summaryrefslogtreecommitdiff
path: root/ecp
diff options
context:
space:
mode:
authorUros Majstorovic <majstor@majstor.org>2022-04-07 18:07:00 +0200
committerUros Majstorovic <majstor@majstor.org>2022-04-07 18:07:00 +0200
commitd09e20a8a46a17524df0b737d85e9684006a4c74 (patch)
treeea383c76ff2b0f0aa6cc418d0c3f5f402d452d58 /ecp
parentf7aee8daafaaf8367a47238e790dc57941cef53f (diff)
cookie gen/verify added
Diffstat (limited to 'ecp')
-rw-r--r--ecp/src/ecp/common.mk3
-rw-r--r--ecp/src/ecp/core.c61
-rw-r--r--ecp/src/ecp/core.h2
-rw-r--r--ecp/src/ecp/cr.h4
-rw-r--r--ecp/src/ecp/crypto/Makefile2
-rw-r--r--ecp/src/ecp/crypto/crypto.c23
-rw-r--r--ecp/src/ecp/crypto/crypto.h9
7 files changed, 98 insertions, 6 deletions
diff --git a/ecp/src/ecp/common.mk b/ecp/src/ecp/common.mk
index fbc935a..a07b5c5 100644
--- a/ecp/src/ecp/common.mk
+++ b/ecp/src/ecp/common.mk
@@ -2,11 +2,12 @@ platform ?= posix
pwd := $(abspath $(dir $(firstword $(MAKEFILE_LIST))))
src_dir := $(abspath $(dir $(lastword $(MAKEFILE_LIST)))/..)
+ssl_dir = $(abspath $(src_dir)/../../ext/libressl)
platform_dir = $(abspath $(src_dir)/platform/$(platform))
include $(platform_dir)/platform.mk
include $(platform_dir)/features.mk
-CFLAGS += -I$(src_dir)/ecp -I$(platform_dir)
+CFLAGS += -I$(src_dir)/ecp -I$(ssl_dir)/include -I$(platform_dir)
ifeq ($(with_dirsrv),yes)
with_dir = yes
diff --git a/ecp/src/ecp/core.c b/ecp/src/ecp/core.c
index d836ff4..a0251c8 100644
--- a/ecp/src/ecp/core.c
+++ b/ecp/src/ecp/core.c
@@ -288,12 +288,18 @@ static ECPConnection *conn_table_search(ECPSocket *sock, unsigned char c_idx, ec
}
int ecp_sock_init(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key) {
+ int rv;
+
memset(sock, 0, sizeof(ECPSocket));
sock->ctx = ctx;
sock->key_curr = 0;
if (key) sock->key_perma = *key;
- return ecp_dhkey_gen(&sock->key[sock->key_curr]);
+ rv = ecp_dhkey_gen(&sock->key[sock->key_curr]);
+ if (rv) return rv;
+
+ rv = ecp_bc_key_gen(&sock->minkey);
+ return rv;
}
int ecp_sock_create(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key) {
@@ -342,6 +348,22 @@ void ecp_sock_close(ECPSocket *sock) {
ecp_tr_close(sock);
}
+int ecp_sock_minkey_new(ECPSocket *sock) {
+ int rv;
+
+#ifdef ECP_WITH_PTHREAD
+ pthread_mutex_lock(&sock->mutex);
+#endif
+
+ rv = ecp_bc_key_gen(&sock->minkey);
+
+#ifdef ECP_WITH_PTHREAD
+ pthread_mutex_unlock(&sock->mutex);
+#endif
+
+ return rv;
+}
+
int ecp_sock_dhkey_new(ECPSocket *sock) {
ECPDHKey new_key;
int rv;
@@ -432,12 +454,45 @@ void ecp_sock_get_nonce(ECPSocket *sock, ecp_nonce_t *nonce) {
}
int ecp_cookie_gen(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf) {
- memcpy(cookie, public_buf, ECP_SIZE_COOKIE);
+ ecp_bc_ctx_t bc_ctx;
+ int i;
+
+#ifdef ECP_WITH_PTHREAD
