update docs and make it compile

6 years ago · a3a359de8e
parent e1788a5cc9
commit a3a359de8e
7 changed files with 112 additions and 25 deletions
--- a/doc/iwp_v0.txt
+++ b/doc/iwp_v0.txt
@ -41,7 +41,7 @@ handshake:

 0) intro

-64 bytes signature, s
+32 bytes hmac, h
 32 bytes nounce, n
 32 bytes encrypted alice's transport public encryption key e
 variadic bytes padding, w0
@ -53,7 +53,7 @@ w0 = "[insert variable length random padding here]"
 n = RAND(32)
 e = SE(a.k, HS(b.k + n), n[0:24])
 S = TKE(a.k, b.k, n)
-s = S(a.k.privkey, n + e + w0 )
+h = MDS(n + e + w0, S)

 Bob recieves ( s + n + e + w0 ) 

@ -61,16 +61,16 @@ Bob recieves ( s + n + e + w0 )

 sent in reply to an intro, bob sends an intro ack encrypted to Alice using

-64 bytes signature, s
+32 bytes hmac, h
 32 bytes nounce, n
 32 bytes ciphertext, x
 variadic bytes padding, w1

 w1 = "[insert variable length random padding here]"
 token = RAND(32)
-k = TKE(a.k, b.k, n)
+S = TKE(a.k, b.k, n)
 x = SE(k, token, n[0:24])
-s = S(b.k.privkey, n + x + w1)
+h = MDS(n + x + w1, S)

 Bob transmits ( s + n + x + w1 ), r is ignored and discarded
 Alice recieves ( s + n + x + w1 ) and verifies the signature silently
--- a/include/llarp/crypto.h
+++ b/include/llarp/crypto.h
@ -17,7 +17,7 @@ extern "C" {
 #define HMACSECSIZE 32
 #define SIGSIZE 64
 #define TUNNOUNCESIZE 32
-#define HMACSIZE 64
+#define HMACSIZE 32

 typedef uint8_t llarp_pubkey_t[PUBKEYSIZE];
 typedef uint8_t llarp_seckey_t[SECKEYSIZE];
@ -48,12 +48,12 @@ typedef bool (*llarp_hash_func)(llarp_hash_t *, llarp_buffer_t);

 typedef bool (*llarp_shorthash_func)(llarp_shorthash_t *, llarp_buffer_t);

-typedef bool (*llarp_hmac_func)(llarp_hmac_t *, llarp_buffer_t,
-                                llarp_hmacsec_t);
+typedef bool (*llarp_hmac_func)(uint8_t *, llarp_buffer_t,
+                                const uint8_t *);

 typedef bool (*llarp_sign_func)(uint8_t *, llarp_seckey_t, llarp_buffer_t);

-typedef bool (*llarp_verify_func)(llarp_pubkey_t, llarp_buffer_t, llarp_sig_t);
+typedef bool (*llarp_verify_func)(const uint8_t *, llarp_buffer_t, const uint8_t *);

 struct llarp_crypto {
  llarp_sym_cipher_func xchacha20;
--- a/include/llarp/crypto_async.h
+++ b/include/llarp/crypto_async.h
@ -79,8 +79,6 @@ struct iwp_async_intro
  uint8_t * remote_pubkey;
  /** local private key */
  uint8_t * secretkey;
-  /** resulting shared key */
-  uint8_t * sharedkey;
  /** callback */
  iwp_intro_hook hook;
 };
@ -95,6 +93,7 @@ typedef void (*iwp_introack_hook)(struct iwp_async_introack *);
  
 struct iwp_async_introack
 {
+  struct llarp_async_iwp * iwp;
  void * user;
  uint8_t * buf;
  size_t sz;
--- a/include/llarp/mem.h
+++ b/include/llarp/mem.h
@ -20,6 +20,9 @@ void llarp_mem_dmalloc(struct llarp_alloc * mem);
  
 void llarp_mem_slab(struct llarp_alloc * mem, uint32_t * buf, size_t sz);

+
+/** constant time memcmp */
+bool llarp_eq(const void * a, const void * b, size_t sz);
  
 #ifdef __cplusplus
 }
--- a/llarp/crypto_async.c
+++ b/llarp/crypto_async.c
@ -219,7 +219,8 @@ static void iwp_inform_genintro(void * user)
 static void iwp_do_genintro(void * user)
 {
  struct iwp_async_intro * intro = user;
-  llarp_shorthash_t sharedkey;
+  llarp_sharedkey_t sharedkey;
+  llarp_shorthash_t e_k;
  llarp_buffer_t buf;
  struct llarp_crypto * crypto = intro->iwp->crypto;
  uint8_t tmp[64];
@ -228,23 +229,22 @@ static void iwp_do_genintro(void * user)
    .work = &iwp_inform_genintro
  };
  // S = TKE(a.k, b.k, n)
-  crypto->transport_dh_client(intro->sharedkey, intro->remote_pubkey, intro->secretkey, intro->nonce);
+  crypto->transport_dh_client(sharedkey, intro->remote_pubkey, intro->secretkey, intro->nonce);
  
