
|
|
|
INT64, m->rowid,
|
|
|
|
|
END);
|
|
|
|
|
} else {
|
|
|
|
|
DEBUG(rhizome, " bundle author not found");
|
|
|
|
|
assert(m->authorship == ANONYMOUS);
|
|
|
|
|
}
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
2012-06-05 04:28:59 +00:00
|
|
|
}
|
2012-05-15 10:34:41 +00:00
|
|
|
|
2013-11-05 07:28:03 +00:00
|
|
|
/* Verify the validity of a given secret manifest key. Return 1 if valid, 0 if not.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
2012-10-09 16:37:49 +00:00
|
|
|
* There is no NaCl API to efficiently test this. We use a modified version of
|
|
|
|
|
* crypto_sign_keypair() to accomplish this task.
|
2012-06-05 04:28:59 +00:00
|
|
|
*/
|
2013-11-05 07:28:03 +00:00
|
|
|
int rhizome_verify_bundle_privatekey(const unsigned char *sk, const unsigned char *pkin)
|
2012-06-05 04:28:59 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2013-11-05 07:28:03 +00:00
|
|
|
rhizome_bid_t pk;
|
2015-03-23 07:01:06 +00:00
|
|
|
crypto_sign_compute_public_key(sk, pk.binary);
|
|
|
|
|
RETURN(bcmp(pkin, pk.binary, sizeof pk.binary) == 0);
|
2012-05-15 10:34:41 +00:00
|
|
|
}
|
|
|
|
|
|
2013-11-05 07:28:03 +00:00
|
|
|
int rhizome_sign_hash(rhizome_manifest *m, rhizome_signature *out)
|
2012-05-15 07:54:25 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2013-11-05 07:28:03 +00:00
|
|
|
assert(m->haveSecret);
|
|
|
|
|
int ret = rhizome_sign_hash_with_key(m, m->cryptoSignSecret, m->cryptoSignPublic.binary, out);
|
2013-01-03 05:42:24 +00:00
|
|
|
RETURN(ret);
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
2012-10-09 16:37:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
int rhizome_sign_hash_with_key(rhizome_manifest *m,const unsigned char *sk,
|
|
|
|
|
const unsigned char *pk,rhizome_signature *out)
|
|
|
|
|
{
|
|
|
|
|
IN();
|
2012-10-11 07:28:24 +00:00
|
|
|
unsigned char signatureBuffer[crypto_sign_edwards25519sha512batch_BYTES + crypto_hash_sha512_BYTES];
|
2012-10-09 16:37:49 +00:00
|
|
|
unsigned char *hash = m->manifesthash;
|
2012-10-11 07:28:24 +00:00
|
|
|
unsigned long long sigLen = 0;
|
|
|
|
|
int mLen = crypto_hash_sha512_BYTES;
|
2012-10-09 16:37:49 +00:00
|
|
|
int r = crypto_sign_edwards25519sha512batch(signatureBuffer, &sigLen, &hash[0], mLen, sk);
|
2012-10-11 07:28:24 +00:00
|
|
|
if (r)
|
2013-11-28 07:14:37 +00:00
|
|
|
RETURN(WHY("crypto_sign_edwards25519sha512batch() failed"));
|
2012-01-12 03:38:24 +00:00
|
|
|
/* Here we use knowledge of the internal structure of the signature block
|
|
|
|
|
to remove the hash, since that is implicitly transported, thus reducing the
|
|
|
|
|
actual signature size down to 64 bytes.
