cookie gen/verify added

author: Uros Majstorovic <majstor@majstor.org> 2022-04-07 18:07:00 +0200
committer: Uros Majstorovic <majstor@majstor.org> 2022-04-07 18:07:00 +0200
commit: d09e20a8a46a17524df0b737d85e9684006a4c74 (patch)
tree: ea383c76ff2b0f0aa6cc418d0c3f5f402d452d58 /ecp/src
parent: f7aee8daafaaf8367a47238e790dc57941cef53f (diff)
7 files changed, 98 insertions, 6 deletions
diff --git a/ecp/src/ecp/common.mk b/ecp/src/ecp/common.mk
index fbc935a..a07b5c5 100644
--- a/ecp/src/ecp/common.mk
+++ b/ecp/src/ecp/common.mk
@@ -2,11 +2,12 @@ platform ?= posix
 
 pwd := $(abspath $(dir $(firstword $(MAKEFILE_LIST))))
 src_dir := $(abspath $(dir $(lastword $(MAKEFILE_LIST)))/..)
+ssl_dir = $(abspath $(src_dir)/../../ext/libressl)
 platform_dir = $(abspath $(src_dir)/platform/$(platform))
 
 include $(platform_dir)/platform.mk
 include $(platform_dir)/features.mk
-CFLAGS += -I$(src_dir)/ecp -I$(platform_dir)
+CFLAGS += -I$(src_dir)/ecp -I$(ssl_dir)/include -I$(platform_dir)
 
 ifeq ($(with_dirsrv),yes)
 with_dir = yes
diff --git a/ecp/src/ecp/core.c b/ecp/src/ecp/core.c
index d836ff4..a0251c8 100644
--- a/ecp/src/ecp/core.c
+++ b/ecp/src/ecp/core.c
@@ -288,12 +288,18 @@ static ECPConnection *conn_table_search(ECPSocket *sock, unsigned char c_idx, ec
 }
 
 int ecp_sock_init(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key) {
+    int rv;
+
     memset(sock, 0, sizeof(ECPSocket));
     sock->ctx = ctx;
     sock->key_curr = 0;
     if (key) sock->key_perma = *key;
 
-    return ecp_dhkey_gen(&sock->key[sock->key_curr]);
+    rv = ecp_dhkey_gen(&sock->key[sock->key_curr]);
+    if (rv) return rv;
+
+    rv = ecp_bc_key_gen(&sock->minkey);
+    return rv;
 }
 
 int ecp_sock_create(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key) {
@@ -342,6 +348,22 @@ void ecp_sock_close(ECPSocket *sock) {
     ecp_tr_close(sock);
 }
 
+int ecp_sock_minkey_new(ECPSocket *sock) {
+    int rv;
+
+#ifdef ECP_WITH_PTHREAD
+    pthread_mutex_lock(&sock->mutex);
+#endif
+
+    rv = ecp_bc_key_gen(&sock->minkey);
+
+#ifdef ECP_WITH_PTHREAD
+    pthread_mutex_unlock(&sock->mutex);
+#endif
+
+    return rv;
+}
+
 int ecp_sock_dhkey_new(ECPSocket *sock) {
     ECPDHKey new_key;
     int rv;
@@ -432,12 +454,45 @@ void ecp_sock_get_nonce(ECPSocket *sock, ecp_nonce_t *nonce) {
 }
 
 int ecp_cookie_gen(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf) {
-    memcpy(cookie, public_buf, ECP_SIZE_COOKIE);
+    ecp_bc_ctx_t bc_ctx;
+    int i;
+
+#ifdef ECP_WITH_PTHREAD
+    pthread_mutex_lock(&sock->mutex);
+#endif
+
+    bc_ctx = sock->minkey;
+
+#ifdef ECP_WITH_PTHREAD
+    pthread_mutex_unlock(&sock->mutex);
+#endif
+
+    for (i=0; i<ECP_SIZE_ECDH_PUB/ECP_SIZE_BC_BLOCK; i++) {
+        ecp_bc_encrypt_block(public_buf + i*ECP_SIZE_BC_BLOCK, cookie + i*ECP_SIZE_BC_BLOCK, &bc_ctx);
+    }
+
     return ECP_OK;
 }
 