+ pthread_mutex_lock(&sock->mutex);
+#endif
+
+ bc_ctx = sock->minkey;
+
+#ifdef ECP_WITH_PTHREAD
+ pthread_mutex_unlock(&sock->mutex);
+#endif
+
+ for (i=0; i<ECP_SIZE_ECDH_PUB/ECP_SIZE_BC_BLOCK; i++) {
+ ecp_bc_encrypt_block(public_buf + i*ECP_SIZE_BC_BLOCK, cookie + i*ECP_SIZE_BC_BLOCK, &bc_ctx);
+ }
+
return ECP_OK;
}
int ecp_cookie_verify(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf) {
- if (memcmp(cookie, public_buf, ECP_SIZE_COOKIE) == 0) return ECP_OK;
+ ecp_bc_ctx_t bc_ctx;
+ int i;
+
+#ifdef ECP_WITH_PTHREAD
+ pthread_mutex_lock(&sock->mutex);
+#endif
+
+ bc_ctx = sock->minkey;
+
+#ifdef ECP_WITH_PTHREAD
+ pthread_mutex_unlock(&sock->mutex);
+#endif
+
+ for (i=0; i<ECP_SIZE_ECDH_PUB/ECP_SIZE_BC_BLOCK; i++) {
+ ecp_bc_decrypt_block(cookie + i*ECP_SIZE_BC_BLOCK, cookie + i*ECP_SIZE_BC_BLOCK, &bc_ctx);
+ }
+
+ if (memcmp(cookie, public_buf, ECP_SIZE_ECDH_PUB) == 0) return ECP_OK;
return ECP_ERR_COOKIE;
}
diff --git a/ecp/src/ecp/core.h b/ecp/src/ecp/core.h
index 8ac2931..810e8cd 100644
--- a/ecp/src/ecp/core.h
+++ b/ecp/src/ecp/core.h
@@ -272,6 +272,7 @@ typedef struct ECPSocket {
ECPDHKey key_perma;
ECPDHKey key[ECP_MAX_SOCK_KEY];
unsigned char key_curr;
+ ecp_bc_ctx_t minkey;
ECPConnTable conn_table;
ECPTimer timer;
#ifdef ECP_WITH_PTHREAD
@@ -321,6 +322,7 @@ int ecp_sock_create(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key);
void ecp_sock_destroy(ECPSocket *sock);
int ecp_sock_open(ECPSocket *sock, void *myaddr);
void ecp_sock_close(ECPSocket *sock);
+int ecp_sock_minkey_new(ECPSocket *sock);
int ecp_sock_dhkey_new(ECPSocket *sock);
int ecp_sock_dhkey_get(ECPSocket *sock, unsigned char idx, ECPDHKey *key);
int ecp_sock_dhkey_get_pub(ECPSocket *sock, unsigned char *idx, ecp_ecdh_public_t *public);
diff --git a/ecp/src/ecp/cr.h b/ecp/src/ecp/cr.h
index bcca318..4172656 100644
--- a/ecp/src/ecp/cr.h
+++ b/ecp/src/ecp/cr.h
@@ -14,3 +14,7 @@ ssize_t ecp_aead_dec(unsigned char *pt, size_t pl, unsigned char *ct, size_t cl,
int ecp_ecdsa_mkpair(ecp_ecdsa_public_t *pub, ecp_ecdsa_private_t *priv);
int ecp_ecdsa_sign(ecp_ecdsa_signature_t *sig, unsigned char *m, size_t ml, ecp_ecdsa_private_t *k);
int ecp_ecdsa_verify(unsigned char *m, size_t ml, ecp_ecdsa_signature_t *sig, ecp_ecdsa_public_t *p);
+
+int ecp_bc_key_gen(ecp_bc_ctx_t *key);
+void ecp_bc_encrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key);
+void ecp_bc_decrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key);
diff --git a/ecp/src/ecp/crypto/Makefile b/ecp/src/ecp/crypto/Makefile
index 3a50965..7e2e8db 100644
--- a/ecp/src/ecp/crypto/Makefile
+++ b/ecp/src/ecp/crypto/Makefile
@@ -1,6 +1,4 @@
include ../common.mk
-ssl_dir = ../../../../ext/libressl
-CFLAGS += -I$(ssl_dir)/include
MAKEFLAGS += -I$(pwd)/..