|
|
|
|
|
We do then need to add the public key of the signatory on. */
|
2012-10-09 16:37:49 +00:00
|
|
|
bcopy(signatureBuffer, &out->signature[1], 64);
|
|
|
|
|
bcopy(pk, &out->signature[65], crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
2012-10-11 07:28:24 +00:00
|
|
|
out->signatureLength = 65 + crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES;
|
2012-10-29 05:37:42 +00:00
|
|
|
out->signature[0] = 0x17; // CryptoSign
|
2012-10-11 07:28:24 +00:00
|
|
|
RETURN(0);
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
|
|
|
|
|
2012-06-26 11:51:46 +00:00
|
|
|
typedef struct manifest_signature_block_cache {
|
|
|
|
|
unsigned char manifest_hash[crypto_hash_sha512_BYTES];
|
|
|
|
|
unsigned char signature_bytes[256];
|
|
|
|
|
int signature_length;
|
|
|
|
|
int signature_valid;
|
|
|
|
|
} manifest_signature_block_cache;
|
|
|
|
|
|
|
|
|
|
#define SIG_CACHE_SIZE 1024
|
|
|
|
|
manifest_signature_block_cache sig_cache[SIG_CACHE_SIZE];
|
|
|
|
|
|
2013-12-27 18:56:22 +00:00
|
|
|
static int rhizome_manifest_lookup_signature_validity(const unsigned char *hash, const unsigned char *sig, int sig_len)
|
2012-06-26 11:51:46 +00:00
|
|
|
{
|
|
|
|
|
IN();
|
|
|
|
|
unsigned int slot=0;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for(i=0;i<crypto_hash_sha512_BYTES;i++) {
|
|
|
|
|
slot=(slot<<1)+(slot&0x80000000?1:0);
|
|
|
|
|
slot+=hash[i];
|
|
|
|
|
}
|
|
|
|
|
for(i=0;i<sig_len;i++) {
|
|
|
|
|
slot=(slot<<1)+(slot&0x80000000?1:0);
|
|
|
|
|
slot+=sig[i];
|
|
|
|
|
}
|
|
|
|
|
slot%=SIG_CACHE_SIZE;
|
|
|
|
|
|
2013-09-24 04:52:37 +00:00
|
|
|
if (sig_cache[slot].signature_length!=sig_len ||
|
|
|
|
|
memcmp(hash, sig_cache[slot].manifest_hash, crypto_hash_sha512_BYTES) ||
|
|
|
|
|
memcmp(sig, sig_cache[slot].signature_bytes, sig_len)){
|
|
|
|
|
bcopy(hash, sig_cache[slot].manifest_hash, crypto_hash_sha512_BYTES);
|
|
|
|
|
bcopy(sig, sig_cache[slot].signature_bytes, sig_len);
|
|
|
|
|
sig_cache[slot].signature_length=sig_len;
|
2012-06-26 11:51:46 +00:00
|
|
|
|
|
|
|
|
unsigned char sigBuf[256];
|
|
|
|
|
unsigned char verifyBuf[256];
|
|
|
|
|
unsigned char publicKey[256];
|
|
|
|
|
|
|
|
|
|
/* Reconstitute signature by putting manifest hash between the two
|
|
|
|
|
32-byte halves */
|
2012-10-09 16:37:49 +00:00
|
|
|
bcopy(&sig[0],&sigBuf[0],64);
|
|
|
|
|
bcopy(hash,&sigBuf[64],crypto_hash_sha512_BYTES);
|
2012-06-26 11:51:46 +00:00
|
|
|
|
|
|
|
|
/* Get public key of signatory */
|
|
|
|
|
bcopy(&sig[64],&publicKey[0],crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
|
|
|
|
|
|
|
|
|
unsigned long long mlen=0;
|
2013-09-24 04:52:37 +00:00
|
|
|
sig_cache[slot].signature_valid=
|
2012-06-26 11:51:46 +00:00
|
|
|
crypto_sign_edwards25519sha512batch_open(verifyBuf,&mlen,&sigBuf[0],128,
|
|
|
|
|
publicKey)
|
|
|
|
|
? -1 : 0;
|
|
|
|
|
}
|
2013-09-24 04:52:37 +00:00
|
|
|
RETURN(sig_cache[slot].signature_valid);
|
2013-02-16 17:47:24 +00:00
|
|
|
OUT();
|
2012-06-26 11:51:46 +00:00
|
|
|
}
|
|
|
|
|
|
2013-10-30 03:15:51 +00:00
|
|
|
int rhizome_manifest_extract_signature(rhizome_manifest *m, unsigned *ofs)
|
2012-01-12 03:38:24 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome_manifest, "*ofs=%u m->manifest_all_bytes=%zu", *ofs, m->manifest_all_bytes);
|
2013-11-28 07:14:37 +00:00
|
|
|
assert((*ofs) < m->manifest_all_bytes);
|
|
|
|
|
const unsigned char *sig = m->manifestdata + *ofs;
|
2013-10-30 03:15:51 +00:00
|
|
|
uint8_t sigType = m->manifestdata[*ofs];
|
|
|
|
|
uint8_t len = (sigType << 2) + 4 + 1;
|
2013-11-28 07:14:37 +00:00
|
|
|
