diff options
| -rw-r--r-- | ecp/src/ecp/common.mk | 3 | ||||
| -rw-r--r-- | ecp/src/ecp/core.c | 61 | ||||
| -rw-r--r-- | ecp/src/ecp/core.h | 2 | ||||
| -rw-r--r-- | ecp/src/ecp/cr.h | 4 | ||||
| -rw-r--r-- | ecp/src/ecp/crypto/Makefile | 2 | ||||
| -rw-r--r-- | ecp/src/ecp/crypto/crypto.c | 23 | ||||
| -rw-r--r-- | ecp/src/ecp/crypto/crypto.h | 9 |
7 files changed, 98 insertions, 6 deletions
diff --git a/ecp/src/ecp/common.mk b/ecp/src/ecp/common.mk index fbc935a..a07b5c5 100644 --- a/ecp/src/ecp/common.mk +++ b/ecp/src/ecp/common.mk @@ -2,11 +2,12 @@ platform ?= posix pwd := $(abspath $(dir $(firstword $(MAKEFILE_LIST)))) src_dir := $(abspath $(dir $(lastword $(MAKEFILE_LIST)))/..) +ssl_dir = $(abspath $(src_dir)/../../ext/libressl) platform_dir = $(abspath $(src_dir)/platform/$(platform)) include $(platform_dir)/platform.mk include $(platform_dir)/features.mk -CFLAGS += -I$(src_dir)/ecp -I$(platform_dir) +CFLAGS += -I$(src_dir)/ecp -I$(ssl_dir)/include -I$(platform_dir) ifeq ($(with_dirsrv),yes) with_dir = yes diff --git a/ecp/src/ecp/core.c b/ecp/src/ecp/core.c index d836ff4..a0251c8 100644 --- a/ecp/src/ecp/core.c +++ b/ecp/src/ecp/core.c @@ -288,12 +288,18 @@ static ECPConnection *conn_table_search(ECPSocket *sock, unsigned char c_idx, ec } int ecp_sock_init(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key) { + int rv; + memset(sock, 0, sizeof(ECPSocket)); sock->ctx = ctx; sock->key_curr = 0; if (key) sock->key_perma = *key; - return ecp_dhkey_gen(&sock->key[sock->key_curr]); + rv = ecp_dhkey_gen(&sock->key[sock->key_curr]); + if (rv) return rv; + + rv = ecp_bc_key_gen(&sock->minkey); + return rv; } int ecp_sock_create(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key) { @@ -342,6 +348,22 @@ void ecp_sock_close(ECPSocket *sock) { ecp_tr_close(sock); } +int ecp_sock_minkey_new(ECPSocket *sock) { + int rv; + +#ifdef ECP_WITH_PTHREAD + pthread_mutex_lock(&sock->mutex); +#endif + + rv = ecp_bc_key_gen(&sock->minkey); + +#ifdef ECP_WITH_PTHREAD + pthread_mutex_unlock(&sock->mutex); +#endif + + return rv; +} + int ecp_sock_dhkey_new(ECPSocket *sock) { ECPDHKey new_key; int rv; @@ -432,12 +454,45 @@ void ecp_sock_get_nonce(ECPSocket *sock, ecp_nonce_t *nonce) { } int ecp_cookie_gen(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf) { - memcpy(cookie, public_buf, ECP_SIZE_COOKIE); + ecp_bc_ctx_t bc_ctx; + int i; + +#ifdef ECP_WITH_PTHREAD + pthread_mutex_lock(&sock->mutex); +#endif + + bc_ctx = sock->minkey; + +#ifdef ECP_WITH_PTHREAD + pthread_mutex_unlock(&sock->mutex); +#endif + + for (i=0; i<ECP_SIZE_ECDH_PUB/ECP_SIZE_BC_BLOCK; i++) { + ecp_bc_encrypt_block(public_buf + i*ECP_SIZE_BC_BLOCK, cookie + i*ECP_SIZE_BC_BLOCK, &bc_ctx); + } + return ECP_OK; } int ecp_cookie_verify(ECPSocket *sock, unsigned char *cookie, unsigned char *public_buf) { - if (memcmp(cookie, public_buf, ECP_SIZE_COOKIE) == 0) return ECP_OK; + ecp_bc_ctx_t bc_ctx; + int i; + +#ifdef ECP_WITH_PTHREAD + pthread_mutex_lock(&sock->mutex); +#endif + + bc_ctx = sock->minkey; + +#ifdef ECP_WITH_PTHREAD + pthread_mutex_unlock(&sock->mutex); +#endif + + for (i=0; i<ECP_SIZE_ECDH_PUB/ECP_SIZE_BC_BLOCK; i++) { + ecp_bc_decrypt_block(cookie + i*ECP_SIZE_BC_BLOCK, cookie + i*ECP_SIZE_BC_BLOCK, &bc_ctx); + } + + if (memcmp(cookie, public_buf, ECP_SIZE_ECDH_PUB) == 0) return ECP_OK; return ECP_ERR_COOKIE; } diff --git a/ecp/src/ecp/core.h b/ecp/src/ecp/core.h index 8ac2931..810e8cd 100644 --- a/ecp/src/ecp/core.h +++ b/ecp/src/ecp/core.h @@ -272,6 +272,7 @@ typedef struct ECPSocket { ECPDHKey key_perma; ECPDHKey