2012-01-12 03:38:24 +00:00
|
|
|
/*
|
|
|
|
Serval Distributed Numbering Architecture (DNA)
|
|
|
|
Copyright (C) 2010 Paul Gardner-Stephen
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or
|
|
|
|
modify it under the terms of the GNU General Public License
|
|
|
|
as published by the Free Software Foundation; either version 2
|
|
|
|
of the License, or (at your option) any later version.
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
|
|
along with this program; if not, write to the Free Software
|
|
|
|
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
|
|
|
|
*/
|
|
|
|
|
2012-02-23 02:15:42 +00:00
|
|
|
#include "serval.h"
|
2012-12-11 05:29:46 +00:00
|
|
|
#include "conf.h"
|
2012-11-07 06:12:45 +00:00
|
|
|
#include "str.h"
|
2012-01-12 03:38:24 +00:00
|
|
|
#include "rhizome.h"
|
|
|
|
#include <stdlib.h>
|
2012-05-02 06:33:09 +00:00
|
|
|
#include <ctype.h>
|
|
|
|
|
2012-05-28 05:15:54 +00:00
|
|
|
/* Work out the encrypt/decrypt key for the supplied manifest.
|
|
|
|
If the manifest is not encrypted, then return NULL.
|
|
|
|
*/
|
|
|
|
unsigned char *rhizome_bundle_shared_secret(rhizome_manifest *m)
|
|
|
|
{
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
|
2012-01-12 03:38:24 +00:00
|
|
|
int rhizome_manifest_createid(rhizome_manifest *m)
|
|
|
|
{
|
2013-01-03 00:48:30 +00:00
|
|
|
m->haveSecret=NEW_BUNDLE_ID;
|
2012-01-12 03:38:24 +00:00
|
|
|
int r=crypto_sign_edwards25519sha512batch_keypair(m->cryptoSignPublic,m->cryptoSignSecret);
|
2012-05-15 07:54:25 +00:00
|
|
|
if (!r) return 0;
|
2012-01-12 03:38:24 +00:00
|
|
|
return WHY("Failed to create keypair for manifest ID.");
|
|
|
|
}
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
/* Given a Rhizome Secret (RS) and bundle ID (BID), XOR a bundle key 'bkin' (private or public) with
|
2012-10-09 16:37:49 +00:00
|
|
|
* RS##BID. This derives the first 32-bytes of the secret key. The BID itself as
|
|
|
|
* public key is also the last 32-bytes of the secret key.
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
2012-10-09 16:37:49 +00:00
|
|
|
* @author Andrew Bettison <andrew@servalproject.org>
|
|
|
|
* @author Paul Gardner-Stephen <paul@servalproject.org>
|
2012-10-11 07:28:24 +00:00
|
|
|
*/
|
2012-10-09 16:37:49 +00:00
|
|
|
int rhizome_bk_xor_stream(
|
|
|
|
const unsigned char bid[crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES],
|
2012-10-11 07:28:24 +00:00
|
|
|
const unsigned char *rs,
|
2012-10-09 16:37:49 +00:00
|
|
|
const size_t rs_len,
|
|
|
|
unsigned char *xor_stream,
|
|
|
|
int xor_stream_byte_count)
|
2012-10-11 07:28:24 +00:00
|
|
|
{
|
|
|
|
IN();
|
2012-10-09 16:37:49 +00:00
|
|
|
if (rs_len<1||rs_len>65536) return WHY("rs_len invalid");
|
|
|
|
if (xor_stream_byte_count<1||xor_stream_byte_count>crypto_hash_sha512_BYTES)
|
|
|
|
RETURN(WHY("xor_stream_byte_count invalid"));
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
int combined_len = rs_len + crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES;
|
|
|
|
unsigned char buffer[combined_len];
|
|
|
|
bcopy(&rs[0], &buffer[0], rs_len);
|
|
|
|
bcopy(&bid[0], &buffer[rs_len], crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
|
|
|
unsigned char hash[crypto_hash_sha512_BYTES];
|
|
|
|
crypto_hash_sha512(hash,buffer,combined_len);
|
2012-10-09 16:37:49 +00:00
|
|
|
bcopy(hash,xor_stream,xor_stream_byte_count);
|
|
|
|
|
|
|
|
RETURN(0);
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
CryptoSign Secret Keys in cupercop-20120525 onwards have the public key as the
|
|
|
|
second half of the secret key. The public key is the BID, so this simplifies
|
|
|
|
the BK<-->SECRET conversion processes. */
|
|
|
|
int rhizome_bk2secret(rhizome_manifest *m,
|
|
|
|
const unsigned char bid[crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES],
|
|
|
|
const unsigned char *rs, const size_t rs_len,
|
|
|
|
/* The BK need only be the length of the secret half of the secret key */
|
|
|
|
const unsigned char bkin[RHIZOME_BUNDLE_KEY_BYTES],
|
|
|
|
unsigned char secret[crypto_sign_edwards25519sha512batch_SECRETKEYBYTES]
|
|
|
|
)
|
|
|
|
{
|
|
|
|
IN();
|
|
|
|
unsigned char xor_stream[RHIZOME_BUNDLE_KEY_BYTES];
|
|
|
|
if (rhizome_bk_xor_stream(bid,rs,rs_len,xor_stream,RHIZOME_BUNDLE_KEY_BYTES))
|
|
|
|
RETURN(WHY("rhizome_bk_xor_stream() failed"));
|
|
