lokinet/llarp/service/identity.cpp

#include <service/identity.hpp>

#include <crypto/crypto.hpp>
#include <util/fs.hpp>
#include <sodium/crypto_sign_ed25519.h>

namespace llarp
{
  namespace service
  {
    bool
    Identity::BEncode(llarp_buffer_t* buf) const
    {
      if(!bencode_start_dict(buf))
        return false;
      if(!BEncodeWriteDictEntry("e", enckey, buf))
        return false;
      if(!BEncodeWriteDictEntry("q", pq, buf))
        return false;
      if(!BEncodeWriteDictEntry("s", signkey, buf))
        return false;
      if(!BEncodeWriteDictInt("v", version, buf))
        return false;
      if(!BEncodeWriteDictEntry("x", vanity, buf))
        return false;
      return bencode_end(buf);
    }

    bool
    Identity::DecodeKey(const llarp_buffer_t& key, llarp_buffer_t* buf)
    {
      bool read = false;
      if(!BEncodeMaybeReadDictEntry("e", enckey, read, key, buf))
        return false;
      if(key == "q")
      {
        llarp_buffer_t str;
        if(!bencode_read_string(buf, &str))
          return false;
        if(str.sz == 3200 || str.sz == 2818)
        {
          pq = str.base;
          return true;
        }

        return false;
      }
      if(!BEncodeMaybeReadDictEntry("s", signkey, read, key, buf))
        return false;
      if(!BEncodeMaybeReadDictInt("v", version, read, key, buf))
        return false;
      if(!BEncodeMaybeReadDictEntry("x", vanity, read, key, buf))
        return false;
      return read;
    }

    void
    Identity::RegenerateKeys()
    {
      auto crypto = CryptoManager::instance();
      crypto->identity_keygen(signkey);
      crypto->encryption_keygen(enckey);
      pub.Update(seckey_topublic(signkey), seckey_topublic(enckey));
      crypto->pqe_keygen(pq);
      if(not crypto->derive_subkey_private(derivedSignKey, signkey, 1))
      {
        LogError("failed to generate derived key");
      }
    }

    bool
    Identity::KeyExchange(path_dh_func dh, SharedSecret& result,
                          const ServiceInfo& other,
                          const KeyExchangeNonce& N) const
    {
      return dh(result, other.EncryptionPublicKey(), enckey, N);
    }

    bool
    Identity::Sign(Signature& sig, const llarp_buffer_t& buf) const
    {
      return CryptoManager::instance()->sign(sig, signkey, buf);
    }

    bool
    Identity::EnsureKeys(const std::string& fname, bool needBackup)
    {
      std::array< byte_t, 4096 > tmp;
      llarp_buffer_t buf(tmp);
      std::error_code ec;

      bool exists = fs::exists(fname, ec);
      if(ec)
      {
        LogError("Could not query file status for ", fname, ": ", ec.message());
        return false;
      }

      if(exists and needBackup)
      {
        KeyManager::backupFileByMoving(fname);
        exists = false;
      }

      // check for file
      if(!exists)
      {
        // regen and encode
        RegenerateKeys();
        if(!BEncode(&buf))
          return false;
        // rewind
        buf.sz  = buf.cur - buf.base;
        buf.cur = buf.base;
        // write
        auto optional_f =
            util::OpenFileStream< std::ofstream >(fname, std::ios::binary);
        if(!optional_f)
          return false;
        auto& f = optional_f.value();
        if(!f.is_open())
          return false;
        f.write((char*)buf.cur, buf.sz);
      }

      if(!fs::is_regular_file(fname))
      {
        LogError("keyfile ", fname, " is not a regular file");
        return false;
      }

      // read file
      std::ifstream inf(fname, std::ios::binary);
      inf.seekg(0, std::ios::end);
      size_t sz = inf.tellg();
      inf.seekg(0, std::ios::beg);

      if(sz > sizeof(tmp))
        return false;
      // decode
      inf.read((char*)buf.base, sz);
      if(!bencode_decode_dict(*this, &buf))
        return false;