if (*ofs + len > m->manifest_all_bytes) {
|
|
|
|
|
WARNF("Invalid signature at offset %u: type=%#02x gives len=%u that overruns manifest size",
|
|
|
|
|
*ofs, sigType, len);
|
2014-04-29 05:38:02 +00:00
|
|
|
*ofs = m->manifest_all_bytes;
|
2013-11-28 07:14:37 +00:00
|
|
|
RETURN(1);
|
|
|
|
|
}
|
|
|
|
|
*ofs += len;
|
|
|
|
|
assert (m->sig_count <= NELS(m->signatories));
|
|
|
|
|
if (m->sig_count == NELS(m->signatories)) {
|
|
|
|
|
WARN("Too many signature blocks in manifest");
|
|
|
|
|
RETURN(2);
|
|
|
|
|
}
|
|
|
|
|
switch (sigType) {
|
|
|
|
|
case 0x17: // crypto_sign_edwards25519sha512batch()
|
2012-01-12 03:38:24 +00:00
|
|
|
{
|
2013-11-28 07:14:37 +00:00
|
|
|
assert(len == 97);
|
|
|
|
|
/* Reconstitute signature block */
|
|
|
|
|
int r = rhizome_manifest_lookup_signature_validity(m->manifesthash, sig + 1, 96);
|
|
|
|
|
if (r) {
|
|
|
|
|
WARN("Signature verification failed");
|
|
|
|
|
RETURN(4);
|
|
|
|
|
}
|
|
|
|
|
m->signatureTypes[m->sig_count] = len;
|
|
|
|
|
if ((m->signatories[m->sig_count] = emalloc(crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES)) == NULL)
|
|
|
|
|
RETURN(-1);
|
|
|
|
|
bcopy(sig + 1 + 64, m->signatories[m->sig_count], crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
|
|
|
|
m->sig_count++;
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUG(rhizome, "Signature verified");
|
2013-11-28 07:14:37 +00:00
|
|
|
RETURN(0);
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
2013-11-28 07:14:37 +00:00
|
|
|
}
|
2013-12-06 01:40:08 +00:00
|
|
|
WARNF("Unsupported signature at ofs=%u: type=%#02x", (unsigned)(sig - m->manifestdata), sigType);
|
2013-11-28 07:14:37 +00:00
|
|
|
RETURN(3);
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
2012-12-21 00:23:47 +00:00
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
// add value to nonce, with the same result regardless of CPU endian order
|
|
|
|
|
// allowing for any carry value up to the size of the whole nonce
|
Refactor manifest: specific setter functions
Replace generic rhizome_manifest_set() and rhizome_manifest_set_ll()
with per-field setter functions, eg, rhizome_manifest_set_filesize().
Struct rhizome_manifest elements for all known fields, to replace the
use of rhizome_manifest_get() and rhizome_manifest_get_ll() everywhere:
sender, recipient, service, name, date, bundle_key.
Add boolean validity flags for binary blob types, to avoid having to compare
with many bytes of all-zero to detect presence, eg, has_sender, has_recipient,
has_author, has_bundle_key. These maintained by the setter functions.
Rename existing manifest struct elements to be the same as their field
names: fileLength -> filesize, journalTail -> tail.
More use of unsigned int, size_t and uint64_t for payload sizes, offsets, byte
counts, etc. especially in rhizome_store.c and meshms.c. More uniform use of
size_t to dimension memory buffers. Fix some printf(3) style format strings
for 64-bit correctness on 32-bit systems. Use new constant RHIZOME_SIZE_UNSET
instead of -1 to indicate unknown dimension, and explicitly assert its absence
before comparisons and arithmetic, for safety.
Replace some 'int' loop variables with 'unsigned' where appropriate.
Fix bugs discovered in MeshMS bundle private/public key generation and
bundle secret key handling for export/extract commands.
Instrument the first MeshMS test case to aid debugging.
New debug config flag: debug.manifest logs all modifications to all manifest
fields by setter functions.
Rename debug config flag: debug.rhizome_bind -> debug.rhizome_sql_bind.
