update iwp

6 years ago · d6b5fc5224
parent 9deafe7ce8
commit d6b5fc5224
4 changed files with 96 additions and 24 deletions
--- a/doc/iwp_v0.txt
+++ b/doc/iwp_v0.txt
@ -41,29 +41,27 @@ handshake:

 0) intro

-32 bytes hmac, h
+64 bytes signature, s
 32 bytes nounce, n
-32 bytes random, r
 32 bytes encrypted alice's transport public encryption key e
 variadic bytes padding, w0

-Alice transmits ( h + n + r + e ) to Bob from the transport address matching
+Alice transmits ( h + n + e + w0 ) to Bob from the transport address matching
 his public transport encryption key (b.k).

 w0 = "[insert variable length random padding here]"
-r = RAND(32)
 n = RAND(32)
-e = SE(a.k + w0, HS(b.k + r), n[0:24])
-s = TKE(a.k, b.k, n)
-h = MDS(r + e, s)
+e = SE(a.k, HS(b.k + n), n[0:24])
+S = TKE(a.k, b.k, n)
+s = S(a.k.privkey, n + e + w0 )

-Bob recieves ( h + n + r + e ) 
+Bob recieves ( s + n + e + w0 ) 

 1) intro ack

 sent in reply to an intro, bob sends an intro ack encrypted to Alice using

-32 bytes hmac, h
+64 bytes signature, s
 32 bytes nounce, n
 32 bytes ciphertext, x
 variadic bytes padding, w1
@ -72,10 +70,10 @@ w1 = "[insert variable length random padding here]"
 token = RAND(32)
 k = TKE(a.k, b.k, n)
 x = SE(k, token, n[0:24])
-h = MDS(n + x + w1, k)
+s = S(b.k.privkey, n + x + w1)

-Bob transmits ( h + n + x + w1 ), r is ignored and discarded
-Alice recieves ( h + n + x + w1 ) and verifies that h == MDS(n + x, k) silently
+Bob transmits ( s + n + x + w1 ), r is ignored and discarded
+Alice recieves ( s + n + x + w1 ) and verifies the signature silently
 dropping if it does not match.

 2) token offer
--- a/include/llarp/crypto.h
+++ b/include/llarp/crypto.h
@ -13,6 +13,7 @@ extern "C" {
 #define NOUNCESIZE 24
 #define SHAREDKEYSIZE 32
 #define HASHSIZE 64
+#define SHORTHASHSIZE 32
 #define HMACSECSIZE 32
 #define SIGSIZE 64
 #define TUNNOUNCESIZE 32
@ -23,6 +24,7 @@ typedef uint8_t llarp_seckey_t[SECKEYSIZE];
 typedef uint8_t llarp_nounce_t[NOUNCESIZE];
 typedef uint8_t llarp_sharedkey_t[SHAREDKEYSIZE];
 typedef uint8_t llarp_hash_t[HASHSIZE];
+typedef uint8_t llarp_shorthash_t[SHORTHASHSIZE];
 typedef uint8_t llarp_hmac_t[HMACSIZE];
 typedef uint8_t llarp_hmacsec_t[HMACSECSIZE];
 typedef uint8_t llarp_sig_t[SIGSIZE];
@ -34,15 +36,22 @@ static INLINE uint8_t *llarp_seckey_topublic(llarp_seckey_t k) {

 typedef bool (*llarp_dh_func)(llarp_sharedkey_t *, llarp_pubkey_t,
                              llarp_tunnel_nounce_t, llarp_seckey_t);
+
+  
+typedef bool (*llarp_transport_dh_func)(llarp_sharedkey_t *, llarp_pubkey_t,
+                                          llarp_seckey_t, uint8_t *);
+  
 typedef bool (*llarp_sym_cipher_func)(llarp_buffer_t, llarp_sharedkey_t,
                                      llarp_nounce_t);

 typedef bool (*llarp_hash_func)(llarp_hash_t *, llarp_buffer_t);

+typedef bool (*llarp_shorthash_func)(llarp_shorthash_t *, llarp_buffer_t);
+
 typedef bool (*llarp_hmac_func)(llarp_hmac_t *, llarp_buffer_t,
                                llarp_hmacsec_t);