      ServiceInfo::OptNonce van;
      if(!vanity.IsZero())
        van = vanity;
      // update pubkeys
      pub.Update(seckey_topublic(signkey), seckey_topublic(enckey), van);
      auto crypto = CryptoManager::instance();
      return crypto->derive_subkey_private(derivedSignKey, signkey, 1);
    }

    absl::optional< EncryptedIntroSet >
    Identity::EncryptAndSignIntroSet(const IntroSet& other_i,
                                     llarp_time_t now) const
    {
      EncryptedIntroSet encrypted;

      if(other_i.I.size() == 0)
        return {};
      IntroSet i(other_i);
      encrypted.nounce.Randomize();
      // set timestamp
      // TODO: round to nearest 1000 ms
      i.T                = now;
      encrypted.signedAt = now;
      // set service info
      i.A = pub;
      // set public encryption key
      i.K = pq_keypair_to_public(pq);
      std::array< byte_t, MAX_INTROSET_SIZE > tmp;
      llarp_buffer_t buf(tmp);
      if(not i.BEncode(&buf))
        return {};
      // rewind and resize buffer
      buf.sz  = buf.cur - buf.base;
      buf.cur = buf.base;
      const SharedSecret k(i.A.Addr());
      CryptoManager::instance()->xchacha20(buf, k, encrypted.nounce);
      encrypted.introsetPayload.resize(buf.sz);
      std::copy_n(buf.base, buf.sz, encrypted.introsetPayload.data());
      if(not encrypted.Sign(derivedSignKey))
        return {};
      return encrypted;
    }
  }  // namespace service
}  // namespace llarp
Tidy up more parts of the service/ directory 2019-04-22 18:35:19 +00:00			`#include <service/identity.hpp>`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00
Port code to use CryptoManager over passing Crypto pointers 2019-05-28 19:45:08 +00:00			`#include <crypto/crypto.hpp>`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`#include <util/fs.hpp>`
initial dht key blinding 2020-01-27 21:30:41 +00:00			`#include <sodium/crypto_sign_ed25519.h>`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00
			`namespace llarp`
			`{`
			`namespace service`
			`{`
			`bool`
			`Identity::BEncode(llarp_buffer_t* buf) const`
			`{`
			`if(!bencode_start_dict(buf))`
			`return false;`
			`if(!BEncodeWriteDictEntry("e", enckey, buf))`
			`return false;`
			`if(!BEncodeWriteDictEntry("q", pq, buf))`
			`return false;`
			`if(!BEncodeWriteDictEntry("s", signkey, buf))`
			`return false;`
			`if(!BEncodeWriteDictInt("v", version, buf))`
			`return false;`
			`if(!BEncodeWriteDictEntry("x", vanity, buf))`
			`return false;`
			`return bencode_end(buf);`
			`}`

			`bool`
Disable copy constructing llarp_buffer_t 2019-02-01 01:58:06 +00:00			`Identity::DecodeKey(const llarp_buffer_t& key, llarp_buffer_t* buf)`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`{`
			`bool read = false;`
			`if(!BEncodeMaybeReadDictEntry("e", enckey, read, key, buf))`
			`return false;`
Convert llarp_buffer_t to be a class with methods 2019-02-17 12:13:34 +00:00			`if(key == "q")`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`{`
			`llarp_buffer_t str;`
			`if(!bencode_read_string(buf, &str))`
			`return false;`
			`if(str.sz == 3200 \|\| str.sz == 2818)`
			`{`
			`pq = str.base;`
			`return true;`
			`}`
Remove redundant else blocks 2019-07-06 17:03:40 +00:00
			`return false;`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`}`
			`if(!BEncodeMaybeReadDictEntry("s", signkey, read, key, buf))`
			`return false;`
			`if(!BEncodeMaybeReadDictInt("v", version, read, key, buf))`
			`return false;`
			`if(!BEncodeMaybeReadDictEntry("x", vanity, read, key, buf))`
			`return false;`
			`return read;`
			`}`