2013-10-30 12:52:19 +00:00
|
|
|
static void add_nonce(unsigned char *nonce, uint64_t value)
|
|
|
|
|
{
|
2013-01-02 04:35:22 +00:00
|
|
|
int i=crypto_stream_xsalsa20_NONCEBYTES -1;
|
|
|
|
|
while(i>=0 && value>0){
|
|
|
|
|
int x = nonce[i]+(value & 0xFF);
|
|
|
|
|
nonce[i]=x&0xFF;
|
|
|
|
|
value = (value>>8)+(x>>8);
|
|
|
|
|
i--;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-12-30 05:29:59 +00:00
|
|
|
/* Encrypt a block of a stream in-place, allowing for offsets that don't align perfectly to block
|
|
|
|
|
* boundaries for efficiency the caller should use a buffer size of (n*RHIZOME_CRYPT_PAGE_SIZE).
|
2013-01-02 04:35:22 +00:00
|
|
|
*/
|
Refactor manifest: specific setter functions
Replace generic rhizome_manifest_set() and rhizome_manifest_set_ll()
with per-field setter functions, eg, rhizome_manifest_set_filesize().
Struct rhizome_manifest elements for all known fields, to replace the
use of rhizome_manifest_get() and rhizome_manifest_get_ll() everywhere:
sender, recipient, service, name, date, bundle_key.
Add boolean validity flags for binary blob types, to avoid having to compare
with many bytes of all-zero to detect presence, eg, has_sender, has_recipient,
has_author, has_bundle_key. These maintained by the setter functions.
Rename existing manifest struct elements to be the same as their field
names: fileLength -> filesize, journalTail -> tail.
More use of unsigned int, size_t and uint64_t for payload sizes, offsets, byte
counts, etc. especially in rhizome_store.c and meshms.c. More uniform use of
size_t to dimension memory buffers. Fix some printf(3) style format strings
for 64-bit correctness on 32-bit systems. Use new constant RHIZOME_SIZE_UNSET
instead of -1 to indicate unknown dimension, and explicitly assert its absence
before comparisons and arithmetic, for safety.
Replace some 'int' loop variables with 'unsigned' where appropriate.
Fix bugs discovered in MeshMS bundle private/public key generation and
bundle secret key handling for export/extract commands.
Instrument the first MeshMS test case to aid debugging.
New debug config flag: debug.manifest logs all modifications to all manifest
fields by setter functions.
Rename debug config flag: debug.rhizome_bind -> debug.rhizome_sql_bind.
2013-10-30 12:52:19 +00:00
|
|
|
int rhizome_crypt_xor_block(unsigned char *buffer, size_t buffer_size, uint64_t stream_offset,
|
|
|
|
|
const unsigned char *key, const unsigned char *nonce)
|
|
|
|
|
{
|
|
|
|
|
uint64_t nonce_offset = stream_offset & ~(RHIZOME_CRYPT_PAGE_SIZE -1);
|
2013-10-17 12:47:41 +00:00
|
|
|
size_t offset=0;
|
2012-12-21 00:23:47 +00:00
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
unsigned char block_nonce[crypto_stream_xsalsa20_NONCEBYTES];
|
|
|
|
|
bcopy(nonce, block_nonce, sizeof(block_nonce));
|
|
|
|
|
add_nonce(block_nonce, nonce_offset);
|
|
|
|
|
|
2012-12-21 00:23:47 +00:00
|
|
|
if (nonce_offset < stream_offset){
|
2013-10-17 12:47:41 +00:00
|
|
|
size_t padding = stream_offset & (RHIZOME_CRYPT_PAGE_SIZE -1);
|
|
|
|
|
size_t size = RHIZOME_CRYPT_PAGE_SIZE - padding;
|
2012-12-21 00:23:47 +00:00
|
|
|
if (size>buffer_size)
|
|
|
|
|
size=buffer_size;
|
|
|
|
|
|
|
|
|
|
unsigned char temp[RHIZOME_CRYPT_PAGE_SIZE];
|
|
|
|
|
bcopy(buffer, temp + padding, size);
|
2013-07-19 06:45:05 +00:00
|
|
|
crypto_stream_xsalsa20_xor(temp, temp, size+padding, block_nonce, key);
|
|
|
|
|
bcopy(temp + padding, buffer, size);
|
2012-12-21 00:23:47 +00:00
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
add_nonce(block_nonce, RHIZOME_CRYPT_PAGE_SIZE);
|
2012-12-21 00:23:47 +00:00
|
|
|
offset+=size;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while(offset < buffer_size){
|
2013-10-17 12:47:41 +00:00
|
|
|
size_t size = buffer_size - offset;
|
2012-12-21 00:23:47 +00:00
|
|
|
if (size>RHIZOME_CRYPT_PAGE_SIZE)
|
|
|
|
|
size=RHIZOME_CRYPT_PAGE_SIZE;
|
|
|
|
|
|
2013-10-17 12:47:41 +00:00
|
|
|
crypto_stream_xsalsa20_xor(buffer+offset, buffer+offset, (unsigned long long) size, block_nonce, key);
|
2012-12-21 00:23:47 +00:00
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
add_nonce(block_nonce, RHIZOME_CRYPT_PAGE_SIZE);
|
2012-12-21 00:23:47 +00:00
|
|
|
offset+=size;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2013-01-03 05:42:24 +00:00
|
|
|
|
2013-12-27 18:56:22 +00:00
|
|
|
/* If payload key is known, sets m->payloadKey and m->payloadNonce and returns 1.