include $(ssl_dir)/ssl_obj.mk
diff --git a/ecp/src/ecp/crypto/crypto.c b/ecp/src/ecp/crypto/crypto.c
index 66ce524..6841e9d 100644
--- a/ecp/src/ecp/crypto/crypto.c
+++ b/ecp/src/ecp/crypto/crypto.c
@@ -103,3 +103,26 @@ int ecp_ecdsa_verify(unsigned char *m, size_t ml, ecp_ecdsa_signature_t *sig, ec
if (rv == 1) return ECP_OK;
return ECP_ERR_VERIFY;
}
+
+int ecp_bc_key_gen(ecp_bc_ctx_t *key) {
+ unsigned char _key[ECP_SIZE_BC_KEY];
+ int rv;
+
+ arc4random_buf(_key, sizeof(_key));
+
+ rv = AES_set_encrypt_key(_key, ECP_SIZE_BC_KEY * 8, &key->ctx_enc);
+ if (rv < 0) return ECP_ERR;
+
+ rv = AES_set_decrypt_key(_key, ECP_SIZE_BC_KEY * 8, &key->ctx_dec);
+ if (rv < 0) return ECP_ERR;
+
+ return ECP_OK;
+}
+
+void ecp_bc_encrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key) {
+ AES_encrypt(in, out, &key->ctx_enc);
+}
+
+void ecp_bc_decrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key) {
+ AES_decrypt(in, out, &key->ctx_dec);
+}
diff --git a/ecp/src/ecp/crypto/crypto.h b/ecp/src/ecp/crypto/crypto.h
index 863b25b..9e55c53 100644
--- a/ecp/src/ecp/crypto/crypto.h
+++ b/ecp/src/ecp/crypto/crypto.h
@@ -1,3 +1,5 @@
+#include <openssl/aes.h>
+
#define CURVE25519_SIZE_KEY 32
#define CHACHA20_SIZE_KEY 32
#define POLY1305_SIZE_TAG 16
@@ -13,6 +15,9 @@
#define ECP_SIZE_ECDSA_SEC 64
#define ECP_SIZE_ECDSA_SIG 32
+#define ECP_SIZE_BC_KEY 16
+#define ECP_SIZE_BC_BLOCK 16
+
typedef uint8_t ecp_ecdh_public_t[ECP_SIZE_ECDH_PUB];
typedef uint8_t ecp_ecdh_private_t[ECP_SIZE_ECDH_SEC];
typedef uint8_t ecp_aead_key_t[ECP_SIZE_AEAD_KEY];
@@ -20,6 +25,10 @@ typedef uint8_t ecp_aead_nonce_t[ECP_SIZE_AEAD_NONCE];
typedef uint8_t ecp_ecdsa_public_t[ECP_SIZE_ECDSA_PUB];
typedef uint8_t ecp_ecdsa_private_t[ECP_SIZE_ECDSA_SEC];
typedef uint8_t ecp_ecdsa_signature_t[ECP_SIZE_ECDSA_SIG];
+typedef struct {
+ AES_KEY ctx_enc;
+ AES_KEY ctx_dec;
+} ecp_bc_ctx_t;
int
aead_chacha20_poly1305_seal(unsigned char key[32], unsigned char tag_len,