 int ecp_cookie_verify(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf) {
-    if (memcmp(cookie, public_buf, ECP_SIZE_COOKIE) == 0) return ECP_OK;
+    ecp_bc_ctx_t bc_ctx;
+    int i;
+
+#ifdef ECP_WITH_PTHREAD
+    pthread_mutex_lock(&sock->mutex);
+#endif
+
+    bc_ctx = sock->minkey;
+
+#ifdef ECP_WITH_PTHREAD
+    pthread_mutex_unlock(&sock->mutex);
+#endif
+
+    for (i=0; i<ECP_SIZE_ECDH_PUB/ECP_SIZE_BC_BLOCK; i++) {
+        ecp_bc_decrypt_block(cookie + i*ECP_SIZE_BC_BLOCK, cookie + i*ECP_SIZE_BC_BLOCK, &bc_ctx);
+    }
+
+    if (memcmp(cookie, public_buf, ECP_SIZE_ECDH_PUB) == 0) return ECP_OK;
     return ECP_ERR_COOKIE;
 }
 
diff --git a/ecp/src/ecp/core.h b/ecp/src/ecp/core.h
index 8ac2931..810e8cd 100644
--- a/ecp/src/ecp/core.h
+++ b/ecp/src/ecp/core.h
@@ -272,6 +272,7 @@ typedef struct ECPSocket {
     ECPDHKey key_perma;
     ECPDHKey key[ECP_MAX_SOCK_KEY];
     unsigned char key_curr;
+    ecp_bc_ctx_t minkey;
     ECPConnTable conn_table;
     ECPTimer timer;
 #ifdef ECP_WITH_PTHREAD
@@ -321,6 +322,7 @@ int ecp_sock_create(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key);
 void ecp_sock_destroy(ECPSocket *sock);
 int ecp_sock_open(ECPSocket *sock, void *myaddr);
 void ecp_sock_close(ECPSocket *sock);
+int ecp_sock_minkey_new(ECPSocket *sock);
 int ecp_sock_dhkey_new(ECPSocket *sock);
 int ecp_sock_dhkey_get(ECPSocket *sock, unsigned char idx, ECPDHKey *key);
 int ecp_sock_dhkey_get_pub(ECPSocket *sock, unsigned char *idx, ecp_ecdh_public_t *public);
diff --git a/ecp/src/ecp/cr.h b/ecp/src/ecp/cr.h
index bcca318..4172656 100644
--- a/ecp/src/ecp/cr.h
+++ b/ecp/src/ecp/cr.h
@@ -14,3 +14,7 @@ ssize_t ecp_aead_dec(unsigned char *pt, size_t pl, unsigned char *ct, size_t cl,
 int ecp_ecdsa_mkpair(ecp_ecdsa_public_t *pub, ecp_ecdsa_private_t *priv);
 int ecp_ecdsa_sign(ecp_ecdsa_signature_t *sig, unsigned char *m, size_t ml, ecp_ecdsa_private_t *k);
 int ecp_ecdsa_verify(unsigned char *m, size_t ml, ecp_ecdsa_signature_t *sig, ecp_ecdsa_public_t *p);
+
+int ecp_bc_key_gen(ecp_bc_ctx_t *key);
+void ecp_bc_encrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key);
+void ecp_bc_decrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key);
diff --git a/ecp/src/ecp/crypto/Makefile b/ecp/src/ecp/crypto/Makefile
index 3a50965..7e2e8db 100644
--- a/ecp/src/ecp/crypto/Makefile
+++ b/ecp/src/ecp/crypto/Makefile
@@ -1,6 +1,4 @@
 include ../common.mk
-ssl_dir = ../../../../ext/libressl
-CFLAGS += -I$(ssl_dir)/include
 MAKEFLAGS += -I$(pwd)/..
 