|
|
|
|
|
* Otherwise, returns 0;
|
|
|
|
|
*/
|
2013-11-05 07:28:03 +00:00
|
|
|
int rhizome_derive_payload_key(rhizome_manifest *m)
|
2013-01-03 05:42:24 +00:00
|
|
|
{
|
2013-12-27 18:56:22 +00:00
|
|
|
assert(m->payloadEncryption == PAYLOAD_ENCRYPTED);
|
2013-12-30 05:29:59 +00:00
|
|
|
unsigned char hash[crypto_hash_sha512_BYTES];
|
|
|
|
|
if (m->has_sender && m->has_recipient) {
|
2013-01-03 05:42:24 +00:00
|
|
|
unsigned char *nm_bytes=NULL;
|
2014-10-31 03:13:23 +00:00
|
|
|
keyring_iterator it;
|
|
|
|
|
keyring_iterator_start(keyring, &it);
|
|
|
|
|
|
|
|
|
|
if (!keyring_find_sid(&it, &m->sender)){
|
|
|
|
|
keyring_iterator_start(keyring, &it);
|
|
|
|
|
if (!keyring_find_sid(&it, &m->recipient)){
|
2013-12-27 18:56:22 +00:00
|
|
|
WARNF("Neither sender=%s nor recipient=%s is in keyring",
|
Refactor manifest: specific setter functions
Replace generic rhizome_manifest_set() and rhizome_manifest_set_ll()
with per-field setter functions, eg, rhizome_manifest_set_filesize().
Struct rhizome_manifest elements for all known fields, to replace the
use of rhizome_manifest_get() and rhizome_manifest_get_ll() everywhere:
sender, recipient, service, name, date, bundle_key.
Add boolean validity flags for binary blob types, to avoid having to compare
with many bytes of all-zero to detect presence, eg, has_sender, has_recipient,
has_author, has_bundle_key. These maintained by the setter functions.
Rename existing manifest struct elements to be the same as their field
names: fileLength -> filesize, journalTail -> tail.
More use of unsigned int, size_t and uint64_t for payload sizes, offsets, byte
counts, etc. especially in rhizome_store.c and meshms.c. More uniform use of
size_t to dimension memory buffers. Fix some printf(3) style format strings
for 64-bit correctness on 32-bit systems. Use new constant RHIZOME_SIZE_UNSET
instead of -1 to indicate unknown dimension, and explicitly assert its absence
before comparisons and arithmetic, for safety.
Replace some 'int' loop variables with 'unsigned' where appropriate.
Fix bugs discovered in MeshMS bundle private/public key generation and
bundle secret key handling for export/extract commands.
Instrument the first MeshMS test case to aid debugging.
New debug config flag: debug.manifest logs all modifications to all manifest
fields by setter functions.
Rename debug config flag: debug.rhizome_bind -> debug.rhizome_sql_bind.