-typedef bool (*llarp_sign_func)(llarp_sig_t *, llarp_seckey_t, llarp_buffer_t);
+typedef bool (*llarp_sign_func)(uint8_t *, llarp_seckey_t, llarp_buffer_t);

 typedef bool (*llarp_verify_func)(llarp_pubkey_t, llarp_buffer_t, llarp_sig_t);

@ -50,7 +59,10 @@ struct llarp_crypto {
  llarp_sym_cipher_func xchacha20;
  llarp_dh_func dh_client;
  llarp_dh_func dh_server;
+  llarp_transport_dh_func transport_dh_client;
+  llarp_transport_dh_func transport_dh_server;
  llarp_hash_func hash;
+  llarp_shorthash_func shorthash;
  llarp_hmac_func hmac;
  llarp_sign_func sign;
  llarp_verify_func verify;
@ -61,6 +73,8 @@ struct llarp_crypto {

 void llarp_crypto_libsodium_init(struct llarp_crypto *c);

+bool llarp_crypto_initialized(struct llarp_crypto * c);
+  
 #ifdef __cplusplus
 }
 #endif
--- a/llarp/crypto_libsodium.cpp
+++ b/llarp/crypto_libsodium.cpp
@ -13,8 +13,8 @@ static bool xchacha20(llarp_buffer_t buff, llarp_sharedkey_t k,
 static bool dh(llarp_sharedkey_t *shared, uint8_t *client_pk,
               uint8_t *server_pk, uint8_t *remote_key, uint8_t *local_key) {
  uint8_t *out = *shared;
-  const size_t outsz = SHAREDKEYSIZE;
  crypto_generichash_state h;
+  const size_t outsz = SHAREDKEYSIZE;
  if (crypto_scalarmult(out, local_key, remote_key) == -1) return false;
  crypto_generichash_init(&h, NULL, 0U, outsz);
  crypto_generichash_update(&h, client_pk, sizeof(llarp_pubkey_t));
@ -26,9 +26,7 @@ static bool dh(llarp_sharedkey_t *shared, uint8_t *client_pk,

 static bool dh_client(llarp_sharedkey_t *shared, llarp_pubkey_t pk,
                      llarp_tunnel_nounce_t n, llarp_seckey_t sk) {
-  llarp_pubkey_t local_pk;
-  crypto_scalarmult_base(local_pk, sk);
-  if (dh(shared, local_pk, pk, pk, sk)) {
+  if (dh(shared, llarp_seckey_topublic(sk), pk, pk, sk)) {
    return crypto_generichash(*shared, SHAREDKEYSIZE, *shared, SHAREDKEYSIZE, n,
                              TUNNOUNCESIZE) != -1;
  }
@ -37,15 +35,32 @@ static bool dh_client(llarp_sharedkey_t *shared, llarp_pubkey_t pk,

 static bool dh_server(llarp_sharedkey_t *shared, llarp_pubkey_t pk,
                      llarp_tunnel_nounce_t n, llarp_seckey_t sk) {
-  llarp_pubkey_t local_pk;
-  crypto_scalarmult_base(local_pk, sk);
-  if (dh(shared, pk, local_pk, pk, sk)) {
+  if (dh(shared, pk, llarp_seckey_topublic(sk), pk, sk)) {
    return crypto_generichash(*shared, SHAREDKEYSIZE, *shared, SHAREDKEYSIZE, n,
                              TUNNOUNCESIZE) != -1;
  }
  return false;
 }