|
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
/* XOR and store secret part of secret key */
|
|
|
|
for(i = 0; i != RHIZOME_BUNDLE_KEY_BYTES; i++)
|
|
|
|
secret[i] = bkin[i] ^ xor_stream[i];
|
|
|
|
/* Copy BID as public-key part of secret key */
|
|
|
|
for(;i!=crypto_sign_edwards25519sha512batch_SECRETKEYBYTES;++i)
|
|
|
|
secret[i]=bid[i-RHIZOME_BUNDLE_KEY_BYTES];
|
|
|
|
|
|
|
|
bzero(xor_stream, sizeof xor_stream);
|
|
|
|
|
|
|
|
RETURN(rhizome_verify_bundle_privatekey(m,secret,bid));
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
int rhizome_secret2bk(
|
|
|
|
const unsigned char bid[crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES],
|
|
|
|
const unsigned char *rs, const size_t rs_len,
|
|
|
|
/* The BK need only be the length of the secret half of the secret key */
|
|
|
|
unsigned char bkout[RHIZOME_BUNDLE_KEY_BYTES],
|
|
|
|
const unsigned char secret[crypto_sign_edwards25519sha512batch_SECRETKEYBYTES]
|
|
|
|
)
|
|
|
|
{
|
|
|
|
IN();
|
|
|
|
unsigned char xor_stream[RHIZOME_BUNDLE_KEY_BYTES];
|
|
|
|
if (rhizome_bk_xor_stream(bid,rs,rs_len,xor_stream,RHIZOME_BUNDLE_KEY_BYTES))
|
|
|
|
RETURN(WHY("rhizome_bk_xor_stream() failed"));
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
int i;
|
2012-10-09 16:37:49 +00:00
|
|
|
|
|
|
|
/* XOR and store secret part of secret key */
|
|
|
|
for(i = 0; i != RHIZOME_BUNDLE_KEY_BYTES; i++)
|
|
|
|
bkout[i] = secret[i] ^ xor_stream[i];
|
|
|
|
|
|
|
|
bzero(xor_stream, sizeof xor_stream);
|
|
|
|
RETURN(0);
|
2012-10-11 07:28:24 +00:00
|
|
|
}
|
|
|
|
|
2012-10-09 16:37:49 +00:00
|
|
|
|
2012-10-15 08:03:44 +00:00
|
|
|
/* Given the SID of a bundle's author, search for an identity in the keyring and return its
|
|
|
|
* Rhizome secret if found.
|
|
|
|
*
|
|
|
|
* Returns -1 if an error occurs.
|
|
|
|
* Returns 0 if the author's rhizome secret is found; '*rs' is set to point to the secret key in the
|
|
|
|
* keyring, and '*rs_len' is set to the key length.
|
|
|
|
* Returns 2 if the author's identity is not in the keyring.
|
|
|
|
* Returns 3 if the author's identity is in the keyring but has no rhizome secret.
|
|
|
|
*
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
|
|
|
*/
|
|
|
|
int rhizome_find_secret(const unsigned char *authorSid, int *rs_len, const unsigned char **rs)
|
|
|
|
{
|
|
|
|
int cn=0, in=0, kp=0;
|
|
|
|
if (!keyring_find_sid(keyring,&cn,&in,&kp,authorSid)) {
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome)
|
2012-10-15 08:03:44 +00:00
|
|
|
DEBUGF("identity sid=%s is not in keyring", alloca_tohex_sid(authorSid));
|
|
|
|
return 2;
|
|
|
|
}
|
|
|
|
kp = keyring_identity_find_keytype(keyring, cn, in, KEYTYPE_RHIZOME);
|
|
|
|
if (kp == -1) {
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome)
|
2012-10-15 08:03:44 +00:00
|
|
|
DEBUGF("identity sid=%s has no Rhizome Secret", alloca_tohex_sid(authorSid));
|
|
|
|
return 3;
|
|
|
|
}
|
|
|
|
int rslen = keyring->contexts[cn]->identities[in]->keypairs[kp]->private_key_len;
|
|
|
|
if (rslen < 16 || rslen > 1024)
|
|
|
|
return WHYF("identity sid=%s has invalid Rhizome Secret: length=%d", alloca_tohex_sid(authorSid), rslen);
|
|
|
|
if (rs_len)
|
|
|
|
*rs_len = rslen;
|
|
|
|
if (rs)
|
|
|
|
*rs = keyring->contexts[cn]->identities[in]->keypairs[kp]->private_key;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
/* Given the SID of a bundle's author and the bundle ID, XOR a bundle key (private or public) with
|
|
|
|
* RS##BID where RS is the rhizome secret of the bundle's author, and BID is the bundle's public key
|
|
|
|
* (aka the Bundle ID).
|
|
|
|
*
|
|
|
|
* This will convert a manifest BK field into the bundle's private key, or vice versa.
|
|
|
|
*
|
|
|
|
* Returns -1 if an error occurs.
|
|
|
|
* Returns 0 if the author's private key is located and the XOR is performed successfully.
|
2012-10-15 08:03:44 +00:00
|
|
|
* Returns 2 if the author's identity is not in the keyring (this return code from
|
|
|
|
* rhizome_find_secret()).
|
|
|
|
* Returns 3 if the author's identity is in the keyring but has no rhizome secret (this return code
|
|
|
|
* from rhizome_find_secret()).
|
2012-10-11 07:28:24 +00:00
|
|
|
*
|
|
|
|
* Looks up the SID in the keyring, and if it is present and has a valid-looking RS, calls
|
|
|
|
* rhizome_bk_xor_rs() to perform the XOR.