2013-10-30 12:52:19 +00:00
|
|
|
alloca_tohex_sid_t(m->sender),
|
|
|
|
|
alloca_tohex_sid_t(m->recipient));
|
2013-12-27 18:56:22 +00:00
|
|
|
return 0;
|
2013-01-03 05:42:24 +00:00
|
|
|
}
|
2013-12-30 05:29:59 +00:00
|
|
|
nm_bytes = keyring_get_nm_bytes(&m->recipient, &m->sender);
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "derived payload key from recipient=%s* to sender=%s*",
|
|
|
|
|
alloca_tohex_sid_t_trunc(m->recipient, 7),
|
|
|
|
|
alloca_tohex_sid_t_trunc(m->sender, 7)
|
2013-12-30 05:29:59 +00:00
|
|
|
);
|
2013-01-03 05:42:24 +00:00
|
|
|
}else{
|
2013-12-30 05:29:59 +00:00
|
|
|
nm_bytes = keyring_get_nm_bytes(&m->sender, &m->recipient);
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "derived payload key from sender=%s* to recipient=%s*",
|
|
|
|
|
alloca_tohex_sid_t_trunc(m->sender, 7),
|
|
|
|
|
alloca_tohex_sid_t_trunc(m->recipient, 7)
|
2013-12-30 05:29:59 +00:00
|
|
|
);
|
2013-01-03 05:42:24 +00:00
|
|
|
}
|
2013-12-27 18:56:22 +00:00
|
|
|
assert(nm_bytes != NULL);
|
2013-01-03 05:42:24 +00:00
|
|
|
crypto_hash_sha512(hash, nm_bytes, crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES);
|
|
|
|
|
|
|
|
|
|
}else{
|
2013-12-27 18:56:22 +00:00
|
|
|
if (!m->haveSecret) {
|
|
|
|
|
WHY("Cannot derive payload key because bundle secret is unknown");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "derived payload key from bundle secret bsk=%s", alloca_tohex(m->cryptoSignSecret, sizeof m->cryptoSignSecret));
|
2013-01-03 05:42:24 +00:00
|
|
|
unsigned char raw_key[9+crypto_sign_edwards25519sha512batch_SECRETKEYBYTES]="sasquatch";
|
|
|
|
|
bcopy(m->cryptoSignSecret, &raw_key[9], crypto_sign_edwards25519sha512batch_SECRETKEYBYTES);
|
|
|
|
|
crypto_hash_sha512(hash, raw_key, sizeof(raw_key));
|
|
|
|
|
}
|
2013-12-30 05:29:59 +00:00
|
|
|
bcopy(hash, m->payloadKey, RHIZOME_CRYPT_KEY_BYTES);
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome_manifest, "SET manifest[%d].payloadKey = %s", m->manifest_record_number, alloca_tohex(m->payloadKey, sizeof m->payloadKey));
|
2013-12-30 05:29:59 +00:00
|
|
|
|
2013-07-19 06:45:05 +00:00
|
|
|
// journal bundles must always have the same nonce, regardless of version.
|
|
|
|
|
// otherwise, generate nonce from version#bundle id#version;
|
2013-10-03 13:46:45 +00:00
|
|
|
unsigned char raw_nonce[8 + 8 + sizeof m->cryptoSignPublic.binary];
|
2013-12-30 05:29:59 +00:00
|
|
|
uint64_t nonce_version = m->is_journal ? 0 : m->version;
|
|
|
|
|
write_uint64(&raw_nonce[0], nonce_version);
|
2013-10-03 13:46:45 +00:00
|
|
|
bcopy(m->cryptoSignPublic.binary, &raw_nonce[8], sizeof m->cryptoSignPublic.binary);
|
2013-12-30 05:29:59 +00:00
|
|
|
write_uint64(&raw_nonce[8 + sizeof m->cryptoSignPublic.binary], nonce_version);
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome, "derived payload nonce from bid=%s version=%"PRIu64, alloca_tohex_sid_t(m->cryptoSignPublic), nonce_version);
|
2013-01-03 05:42:24 +00:00
|
|
|
crypto_hash_sha512(hash, raw_nonce, sizeof(raw_nonce));
|
|
|
|
|
bcopy(hash, m->payloadNonce, sizeof(m->payloadNonce));
|
2015-07-06 08:19:49 +00:00
|
|
|
DEBUGF(rhizome_manifest, "SET manifest[%d].payloadNonce = %s", m->manifest_record_number, alloca_tohex(m->payloadNonce, sizeof m->payloadNonce));
|
2013-12-27 18:56:22 +00:00
|
|
|
|
|
|
|
|
return 1;
|
2013-02-15 19:52:37 +00:00
|
|
|
}
|