			`void`
Port code to use CryptoManager over passing Crypto pointers 2019-05-28 19:45:08 +00:00			`Identity::RegenerateKeys()`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`{`
Port code to use CryptoManager over passing Crypto pointers 2019-05-28 19:45:08 +00:00			`auto crypto = CryptoManager::instance();`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`crypto->identity_keygen(signkey);`
don't derive x25519 key from ed25519 key 2020-02-03 22:20:56 +00:00			`crypto->encryption_keygen(enckey);`
			`pub.Update(seckey_topublic(signkey), seckey_topublic(enckey));`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`crypto->pqe_keygen(pq);`
Derived key fixes The reason things weren't working here is because libsodium does something completely unintuitive and called the seed the "secret key" when it isn't, it's the seed. This adds a new PrivateKey class (alongside the existing SecretKey and PubKey) that holds just a private key value but no seed -- which we need to do because there is no way we can get a seed after calculating a derived keypair. With these changes, we now generate exactly the same keys and subkeys as Tor (and a new test case uses values generated in Tor to verify this). This is incomplete -- the subkey signing code is still not implemented; it has to be adapted to create a signature from a PrivateKey rather than a SecretKey which will probably requiring working around/reimplementing some of what libsodium does for creating a signature since it expects "secret keys" i.e. the seed. 2020-01-30 16:34:05 +00:00			`if(not crypto->derive_subkey_private(derivedSignKey, signkey, 1))`
does not work 2020-01-28 21:55:36 +00:00			`{`
			`LogError("failed to generate derived key");`
			`}`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`}`

			`bool`
			`Identity::KeyExchange(path_dh_func dh, SharedSecret& result,`
			`const ServiceInfo& other,`
			`const KeyExchangeNonce& N) const`
			`{`
			`return dh(result, other.EncryptionPublicKey(), enckey, N);`
			`}`

			`bool`
Port code to use CryptoManager over passing Crypto pointers 2019-05-28 19:45:08 +00:00			`Identity::Sign(Signature& sig, const llarp_buffer_t& buf) const`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`{`
Port code to use CryptoManager over passing Crypto pointers 2019-05-28 19:45:08 +00:00			`return CryptoManager::instance()->sign(sig, signkey, buf);`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`}`

			`bool`
Backup SNApp keys when migrating to new ed25519 crypto 2019-12-06 18:21:14 +00:00			`Identity::EnsureKeys(const std::string& fname, bool needBackup)`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`{`
Create CopyableBuffer type 2019-02-02 23:12:42 +00:00			`std::array< byte_t, 4096 > tmp;`
			`llarp_buffer_t buf(tmp);`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`std::error_code ec;`
Backup SNApp keys when migrating to new ed25519 crypto 2019-12-06 18:21:14 +00:00
			`bool exists = fs::exists(fname, ec);`
			`if(ec)`
			`{`
Include error code in log output in Identity::EnsureKeys() 2019-12-12 15:46:30 +00:00			`LogError("Could not query file status for ", fname, ": ", ec.message());`
Backup SNApp keys when migrating to new ed25519 crypto 2019-12-06 18:21:14 +00:00			`return false;`
			`}`

			`if(exists and needBackup)`
			`{`
			`KeyManager::backupFileByMoving(fname);`
			`exists = false;`
			`}`

Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`// check for file`
Backup SNApp keys when migrating to new ed25519 crypto 2019-12-06 18:21:14 +00:00			`if(!exists)`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`{`
			`// regen and encode`
Port code to use CryptoManager over passing Crypto pointers 2019-05-28 19:45:08 +00:00			`RegenerateKeys();`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`if(!BEncode(&buf))`
			`return false;`
			`// rewind`
			`buf.sz = buf.cur - buf.base;`
			`buf.cur = buf.base;`
			`// write`
continue using llarp::openfilestream 2019-06-24 16:39:03 +00:00			`auto optional_f =`
			`util::OpenFileStream< std::ofstream >(fname, std::ios::binary);`
			`if(!optional_f)`
			`return false;`
			`auto& f = optional_f.value();`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`if(!f.is_open())`
			`return false;`
			`f.write((char*)buf.cur, buf.sz);`
			`}`
More explicit error when keyfile is not a valid file 2019-05-18 17:34:07 +00:00
			`if(!fs::is_regular_file(fname))`
			`{`
			`LogError("keyfile ", fname, " is not a regular file");`
			`return false;`
			`}`

Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`// read file`
			`std::ifstream inf(fname, std::ios::binary);`
			`inf.seekg(0, std::ios::end);`
			`size_t sz = inf.tellg();`
			`inf.seekg(0, std::ios::beg);`

			`if(sz > sizeof(tmp))`
			`return false;`
			`// decode`
			`inf.read((char*)buf.base, sz);`
Remove all use of IBEncodeMessage 2019-05-24 02:01:36 +00:00			`if(!bencode_decode_dict(*this, &buf))`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`return false;`

			`ServiceInfo::OptNonce van;`
			`if(!vanity.IsZero())`
			`van = vanity;`
			`// update pubkeys`
don't derive x25519 key from ed25519 key 2020-02-03 22:20:56 +00:00			`pub.Update(seckey_topublic(signkey), seckey_topublic(enckey), van);`
initial dht key blinding 2020-01-27 21:30:41 +00:00			`auto crypto = CryptoManager::instance();`
Derived key fixes The reason things weren't working here is because libsodium does something completely unintuitive and called the seed the "secret key" when it isn't, it's the seed. This adds a new PrivateKey class (alongside the existing SecretKey and PubKey) that holds just a private key value but no seed -- which we need to do because there is no way we can get a seed after calculating a derived keypair. With these changes, we now generate exactly the same keys and subkeys as Tor (and a new test case uses values generated in Tor to verify this). This is incomplete -- the subkey signing code is still not implemented; it has to be adapted to create a signature from a PrivateKey rather than a SecretKey which will probably requiring working around/reimplementing some of what libsodium does for creating a signature since it expects "secret keys" i.e. the seed. 2020-01-30 16:34:05 +00:00			`return crypto->derive_subkey_private(derivedSignKey, signkey, 1);`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`}`

initial dht key blinding 2020-01-27 21:30:41 +00:00			`absl::optional< EncryptedIntroSet >`
			`Identity::EncryptAndSignIntroSet(const IntroSet& other_i,`
			`llarp_time_t now) const`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`{`
initial dht key blinding 2020-01-27 21:30:41 +00:00			`EncryptedIntroSet encrypted;`

			`if(other_i.I.size() == 0)`
			`return {};`
			`IntroSet i(other_i);`
			`encrypted.nounce.Randomize();`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`// set timestamp`
			`// TODO: round to nearest 1000 ms`
initial dht key blinding 2020-01-27 21:30:41 +00:00			`i.T = now;`
			`encrypted.signedAt = now;`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`// set service info`
			`i.A = pub;`
			`// set public encryption key`
			`i.K = pq_keypair_to_public(pq);`
Create CopyableBuffer type 2019-02-02 23:12:42 +00:00			`std::array< byte_t, MAX_INTROSET_SIZE > tmp;`
			`llarp_buffer_t buf(tmp);`
initial dht key blinding 2020-01-27 21:30:41 +00:00			`if(not i.BEncode(&buf))`
			`return {};`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`// rewind and resize buffer`
			`buf.sz = buf.cur - buf.base;`
			`buf.cur = buf.base;`
initial dht key blinding 2020-01-27 21:30:41 +00:00			`const SharedSecret k(i.A.Addr());`
			`CryptoManager::instance()->xchacha20(buf, k, encrypted.nounce);`
does not work 2020-01-28 21:55:36 +00:00			`encrypted.introsetPayload.resize(buf.sz);`
initial dht key blinding 2020-01-27 21:30:41 +00:00			`std::copy_n(buf.base, buf.sz, encrypted.introsetPayload.data());`
			`if(not encrypted.Sign(derivedSignKey))`
			`return {};`
			`return encrypted;`
Reorganise tests to mirror source layout 2019-01-11 00:12:43 +00:00			`}`
			`} // namespace service`
			`} // namespace llarp`