|
|
|
|
*
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
|
|
|
*/
|
2012-05-15 07:54:25 +00:00
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
/* See if the manifest has a BK entry, and if so, use it to obtain the private key for the BID. The
|
|
|
|
* manifest's 'author' field must contain the (binary) SID of the purported author of the bundle,
|
|
|
|
* which is used to look up the author's rhizome secret in the keyring.
|
|
|
|
*
|
|
|
|
* Returns 0 if a valid private key was extracted, with the private key in the manifest
|
|
|
|
* 'cryptoSignSecret' field and the 'haveSecret' field set to 1.
|
|
|
|
*
|
|
|
|
* Returns 1 if the manifest does not have a BK field.
|
|
|
|
*
|
|
|
|
* Returns 2 if the author is not found in the keyring (not unlocked?) -- this return code from
|
|
|
|
* rhizome_bk_xor().
|
|
|
|
*
|
|
|
|
* Returns 3 if the author is found in the keyring but has no rhizome secret -- this return code
|
|
|
|
* from rhizome_bk_xor().
|
|
|
|
*
|
|
|
|
* Returns 4 if the author is found in the keyring and has a rhizome secret but the private bundle
|
|
|
|
* key formed using it does not verify.
|
|
|
|
*
|
|
|
|
* Returns -1 on error.
|
|
|
|
*
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
2012-10-09 16:37:49 +00:00
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
*/
|
2013-01-03 01:44:13 +00:00
|
|
|
int rhizome_extract_privatekey(rhizome_manifest *m, rhizome_bk_t *bsk)
|
2012-05-15 10:34:41 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2013-01-03 01:44:13 +00:00
|
|
|
unsigned char bkBytes[RHIZOME_BUNDLE_KEY_BYTES];
|
2012-05-16 05:49:24 +00:00
|
|
|
char *bk = rhizome_manifest_get(m, "BK", NULL, 0);
|
2013-01-07 06:16:09 +00:00
|
|
|
int result;
|
2013-01-03 01:44:13 +00:00
|
|
|
|
|
|
|
if (bk){
|
|
|
|
if (fromhexstr(bkBytes, bk, RHIZOME_BUNDLE_KEY_BYTES) == -1)
|
|
|
|
RETURN(WHYF("invalid BK field: %s", bk));
|
|
|
|
|
|
|
|
if (is_sid_any(m->author)) {
|
|
|
|
result=rhizome_find_bundle_author(m);
|
|
|
|
}else{
|
|
|
|
int rs_len;
|
|
|
|
const unsigned char *rs;
|
|
|
|
result = rhizome_find_secret(m->author, &rs_len, &rs);
|
2013-01-07 06:16:09 +00:00
|
|
|
if (result==0)
|
|
|
|
result = rhizome_bk2secret(m,m->cryptoSignPublic,rs,rs_len,
|
|
|
|
bkBytes,m->cryptoSignSecret);
|
2013-01-03 01:44:13 +00:00
|
|
|
}
|
|
|
|
|
2013-01-07 06:16:09 +00:00
|
|
|
if (result == 0 && bsk && !rhizome_is_bk_none(bsk)){
|
|
|
|
// If a bundle secret key was supplied that does not match the secret key derived from the
|
|
|
|
// author, then warn but carry on using the author's.
|
|
|
|
if (memcmp(bsk, m->cryptoSignSecret, RHIZOME_BUNDLE_KEY_BYTES) != 0)
|
|
|
|
WARNF("Supplied bundle secret key is invalid -- ignoring");
|
2013-01-03 01:44:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
}else if(bsk && !rhizome_is_bk_none(bsk)){
|
2013-01-04 00:14:07 +00:00
|
|
|
bcopy(m->cryptoSignPublic, &m->cryptoSignSecret[RHIZOME_BUNDLE_KEY_BYTES], sizeof(m->cryptoSignPublic));
|
|
|
|
bcopy(bsk, m->cryptoSignSecret, RHIZOME_BUNDLE_KEY_BYTES);
|
2013-01-07 06:16:09 +00:00
|
|
|
if (rhizome_verify_bundle_privatekey(m,m->cryptoSignSecret,
|
|
|
|
m->cryptoSignPublic))
|
|
|
|
result=5;
|
|
|
|
else
|
|
|
|
result=0;
|
|
|
|
}else{
|
|
|
|
result=1;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (result == 0){
|
|
|
|
m->haveSecret=EXISTING_BUNDLE_ID;
|
2013-01-03 01:44:13 +00:00
|
|
|
}else{
|
2013-01-07 06:16:09 +00:00
|
|
|
memset(m->cryptoSignSecret, 0, sizeof m->cryptoSignSecret);
|
|
|
|
m->haveSecret=0;
|
2012-10-15 03:31:48 +00:00
|
|
|
}
|
2013-01-07 06:16:09 +00:00
|
|
|
|
|
|
|
RETURN(result);
|
2012-06-08 08:55:43 +00:00
|
|
|
}
|
|
|
|
|
2013-01-03 05:42:24 +00:00
|
|
|
/* Same as rhizome_extract_privatekey, except warnings become errors and are logged */
|
|
|
|
int rhizome_extract_privatekey_required(rhizome_manifest *m, rhizome_bk_t *bsk)
|
|
|
|
{
|
|
|
|
int result = rhizome_extract_privatekey(m, bsk);
|
|
|
|
switch (result) {
|
|
|
|
case -1:
|
|
|
|
case 0:
|
|
|
|
return result;
|
|
|
|
case 1:
|
2013-01-07 06:16:09 +00:00
|
|
|
return WHY("Bundle contains no BK field, and no bundle secret supplied");
|
2013-01-03 05:42:24 +00:00
|
|
|
case 2:
|
|
|
|
return WHY("Author unknown");
|
|
|
|
case 3:
|
|
|
|
return WHY("Author does not have a Rhizome Secret");
|
|
|
|
case 4:
|
|
|
|
return WHY("Author does not have permission to modify manifest");
|
2013-01-07 06:16:09 +00:00
|
|
|
case 5:
|
|
|
|
return WHY("Bundle secret is not valid for this manifest");
|
2013-01-03 05:42:24 +00:00
|
|
|
default:
|
|
|
|
return WHYF("Unknown result from rhizome_extract_privatekey(): %d", result);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
/* Discover if the given manifest was created (signed) by any unlocked identity currently in the
|
|
|
|
* keyring.