+
+static bool transport_dh_client(llarp_sharedkey_t *shared, llarp_pubkey_t pk,
+                                llarp_seckey_t sk, uint8_t * n) {
+  if (dh(shared, llarp_seckey_topublic(sk), pk, pk, sk)) {
+    return crypto_generichash(*shared, SHAREDKEYSIZE, *shared, SHAREDKEYSIZE, n,
+                              NOUNCESIZE) != -1;
+  }
+  return false;
+}
+
+static bool transport_dh_server(llarp_sharedkey_t *shared, llarp_pubkey_t pk,
+                                llarp_seckey_t sk, uint8_t * n) {
+  if (dh(shared, pk, llarp_seckey_topublic(sk), pk, sk)) {
+    return crypto_generichash(*shared, SHAREDKEYSIZE, *shared, SHAREDKEYSIZE, n,
+                              NOUNCESIZE) != -1;
+  }
+  return false;
+}
+
 static bool hash(llarp_hash_t *result, llarp_buffer_t buff) {
  const uint8_t *base = (const uint8_t *)buff.base;
  return crypto_generichash(*result, HASHSIZE, base, buff.sz, nullptr, 0) != -1;
@ -58,10 +73,10 @@ static bool hmac(llarp_hash_t *result, llarp_buffer_t buff,
                            secret, HMACSECSIZE) != -1;
 }

-static bool sign(llarp_sig_t *result, llarp_seckey_t secret,
+static bool sign(uint8_t *result, llarp_seckey_t secret,
                 llarp_buffer_t buff) {
  const uint8_t *base = (const uint8_t *)buff.base;
-  return crypto_sign_detached(*result, nullptr, base, buff.sz, secret) != -1;
+  return crypto_sign_detached(result, nullptr, base, buff.sz, secret) != -1;
 }

 static bool verify(llarp_pubkey_t pub, llarp_buffer_t buff, llarp_sig_t sig) {
@ -91,6 +106,8 @@ void llarp_crypto_libsodium_init(struct llarp_crypto *c) {
  c->xchacha20 = llarp::sodium::xchacha20;
  c->dh_client = llarp::sodium::dh_client;
  c->dh_server = llarp::sodium::dh_server;
+  c->transport_dh_client = llarp::sodium::transport_dh_client;
+  c->transport_dh_server = llarp::sodium::transport_dh_server;
  c->hash = llarp::sodium::hash;
  c->hmac = llarp::sodium::hmac;
  c->sign = llarp::sodium::sign;
--- a/llarp/iwp_link.cpp
+++ b/llarp/iwp_link.cpp
@ -1,6 +1,7 @@
 #include <llarp/iwp.h>
 #include <llarp/net.h>

+#include <cassert>
 #include <fstream>
 #include <map>

@ -10,9 +11,51 @@

 namespace iwp
 {
-
+  
 struct session
 {
+  llarp_crypto * crypto;
+  llarp_seckey_t eph_seckey;
+  llarp_sharedkey_t sessionkey;
+  
+  session(llarp_crypto * c) :
+    crypto(c)
+  {
+    c->keygen(&eph_seckey);
+  }
+  
+  /** generate session intro for outbound session */
+  void generate_intro(llarp_pubkey_t remote, uint8_t * buf, size_t sz)
+  {
+    assert(sz > 64);
+    uint8_t tmp[64];
+    llarp_nounce_t nounce;
+    llarp_buffer_t buffer;
+    llarp_shorthash_t e_key;
+    uint8_t * sig = buf;
+    buf += 64;
+    uint8_t * n = buf;
+    // n = RAND(32)
+    crypto->randbytes(n, 32);
+    // nounce = n[0:24]
+    memcpy(nounce, n, 24);
+    // e_k = HS(b.k + n)
+    memcpy(tmp, remote, 32);
+    memcpy(tmp +32, n, 32);
+    buffer.base = (char*)tmp;
+    buffer.cur = (char*)tmp;
+    buffer.sz = sizeof(tmp);
+    crypto->shorthash(&e_key, buffer);
+    // e = SE(a.k, e_k, nounce)
+    crypto->xchacha20(buffer, e_key, nounce);
+    // S = TKE(a.k, a.b, n)
+    crypto->transport_dh_client(&sessionkey, remote, eph_seckey, n);
+    buffer.base = (char*)n;
+    buffer.cur = (char*)n;
+    buffer.sz = sz - 64;
+    // s = S(a.k.privkey, n + e + w0)
+    crypto->sign(sig, eph_seckey, buffer);
+  }
 };

 struct server
@ -28,7 +71,7 @@ struct server
  std::map<llarp::Addr, llarp_link_session> sessions;

  llarp_seckey_t seckey;
-  
+
  void inbound_session(llarp::Addr & src)
  {