  buf.base = (char*)tmp;
  buf.sz = sizeof(tmp);
  // e_k = HS(b.k + n)
  memcpy(tmp, intro->remote_pubkey, 32);
  memcpy(tmp + 32, intro->nonce, 32);
-  crypto->shorthash(&sharedkey, buf);
+  crypto->shorthash(&e_k, buf);
  // e = SE(a.k, e_k, n[0:24])
-  memcpy(intro->buf + 64, llarp_seckey_topublic(intro->secretkey), 32);
-  buf.base = (char*) intro->buf + 64;
+  memcpy(intro->buf + 32, llarp_seckey_topublic(intro->secretkey), 32);
+  buf.base = (char*) intro->buf + 32;
  buf.sz = 32;
-  crypto->xchacha20(buf, sharedkey, intro->nonce);
-  // s = S(a.k.privkey, n + e + w0)
-  buf.sz = intro->sz - 64;
-  crypto->sign(intro->buf, intro->secretkey, buf);
-
+  crypto->xchacha20(buf, e_k, intro->nonce);
+  // h = MDS( n + e + w0, S)
+  buf.sz = intro->sz - 32;
+  crypto->hmac(intro->buf, buf, sharedkey);
  // inform result
  llarp_logic_queue_job(intro->iwp->logic, job);
 }
@ -259,3 +259,76 @@ void iwp_call_async_gen_intro(struct llarp_async_iwp * iwp, struct iwp_async_int
  };
  llarp_threadpool_queue_job(iwp->worker, job);
 }
+
+static void iwp_inform_verify_introack(void * user)
+{
+  struct iwp_async_introack * introack = user;
+  introack->hook(introack);
+}
+
+
+static void iwp_do_verify_introack(void * user)
+{
+  struct iwp_async_introack * introack = user;
+  struct llarp_crypto * crypto = introack->iwp->crypto;
+  struct llarp_logic * logic = introack->iwp->logic;
+
+  struct llarp_thread_job job = {
+    .user = user,
+    .work = &iwp_inform_verify_introack
+  };
+
+  llarp_hmac_t digest;
+  llarp_sharedkey_t sharedkey;
+  
+  uint8_t * hmac = introack->buf;
+  uint8_t * body = introack->buf + 32;
+  uint8_t * pubkey = introack->remote_pubkey;
+  uint8_t * secretkey = introack->secretkey;
+  uint8_t * nonce = introack->buf + 32;
+  uint8_t * token = introack->buf + 64;
+  size_t bodysz = introack->sz - 32;
+  llarp_buffer_t buf;
+  buf.base = (char*) body;
+  buf.sz = bodysz;
+
+  // S = TKE(a.k, b.k, n)
+  crypto->transport_dh_client(sharedkey, pubkey, secretkey, nonce);
+  
+  // h = MDS(n + x + w1, S)
+  crypto->hmac(digest, buf, sharedkey);
+  
+  if(!llarp_eq(digest, hmac, 32))
+  {
+    // fail to verify hmac
+    introack->buf = 0;
+    llarp_logic_queue_job(logic, job);
+    return;
+  }
+  buf.base = (char *) token;
+  buf.sz = 32;
+  // token = SD(S, x, n[0:24])
+  crypto->xchacha20(buf, sharedkey, nonce);
+  // copy token
+  memcpy(introack->token, token, 32);
+}
+
+
+void iwp_call_async_verify_introack(struct llarp_async_iwp * iwp, struct iwp_async_introack * introack)
+{
+  introack->iwp = iwp;
+  struct llarp_thread_job job = {
+    .user = introack,
+    .work = &iwp_do_verify_introack
+  };
+  llarp_threadpool_queue_job(iwp->worker, job);
+}
+
+void iwp_call_async_gen_session_start(struct llarp_async_iwp * iwp, struct iwp_async_session_start * session)
+{
+  
+}
+
+void iwp_call_async_frame_decrypt(struct llarp_async_iwp * iwp, struct iwp_async_frame * frame)
+{
+}
--- a/llarp/crypto_libsodium.cpp
+++ b/llarp/crypto_libsodium.cpp
@ -70,10 +70,10 @@ static bool shorthash(llarp_shorthash_t *result, llarp_buffer_t buff) {
  return crypto_generichash(*result, SHORTHASHSIZE, base, buff.sz, nullptr, 0) != -1;
 }

-static bool hmac(llarp_hash_t *result, llarp_buffer_t buff,
-                 llarp_seckey_t secret) {
+static bool hmac(uint8_t *result, llarp_buffer_t buff,
+                 const uint8_t * secret) {
  const uint8_t *base = (const uint8_t *)buff.base;
-  return crypto_generichash(*result, sizeof(llarp_hash_t), base, buff.sz,
+  return crypto_generichash(result, sizeof(llarp_hash_t), base, buff.sz,
                            secret, HMACSECSIZE) != -1;
 }

@ -83,7 +83,7 @@ static bool sign(uint8_t *result, llarp_seckey_t secret,
  return crypto_sign_detached(result, nullptr, base, buff.sz, secret) != -1;
 }

-static bool verify(llarp_pubkey_t pub, llarp_buffer_t buff, llarp_sig_t sig) {
+static bool verify(const uint8_t * pub, llarp_buffer_t buff, const uint8_t * sig) {
  const uint8_t *base = (const uint8_t *)buff.base;
  return crypto_sign_verify_detached(sig, base, buff.sz, pub) != -1;
 }
--- a/llarp/mem.cpp
+++ b/llarp/mem.cpp
@ -20,4 +20,16 @@ extern "C" {
    // not implemented
    abort();
  }
+
+  bool llarp_eq(const void * a, const void * b, size_t sz)
+  {
+    bool result = true;
+    const uint8_t * a_ptr = (const uint8_t *) a;
+    const uint8_t * b_ptr = (const uint8_t *) b;
+    while(sz--)
+    {
+      result &= a_ptr[sz] == b_ptr[sz];
+    }
+    return result;
+  }
 }