|
|
|
|
*
|
|
|
|
* Returns 0 if an identity is found with permission to alter the bundle, after setting the manifest
|
|
|
|
* 'author' field to the SID of the identity and the manifest 'cryptoSignSecret' field to the bundle
|
|
|
|
* secret key and the 'haveSecret' field to 1.
|
|
|
|
*
|
|
|
|
* Returns 1 if no identity in the keyring is the author of this bundle.
|
|
|
|
*
|
|
|
|
* Returns 4 if the manifest has no BK field.
|
|
|
|
*
|
|
|
|
* Returns -1 if an error occurs, eg, the manifest contains an invalid BK field.
|
|
|
|
*
|
|
|
|
* @author Andrew Bettison <andrew@servalproject.com>
|
2012-06-08 08:55:43 +00:00
|
|
|
*/
|
2012-10-11 07:28:24 +00:00
|
|
|
int rhizome_find_bundle_author(rhizome_manifest *m)
|
2012-06-08 08:55:43 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2012-06-08 08:55:43 +00:00
|
|
|
char *bk = rhizome_manifest_get(m, "BK", NULL, 0);
|
|
|
|
if (!bk) {
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome)
|
2012-10-11 07:28:24 +00:00
|
|
|
DEBUGF("missing BK field");
|
|
|
|
RETURN(4);
|
2012-06-08 08:55:43 +00:00
|
|
|
}
|
|
|
|
unsigned char bkBytes[RHIZOME_BUNDLE_KEY_BYTES];
|
|
|
|
if (fromhexstr(bkBytes, bk, RHIZOME_BUNDLE_KEY_BYTES) == -1)
|
2012-10-11 07:28:24 +00:00
|
|
|
RETURN(WHYF("invalid BK field: %s", bk));
|
2012-06-08 08:55:43 +00:00
|
|
|
int cn = 0, in = 0, kp = 0;
|
|
|
|
for (; keyring_next_identity(keyring, &cn, &in, &kp); ++kp) {
|
|
|
|
const unsigned char *authorSid = keyring->contexts[cn]->identities[in]->keypairs[kp]->public_key;
|
2012-12-11 05:29:46 +00:00
|
|
|
//if (config.debug.rhizome) DEBUGF("try author identity sid=%s", alloca_tohex(authorSid, SID_SIZE));
|
2012-06-08 08:55:43 +00:00
|
|
|
int rkp = keyring_identity_find_keytype(keyring, cn, in, KEYTYPE_RHIZOME);
|
|
|
|
if (rkp != -1) {
|
2012-10-11 07:28:24 +00:00
|
|
|
int rs_len = keyring->contexts[cn]->identities[in]->keypairs[rkp]->private_key_len;
|
|
|
|
if (rs_len < 16 || rs_len > 1024)
|
|
|
|
RETURN(WHYF("invalid Rhizome Secret: length=%d", rs_len));
|
|
|
|
const unsigned char *rs = keyring->contexts[cn]->identities[in]->keypairs[rkp]->private_key;
|
2012-10-09 16:37:49 +00:00
|
|
|
|
|
|
|
if (!rhizome_bk2secret(m,m->cryptoSignPublic,rs,rs_len,
|
|
|
|
bkBytes,m->cryptoSignSecret)) {
|
2012-10-11 07:28:24 +00:00
|
|
|
memcpy(m->author, authorSid, sizeof m->author);
|
2013-01-03 00:48:30 +00:00
|
|
|
m->haveSecret=EXISTING_BUNDLE_ID;
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome)
|
2012-10-11 07:28:24 +00:00
|
|
|
DEBUGF("found bundle author sid=%s", alloca_tohex_sid(m->author));
|
2013-01-02 00:42:15 +00:00
|
|
|
|
|
|
|
// if this bundle is already in the database, update the author.
|
|
|
|
if (m->inserttime){
|
|
|
|
const char *id = rhizome_manifest_get(m, "id", NULL, 0);
|
|
|
|
if (sqlite_exec_void("UPDATE MANIFESTS SET author='%s' WHERE id='%s';", alloca_tohex_sid(m->author), id) == -1)
|
|
|
|
WARN("Error updating MANIFESTS author column");
|
|
|
|
}
|
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
RETURN(0); // bingo
|
2012-06-08 08:55:43 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome)
|
2012-10-11 07:28:24 +00:00
|
|
|
DEBUG("bundle author not found");
|
|
|
|
RETURN(1);
|
2012-06-05 04:28:59 +00:00
|
|
|
}
|
2012-05-15 10:34:41 +00:00
|
|
|
|
2012-10-11 07:28:24 +00:00
|
|
|
/* Verify the validity of the manifest's secret key, ie, is the given manifest's 'cryptoSignSecret'
|
|
|
|
* field actually the secret key corresponding to the public key in 'cryptoSignPublic'?