 include $(ssl_dir)/ssl_obj.mk
diff --git a/ecp/src/ecp/crypto/crypto.c b/ecp/src/ecp/crypto/crypto.c
index 66ce524..6841e9d 100644
--- a/ecp/src/ecp/crypto/crypto.c
+++ b/ecp/src/ecp/crypto/crypto.c
@@ -103,3 +103,26 @@ int ecp_ecdsa_verify(unsigned char *m, size_t ml, ecp_ecdsa_signature_t *sig, ec
     if (rv == 1) return ECP_OK;
     return ECP_ERR_VERIFY;
 }
+
+int ecp_bc_key_gen(ecp_bc_ctx_t *key) {
+    unsigned char _key[ECP_SIZE_BC_KEY];
+    int rv;
+
+    arc4random_buf(_key, sizeof(_key));
+
+    rv = AES_set_encrypt_key(_key, ECP_SIZE_BC_KEY * 8, &key->ctx_enc);
+    if (rv < 0) return ECP_ERR;
+
+    rv = AES_set_decrypt_key(_key, ECP_SIZE_BC_KEY * 8, &key->ctx_dec);
+    if (rv < 0) return ECP_ERR;
+
+    return ECP_OK;
+}
+
+void ecp_bc_encrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key) {
+    AES_encrypt(in, out, &key->ctx_enc);
+}
+
+void ecp_bc_decrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key) {
+    AES_decrypt(in, out, &key->ctx_dec);
+}
diff --git a/ecp/src/ecp/crypto/crypto.h b/ecp/src/ecp/crypto/crypto.h
index 863b25b..9e55c53 100644
--- a/ecp/src/ecp/crypto/crypto.h
+++ b/ecp/src/ecp/crypto/crypto.h
@@ -1,3 +1,5 @@
+#include <openssl/aes.h>
+
 #define CURVE25519_SIZE_KEY     32
 #define CHACHA20_SIZE_KEY       32
 #define POLY1305_SIZE_TAG       16
@@ -13,6 +15,9 @@
 #define ECP_SIZE_ECDSA_SEC      64
 #define ECP_SIZE_ECDSA_SIG      32
 
+#define ECP_SIZE_BC_KEY         16
+#define ECP_SIZE_BC_BLOCK       16
+
 typedef uint8_t ecp_ecdh_public_t[ECP_SIZE_ECDH_PUB];
 typedef uint8_t ecp_ecdh_private_t[ECP_SIZE_ECDH_SEC];
 typedef uint8_t ecp_aead_key_t[ECP_SIZE_AEAD_KEY];
@@ -20,6 +25,10 @@ typedef uint8_t ecp_aead_nonce_t[ECP_SIZE_AEAD_NONCE];
 typedef uint8_t ecp_ecdsa_public_t[ECP_SIZE_ECDSA_PUB];
 typedef uint8_t ecp_ecdsa_private_t[ECP_SIZE_ECDSA_SEC];
 typedef uint8_t ecp_ecdsa_signature_t[ECP_SIZE_ECDSA_SIG];
+typedef struct {
+    AES_KEY ctx_enc;
+    AES_KEY ctx_dec;
+} ecp_bc_ctx_t;
 
 int
 aead_chacha20_poly1305_seal(unsigned char key[32], unsigned char tag_len,
author	Uros Majstorovic <majstor@majstor.org>	2022-04-07 18:07:00 +0200
committer	Uros Majstorovic <majstor@majstor.org>	2022-04-07 18:07:00 +0200
commit	d09e20a8a46a17524df0b737d85e9684006a4c74 (patch)
tree	ea383c76ff2b0f0aa6cc418d0c3f5f402d452d58 /ecp/src
parent	f7aee8daafaaf8367a47238e790dc57941cef53f (diff)