key[ECP_MAX_SOCK_KEY]; unsigned char key_curr; + ecp_bc_ctx_t minkey; ECPConnTable conn_table; ECPTimer timer; #ifdef ECP_WITH_PTHREAD @@ -321,6 +322,7 @@ int ecp_sock_create(ECPSocket *sock, ECPContext *ctx, ECPDHKey *key); void ecp_sock_destroy(ECPSocket *sock); int ecp_sock_open(ECPSocket *sock, void *myaddr); void ecp_sock_close(ECPSocket *sock); +int ecp_sock_minkey_new(ECPSocket *sock); int ecp_sock_dhkey_new(ECPSocket *sock); int ecp_sock_dhkey_get(ECPSocket *sock, unsigned char idx, ECPDHKey *key); int ecp_sock_dhkey_get_pub(ECPSocket *sock, unsigned char *idx, ecp_ecdh_public_t *public); diff --git a/ecp/src/ecp/cr.h b/ecp/src/ecp/cr.h index bcca318..4172656 100644 --- a/ecp/src/ecp/cr.h +++ b/ecp/src/ecp/cr.h @@ -14,3 +14,7 @@ ssize_t ecp_aead_dec(unsigned char *pt, size_t pl, unsigned char *ct, size_t cl, int ecp_ecdsa_mkpair(ecp_ecdsa_public_t *pub, ecp_ecdsa_private_t *priv); int ecp_ecdsa_sign(ecp_ecdsa_signature_t *sig, unsigned char *m, size_t ml, ecp_ecdsa_private_t *k); int ecp_ecdsa_verify(unsigned char *m, size_t ml, ecp_ecdsa_signature_t *sig, ecp_ecdsa_public_t *p); + +int ecp_bc_key_gen(ecp_bc_ctx_t *key); +void ecp_bc_encrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key); +void ecp_bc_decrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key); diff --git a/ecp/src/ecp/crypto/Makefile b/ecp/src/ecp/crypto/Makefile index 3a50965..7e2e8db 100644 --- a/ecp/src/ecp/crypto/Makefile +++ b/ecp/src/ecp/crypto/Makefile @@ -1,6 +1,4 @@ include ../common.mk -ssl_dir = ../../../../ext/libressl -CFLAGS += -I$(ssl_dir)/include MAKEFLAGS += -I$(pwd)/.. include $(ssl_dir)/ssl_obj.mk diff --git a/ecp/src/ecp/crypto/crypto.c b/ecp/src/ecp/crypto/crypto.c index 66ce524..6841e9d 100644 --- a/ecp/src/ecp/crypto/crypto.c +++ b/ecp/src/ecp/crypto/crypto.c @@ -103,3 +103,26 @@ int ecp_ecdsa_verify(unsigned char *m, size_t ml, ecp_ecdsa_signature_t *sig, ec if (rv == 1) return ECP_OK; return ECP_ERR_VERIFY; } + +int ecp_bc_key_gen(ecp_bc_ctx_t *key) { + unsigned char _key[ECP_SIZE_BC_KEY]; + int rv; + + arc4random_buf(_key, sizeof(_key)); + + rv = AES_set_encrypt_key(_key, ECP_SIZE_BC_KEY * 8, &key->ctx_enc); + if (rv < 0) return ECP_ERR; + + rv = AES_set_decrypt_key(_key, ECP_SIZE_BC_KEY * 8, &key->ctx_dec); + if (rv < 0) return ECP_ERR; + + return ECP_OK; +} + +void ecp_bc_encrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key) { + AES_encrypt(in, out, &key->ctx_enc); +} + +void ecp_bc_decrypt_block(unsigned char *in, unsigned char *out, ecp_bc_ctx_t *key) { + AES_decrypt(in, out, &key->ctx_dec); +} diff --git a/ecp/src/ecp/crypto/crypto.h b/ecp/src/ecp/crypto/crypto.h index 863b25b..9e55c53 100644 --- a/ecp/src/ecp/crypto/crypto.h +++ b/ecp/src/ecp/crypto/crypto.h @@ -1,3 +1,5 @@ +#include <openssl/aes.h> + #define CURVE25519_SIZE_KEY 32 #define CHACHA20_SIZE_KEY 32 #define POLY1305_SIZE_TAG 16 @@ -13,6 +15,9 @@ #define ECP_SIZE_ECDSA_SEC 64 #define ECP_SIZE_ECDSA_SIG 32 +#define ECP_SIZE_BC_KEY 16 +#define ECP_SIZE_BC_BLOCK 16 + typedef uint8_t ecp_ecdh_public_t[ECP_SIZE_ECDH_PUB]; typedef uint8_t ecp_ecdh_private_t[ECP_SIZE_ECDH_SEC]; typedef uint8_t ecp_aead_key_t[ECP_SIZE_AEAD_KEY]; @@ -20,6 +25,10 @@ typedef uint8_t ecp_aead_nonce_t[ECP_SIZE_AEAD_NONCE]; typedef uint8_t ecp_ecdsa_public_t[ECP_SIZE_ECDSA_PUB]; typedef uint8_t ecp_ecdsa_private_t[ECP_SIZE_ECDSA_SEC]; typedef uint8_t ecp_ecdsa_signature_t[ECP_SIZE_ECDSA_SIG]; +typedef struct { + AES_KEY ctx_enc; + AES_KEY ctx_dec; +} ecp_bc_ctx_t; int aead_chacha20_poly1305_seal(unsigned char key[32], unsigned char tag_len, |