|
|
|
|
* Return 0 if valid, 1 if not. Return -1 if an error occurs.
|
|
|
|
*
|
2012-10-09 16:37:49 +00:00
|
|
|
* There is no NaCl API to efficiently test this. We use a modified version of
|
|
|
|
* crypto_sign_keypair() to accomplish this task.
|
2012-06-05 04:28:59 +00:00
|
|
|
*/
|
2012-10-09 16:37:49 +00:00
|
|
|
int rhizome_verify_bundle_privatekey(rhizome_manifest *m,
|
|
|
|
const unsigned char *sk,
|
|
|
|
const unsigned char *pkin)
|
2012-06-05 04:28:59 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2012-10-09 16:37:49 +00:00
|
|
|
|
|
|
|
#include "crypto_sign_edwards25519sha512batch.h"
|
2012-10-18 06:40:45 +00:00
|
|
|
#include "nacl/src/crypto_sign_edwards25519sha512batch_ref/ge.h"
|
2012-10-09 16:37:49 +00:00
|
|
|
|
|
|
|
unsigned char h[64];
|
|
|
|
unsigned char pk[32];
|
|
|
|
ge_p3 A;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
crypto_hash_sha512(h,sk,32);
|
|
|
|
h[0] &= 248;
|
|
|
|
h[31] &= 63;
|
|
|
|
h[31] |= 64;
|
|
|
|
|
|
|
|
ge_scalarmult_base(&A,h);
|
|
|
|
ge_p3_tobytes(pk,&A);
|
|
|
|
|
2012-11-16 02:50:32 +00:00
|
|
|
for (i = 0;i < 32;++i)
|
|
|
|
if (pkin[i] != pk[i]) {
|
2012-10-18 05:16:16 +00:00
|
|
|
if (m&&sk==m->cryptoSignSecret&&pkin==m->cryptoSignPublic)
|
2012-10-09 16:37:49 +00:00
|
|
|
m->haveSecret=0;
|
|
|
|
RETURN(-1);
|
|
|
|
}
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome)
|
2012-11-16 02:50:32 +00:00
|
|
|
DEBUGF("We have the private key for this bundle.");
|
2012-10-18 05:16:16 +00:00
|
|
|
if (m&&sk==m->cryptoSignSecret&&pkin==m->cryptoSignPublic) {
|
2013-01-03 00:48:30 +00:00
|
|
|
DEBUGF("Set haveSecret=%d in manifest",EXISTING_BUNDLE_ID);
|
|
|
|
m->haveSecret=EXISTING_BUNDLE_ID;
|
2012-06-05 04:28:59 +00:00
|
|
|
}
|
2012-10-09 16:37:49 +00:00
|
|
|
RETURN(0);
|
2012-05-15 10:34:41 +00:00
|
|
|
}
|
|
|
|
|
2012-10-09 16:37:49 +00:00
|
|
|
int rhizome_sign_hash(rhizome_manifest *m,
|
|
|
|
rhizome_signature *out)
|
2012-05-15 07:54:25 +00:00
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2013-01-03 05:42:24 +00:00
|
|
|
if (!m->haveSecret && rhizome_extract_privatekey_required(m, NULL))
|
|
|
|
RETURN(-1);
|
2012-10-09 16:37:49 +00:00
|
|
|
|
2013-01-03 05:42:24 +00:00
|
|
|
int ret=rhizome_sign_hash_with_key(m,m->cryptoSignSecret,m->cryptoSignPublic,out);
|
|
|
|
RETURN(ret);
|
2012-10-09 16:37:49 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
int rhizome_sign_hash_with_key(rhizome_manifest *m,const unsigned char *sk,
|
|
|
|
const unsigned char *pk,rhizome_signature *out)
|
|
|
|
{
|
|
|
|
IN();
|
2012-10-11 07:28:24 +00:00
|
|
|
unsigned char signatureBuffer[crypto_sign_edwards25519sha512batch_BYTES + crypto_hash_sha512_BYTES];
|
2012-10-09 16:37:49 +00:00
|
|
|
unsigned char *hash = m->manifesthash;
|
2012-10-11 07:28:24 +00:00
|
|
|
unsigned long long sigLen = 0;
|
|
|
|
int mLen = crypto_hash_sha512_BYTES;
|
2012-10-09 16:37:49 +00:00
|
|
|
int r = crypto_sign_edwards25519sha512batch(signatureBuffer, &sigLen, &hash[0], mLen, sk);
|
2012-10-11 07:28:24 +00:00
|
|
|
if (r)
|
|
|
|
RETURN(WHY("crypto_sign_edwards25519sha512batch() failed."));
|
2012-01-12 03:38:24 +00:00
|
|
|
/* Here we use knowledge of the internal structure of the signature block
|
|
|
|
to remove the hash, since that is implicitly transported, thus reducing the
|
|
|
|
actual signature size down to 64 bytes.
|
|
|
|
We do then need to add the public key of the signatory on. */
|
2012-10-09 16:37:49 +00:00
|
|
|
bcopy(signatureBuffer, &out->signature[1], 64);
|
|
|
|
bcopy(pk, &out->signature[65], crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
2012-10-11 07:28:24 +00:00
|
|
|
out->signatureLength = 65 + crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES;
|
2012-10-29 05:37:42 +00:00
|
|
|
out->signature[0] = 0x17; // CryptoSign
|
2012-10-11 07:28:24 +00:00
|
|
|
RETURN(0);
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
|
|
|
|
2012-06-26 11:51:46 +00:00
|
|
|
typedef struct manifest_signature_block_cache {
|
|
|
|
unsigned char manifest_hash[crypto_hash_sha512_BYTES];
|
|
|
|
unsigned char signature_bytes[256];
|
|
|
|
int signature_length;
|
|
|
|
int signature_valid;
|
|
|
|
} manifest_signature_block_cache;
|
|
|
|
|
|
|
|
#define SIG_CACHE_SIZE 1024
|
|
|
|
manifest_signature_block_cache sig_cache[SIG_CACHE_SIZE];
|
|
|
|
|
|
|
|
int rhizome_manifest_lookup_signature_validity(unsigned char *hash,unsigned char *sig,int sig_len)
|
|
|
|
{
|
|
|
|
IN();
|
|
|
|
unsigned int slot=0;
|
|
|
|
int i;
|
|
|
|
|
|
|
|
for(i=0;i<crypto_hash_sha512_BYTES;i++) {
|
|
|
|
slot=(slot<<1)+(slot&0x80000000?1:0);
|
|
|
|
slot+=hash[i];
|
|
|
|
}
|
|
|
|
for(i=0;i<sig_len;i++) {
|
|
|
|
slot=(slot<<1)+(slot&0x80000000?1:0);
|
|
|
|
slot+=sig[i];
|
|
|
|
}
|
|
|
|
slot%=SIG_CACHE_SIZE;
|
|
|
|
|
|
|
|
int replace=0;
|
|
|
|
if (sig_cache[slot].signature_length!=sig_len) replace=1;
|
|
|
|
for(i=0;i<crypto_hash_sha512_BYTES;i++)
|
|
|
|
if (hash[i]!=sig_cache[i].manifest_hash[i]) { replace=1; break; }
|
|
|
|
for(i=0;i<sig_len;i++)
|
|
|
|
if (sig[i]!=sig_cache[i].signature_bytes[i]) { replace=1; break; }
|
|
|
|
|
|
|
|
if (replace) {
|
|
|
|
for(i=0;i<crypto_hash_sha512_BYTES;i++)
|
|
|
|
sig_cache[i].manifest_hash[i]=hash[i];
|
|
|
|
for(i=0;i<sig_len;i++)
|
|
|
|
sig_cache[i].signature_bytes[i]=sig[i];
|
|
|
|
sig_cache[i].signature_length=sig_len;
|
|
|
|
|
|
|
|
unsigned char sigBuf[256];
|
|
|
|
unsigned char verifyBuf[256];
|
|
|
|
unsigned char publicKey[256];
|
|
|
|
|
|
|
|
/* Reconstitute signature by putting manifest hash between the two
|
|
|
|
32-byte halves */
|
2012-10-09 16:37:49 +00:00
|
|
|
bcopy(&sig[0],&sigBuf[0],64);
|
|
|
|
bcopy(hash,&sigBuf[64],crypto_hash_sha512_BYTES);
|
2012-06-26 11:51:46 +00:00
|
|
|
|
|
|
|
/* Get public key of signatory */
|
|
|
|
bcopy(&sig[64],&publicKey[0],crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
|
|
|
|
|
|
|
unsigned long long mlen=0;
|
|
|
|
sig_cache[i].signature_valid=
|
|
|
|
crypto_sign_edwards25519sha512batch_open(verifyBuf,&mlen,&sigBuf[0],128,
|
|
|
|
publicKey)
|
|
|
|
? -1 : 0;
|
|
|
|
}
|
|
|
|
RETURN(sig_cache[i].signature_valid);
|
|
|
|
}
|
|
|
|
|
2012-01-12 03:38:24 +00:00
|
|
|
int rhizome_manifest_extract_signature(rhizome_manifest *m,int *ofs)
|
|
|
|
{
|
2012-06-26 06:32:49 +00:00
|
|
|
IN();
|
2012-10-02 07:02:48 +00:00
|
|
|
if (!m)
|
|
|
|
RETURN(WHY("NULL pointer passed in as manifest"));
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome)
|
2012-10-02 07:02:48 +00:00
|
|
|
DEBUGF("m->manifest_all_bytes=%d m->manifest_bytes=%d *ofs=%d", m->manifest_all_bytes, m->manifest_bytes, *ofs);
|
2012-01-12 03:38:24 +00:00
|
|
|
|
2012-06-26 06:32:49 +00:00
|
|
|
if ((*ofs)>=m->manifest_all_bytes) { RETURN(0); }
|
2012-01-12 03:38:24 +00:00
|
|
|
|
2012-10-29 05:37:42 +00:00
|
|
|
int sigType=m->manifestdata[*ofs];
|
|
|
|
int len=(sigType&0x3f)*4+4+1;
|
2012-01-12 03:38:24 +00:00
|
|
|
|
|
|
|
/* Each signature type is required to have a different length to detect it.
|
|
|
|
At present only crypto_sign_edwards25519sha512batch() signatures are
|
|
|
|
supported. */
|
2012-06-26 11:51:46 +00:00
|
|
|
int r;
|
2012-01-12 03:38:24 +00:00
|
|
|
if (m->sig_count<MAX_MANIFEST_VARS)
|
2012-10-29 05:37:42 +00:00
|
|
|
switch(sigType)
|
2012-01-12 03:38:24 +00:00
|
|
|
{
|
2012-10-29 05:37:42 +00:00
|
|
|
case 0x17: /* crypto_sign_edwards25519sha512batch() */
|
2012-01-12 03:38:24 +00:00
|
|
|
/* Reconstitute signature block */
|
2012-06-26 11:51:46 +00:00
|
|
|
r=rhizome_manifest_lookup_signature_validity
|
|
|
|
(m->manifesthash,&m->manifestdata[(*ofs)+1],96);
|
|
|
|
#ifdef DEPRECATED
|
|
|
|
unsigned char sigBuf[256];
|
|
|
|
unsigned char verifyBuf[256];
|
|
|
|
unsigned char publicKey[256];
|
2012-10-09 16:37:49 +00:00
|
|
|
bcopy(&m->manifestdata[(*ofs)+1],&sigBuf[0],64);
|
|
|
|
bcopy(&m->manifesthash[0],&sigBuf[64],crypto_hash_sha512_BYTES);
|
2012-01-12 03:38:24 +00:00
|
|
|
/* Get public key of signatory */
|
|
|
|
bcopy(&m->manifestdata[(*ofs)+1+64],&publicKey[0],crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
|
|
|
unsigned long long mlen=0;
|
2012-08-01 08:24:02 +00:00
|
|
|
int r=crypto_sign_edwards25519sha512batch_open(verifyBuf,&mlen,&sigBuf[0],128, publicKey);
|
2012-06-26 11:51:46 +00:00
|
|
|
#endif
|
2012-01-12 03:38:24 +00:00
|
|
|
if (r) {
|
|
|
|
(*ofs)+=len;
|
|
|
|
m->errors++;
|
2012-06-26 06:32:49 +00:00
|
|
|
RETURN(WHY("Error in signature block (verification failed)."));
|
2012-01-12 03:38:24 +00:00
|
|
|
} else {
|
|
|
|
/* Signature block passes, so add to list of signatures */
|
|
|
|
m->signatureTypes[m->sig_count]=len;
|
|
|
|
m->signatories[m->sig_count]
|
|
|
|
=malloc(crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
|
|
|
if(!m->signatories[m->sig_count]) {
|
|
|
|
(*ofs)+=len;
|
2012-06-26 06:32:49 +00:00
|
|
|
RETURN(WHY("malloc() failed when reading signature block"));
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
2012-06-26 11:51:46 +00:00
|
|
|
bcopy(&m->manifestdata[(*ofs)+1+64],m->signatories[m->sig_count],
|
2012-01-12 03:38:24 +00:00
|
|
|
crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES);
|
|
|
|
m->sig_count++;
|
2012-12-11 05:29:46 +00:00
|
|
|
if (config.debug.rhizome) DEBUG("Signature passed.");
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
(*ofs)+=len;
|
|
|
|
m->errors++;
|
2012-10-29 05:37:42 +00:00
|
|
|
RETURN(WHYF("Encountered illegal or malformed signature block (unknown type=0x%02x @ offset 0x%x)",sigType,(*ofs)-len));
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
(*ofs)+=len;
|
|
|
|
WHY("Too many signature blocks in manifest.");
|
|
|
|
m->errors++;
|
|
|
|
}
|
|
|
|
|
|
|
|
(*ofs)+=len;
|
2012-06-26 06:32:49 +00:00
|
|
|
RETURN(0);
|
2012-01-12 03:38:24 +00:00
|
|
|
}
|
2012-12-21 00:23:47 +00:00
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
// add value to nonce, with the same result regardless of CPU endian order
|
|
|
|
// allowing for any carry value up to the size of the whole nonce
|
|
|
|
static void add_nonce(unsigned char *nonce, int64_t value){
|
|
|
|
int i=crypto_stream_xsalsa20_NONCEBYTES -1;
|
|
|
|
while(i>=0 && value>0){
|
|
|
|
int x = nonce[i]+(value & 0xFF);
|
|
|
|
nonce[i]=x&0xFF;
|
|
|
|
value = (value>>8)+(x>>8);
|
|
|
|
i--;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* crypt a block of a stream, allowing for offsets that don't align perfectly to block boundaries
|
|
|
|
* for efficiency the caller should use a buffer size of (n*RHIZOME_CRYPT_PAGE_SIZE)
|
|
|
|
*/
|
2012-12-21 00:23:47 +00:00
|
|
|
int rhizome_crypt_xor_block(unsigned char *buffer, int buffer_size, int64_t stream_offset,
|
2013-01-02 04:35:22 +00:00
|
|
|
const unsigned char *key, const unsigned char *nonce){
|
2012-12-21 00:23:47 +00:00
|
|
|
int64_t nonce_offset = stream_offset & ~(RHIZOME_CRYPT_PAGE_SIZE -1);
|
|
|
|
int offset=0;
|
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
unsigned char block_nonce[crypto_stream_xsalsa20_NONCEBYTES];
|
|
|
|
bcopy(nonce, block_nonce, sizeof(block_nonce));
|
|
|
|
add_nonce(block_nonce, nonce_offset);
|
|
|
|
|
2012-12-21 00:23:47 +00:00
|
|
|
if (nonce_offset < stream_offset){
|
|
|
|
int padding = stream_offset & (RHIZOME_CRYPT_PAGE_SIZE -1);
|
|
|
|
int size = RHIZOME_CRYPT_PAGE_SIZE - padding;
|
|
|
|
if (size>buffer_size)
|
|
|
|
size=buffer_size;
|
|
|
|
|
|
|
|
unsigned char temp[RHIZOME_CRYPT_PAGE_SIZE];
|
|
|
|
bcopy(temp + padding, buffer, size);
|
2013-01-02 04:35:22 +00:00
|
|
|
crypto_stream_xsalsa20_xor(temp, temp, size, block_nonce, key);
|
2012-12-21 00:23:47 +00:00
|
|
|
bcopy(buffer, temp + padding, size);
|
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
add_nonce(block_nonce, RHIZOME_CRYPT_PAGE_SIZE);
|
2012-12-21 00:23:47 +00:00
|
|
|
offset+=size;
|
|
|
|
}
|
|
|
|
|
|
|
|
while(offset < buffer_size){
|
|
|
|
int size = buffer_size - offset;
|
|
|
|
if (size>RHIZOME_CRYPT_PAGE_SIZE)
|
|
|
|
size=RHIZOME_CRYPT_PAGE_SIZE;
|
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
crypto_stream_xsalsa20_xor(buffer+offset, buffer+offset, size, block_nonce, key);
|
2012-12-21 00:23:47 +00:00
|
|
|
|
2013-01-02 04:35:22 +00:00
|
|
|
add_nonce(block_nonce, RHIZOME_CRYPT_PAGE_SIZE);
|
2012-12-21 00:23:47 +00:00
|
|
|
offset+=size;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2013-01-03 05:42:24 +00:00
|
|
|
|
|
|
|
int rhizome_derive_key(rhizome_manifest *m, rhizome_bk_t *bsk)
|
|
|
|
{
|
|
|
|
// don't do anything if the manifest isn't flagged as being encrypted
|
|
|
|
if (!m->payloadEncryption)
|
|
|
|
return 0;
|
|
|
|
if (m->payloadEncryption!=1)
|
|
|
|
return WHYF("Unsupported encryption scheme %d", m->payloadEncryption);
|
|
|
|
|
|
|
|
char *sender = rhizome_manifest_get(m, "sender", NULL, 0);
|
|
|
|
char *recipient = rhizome_manifest_get(m, "recipient", NULL, 0);
|
|
|
|
|
|
|
|
if (sender && recipient){
|
|
|
|
sid_t sender_sid, recipient_sid;
|
|
|
|
if (cf_opt_sid(&sender_sid, sender)!=CFOK)
|
|
|
|
return WHYF("Unable to parse sender sid");
|
|
|
|
if (cf_opt_sid(&recipient_sid, recipient)!=CFOK)
|
|
|
|
return WHYF("Unable to parse recipient sid");
|
|
|
|
|
|
|
|
unsigned char *nm_bytes=NULL;
|
|
|
|
int cn=0,in=0,kp=0;
|
|
|
|
if (!keyring_find_sid(keyring,&cn,&in,&kp,sender_sid.binary)){
|
|
|
|
cn=in=kp=0;
|
|
|
|
if (!keyring_find_sid(keyring,&cn,&in,&kp,recipient_sid.binary)){
|
|
|
|
return WHYF("Neither the sender %s nor the recipient %s appears in our keyring", sender, recipient);
|
|
|
|
}
|
|
|
|
nm_bytes=keyring_get_nm_bytes(recipient_sid.binary, sender_sid.binary);
|
|
|
|
}else{
|
|
|
|
nm_bytes=keyring_get_nm_bytes(sender_sid.binary, recipient_sid.binary);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!nm_bytes)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
unsigned char hash[crypto_hash_sha512_BYTES];
|
|
|
|
crypto_hash_sha512(hash, nm_bytes, crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES);
|
|
|
|
bcopy(hash, m->payloadKey, RHIZOME_CRYPT_KEY_BYTES);
|
|
|
|
|
|
|
|
}else{
|
|
|
|
if(!m->haveSecret){
|
|
|
|
if (rhizome_extract_privatekey_required(m, bsk))
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
unsigned char raw_key[9+crypto_sign_edwards25519sha512batch_SECRETKEYBYTES]="sasquatch";
|
|
|
|
bcopy(m->cryptoSignSecret, &raw_key[9], crypto_sign_edwards25519sha512batch_SECRETKEYBYTES);
|
|
|
|
|
|
|
|
unsigned char hash[crypto_hash_sha512_BYTES];
|
|
|
|
|
|
|
|
crypto_hash_sha512(hash, raw_key, sizeof(raw_key));
|
|
|
|
bcopy(hash, m->payloadKey, RHIZOME_CRYPT_KEY_BYTES);
|
|
|
|
}
|
|
|
|
|
|
|
|
// generate nonce from version#bundle id#version;
|
|
|
|
unsigned char raw_nonce[8+8+sizeof(m->cryptoSignPublic)];
|
|
|
|
|
|
|
|
write_uint64(&raw_nonce[0], m->version);
|
|
|
|
bcopy(m->cryptoSignPublic, &raw_nonce[8], sizeof(m->cryptoSignPublic));
|
|
|
|
write_uint64(&raw_nonce[8+sizeof(m->cryptoSignPublic)], m->version);
|
|
|
|
|
|
|
|
unsigned char hash[crypto_hash_sha512_BYTES];
|
|
|
|
|
|
|
|
crypto_hash_sha512(hash, raw_nonce, sizeof(raw_nonce));
|
|
|
|
bcopy(hash, m->payloadNonce, sizeof(m->payloadNonce));
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|