#include "crypto_libsodium.hpp" #include #include #include #include #include #include #include #include #include #include #include #include #include #include extern "C" { extern int sodium_init(void); } namespace llarp { namespace sodium { static bool dh(llarp::SharedSecret& out, const PubKey& client_pk, const PubKey& server_pk, const uint8_t* themPub, const SecretKey& usSec) { llarp::SharedSecret shared; crypto_generichash_state h; if (crypto_scalarmult_curve25519(shared.data(), usSec.data(), themPub)) { return false; } crypto_generichash_blake2b_init(&h, nullptr, 0U, shared.size()); crypto_generichash_blake2b_update(&h, client_pk.data(), 32); crypto_generichash_blake2b_update(&h, server_pk.data(), 32); crypto_generichash_blake2b_update(&h, shared.data(), 32); crypto_generichash_blake2b_final(&h, out.data(), shared.size()); return true; } static bool dh_client_priv( llarp::SharedSecret& shared, const PubKey& pk, const SecretKey& sk, const TunnelNonce& n) { llarp::SharedSecret dh_result; if (dh(dh_result, sk.toPublic(), pk, pk.data(), sk)) { return crypto_generichash_blake2b(shared.data(), 32, n.data(), 32, dh_result.data(), 32) != -1; } llarp::LogWarn("crypto::dh_client - dh failed"); return false; } static bool dh_server_priv( llarp::SharedSecret& shared, const PubKey& pk, const SecretKey& sk, const TunnelNonce& n) { llarp::SharedSecret dh_result; if (dh(dh_result, pk, sk.toPublic(), pk.data(), sk)) { return crypto_generichash_blake2b(shared.data(), 32, n.data(), 32, dh_result.data(), 32) != -1; } llarp::LogWarn("crypto::dh_server - dh failed"); return false; } CryptoLibSodium::CryptoLibSodium() { if (sodium_init() == -1) { throw std::runtime_error("sodium_init() returned -1"); } char* avx2 = std::getenv("AVX2_FORCE_DISABLE"); if (avx2 && std::string(avx2) == "1") { ntru_init(1); } else { ntru_init(0); } int seed = 0; randombytes(reinterpret_cast(&seed), sizeof(seed)); srand(seed); } std::optional> CryptoLibSodium::maybe_decrypt_name( std::string_view ciphertext, SymmNonce nounce, std::string_view name) { const auto payloadsize = ciphertext.size() - crypto_aead_xchacha20poly1305_ietf_ABYTES; if (payloadsize != 32) return {}; SharedSecret derivedKey{}; ShortHash namehash{}; const llarp_buffer_t namebuf(reinterpret_cast(name.data()), name.size()); if (not shorthash(namehash, namebuf)) return {}; if (not hmac(derivedKey.data(), namebuf, namehash)) return {}; AlignedBuffer<32> result{}; if (crypto_aead_xchacha20poly1305_ietf_decrypt( result.data(), nullptr, nullptr, reinterpret_cast(ciphertext.data()), ciphertext.size(), nullptr, 0, nounce.data(), derivedKey.data()) == -1) { return {}; } return result; } bool CryptoLibSodium::xchacha20( const llarp_buffer_t& buff, const SharedSecret& k, const TunnelNonce& n) { return crypto_stream_xchacha20_xor(buff.base, buff.base, buff.sz, n.data(), k.data()) == 0; } bool CryptoLibSodium::xchacha20_alt( const llarp_buffer_t& out, const llarp_buffer_t& in, const SharedSecret& k, const byte_t* n) { if (in.sz > out.sz) return false; return crypto_stream_xchacha20_xor(out.base, in.base, in.sz, n, k.data()) == 0; } bool CryptoLibSodium::dh_client( llarp::SharedSecret& shared, const PubKey& pk, const SecretKey& sk, const TunnelNonce& n) { return dh_client_priv(shared, pk, sk, n); } /// path dh relay side bool CryptoLibSodium::dh_server( llarp::SharedSecret& shared, const PubKey& pk, const SecretKey& sk, const TunnelNonce& n) { return dh_server_priv(shared, pk, sk, n); } /// transport dh client side bool CryptoLibSodium::transport_dh_client( llarp::SharedSecret& shared, const PubKey& pk, const SecretKey& sk, const TunnelNonce& n) { return dh_client_priv(shared, pk, sk, n); } /// transport dh server side bool CryptoLibSodium::transport_dh_server( llarp::SharedSecret& shared, const PubKey& pk, const SecretKey& sk, const TunnelNonce& n) { return dh_server_priv(shared, pk, sk, n); } bool CryptoLibSodium::shorthash(ShortHash& result, const llarp_buffer_t& buff) { return crypto_generichash_blake2b( result.data(), ShortHash::SIZE, buff.base, buff.sz, nullptr, 0) != -1; } bool CryptoLibSodium::hmac(byte_t* result, const llarp_buffer_t& buff, const SharedSecret& secret) { return crypto_generichash_blake2b( result, HMACSIZE, buff.base, buff.sz, secret.data(), HMACSECSIZE) != -1; } static bool hash(uint8_t* result, const llarp_buffer_t& buff) { return crypto_generichash_blake2b(result, HASHSIZE, buff.base, buff.sz, nullptr, 0) != -1; } bool CryptoLibSodium::sign(Signature& sig, const SecretKey& secret, const llarp_buffer_t& buf) { return crypto_sign_detached(sig.data(), nullptr, buf.base, buf.sz, secret.data()) != -1; } bool CryptoLibSodium::sign(Signature& sig, const PrivateKey& privkey, const llarp_buffer_t& buf) { PubKey pubkey; privkey.toPublic(pubkey); crypto_hash_sha512_state hs; unsigned char nonce[64]; unsigned char hram[64]; unsigned char mulres[32]; // r = H(s || M) where here s is pseudorandom bytes typically generated as // part of hashing the seed (i.e. [a,s] = H(k)), but for derived // PrivateKeys will come from a hash of the root key's s concatenated with // the derivation hash. crypto_hash_sha512_init(&hs); crypto_hash_sha512_update(&hs, privkey.signingHash(), 32); crypto_hash_sha512_update(&hs, buf.base, buf.sz); crypto_hash_sha512_final(&hs, nonce); crypto_core_ed25519_scalar_reduce(nonce, nonce); // copy pubkey into sig to make (for now) sig = (R || A) memmove(sig.data() + 32, pubkey.data(), 32); // R = r * B crypto_scalarmult_ed25519_base_noclamp(sig.data(), nonce); // hram = H(R || A || M) crypto_hash_sha512_init(&hs); crypto_hash_sha512_update(&hs, sig.data(), 64); crypto_hash_sha512_update(&hs, buf.base, buf.sz); crypto_hash_sha512_final(&hs, hram); // S = r + H(R || A || M) * s, so sig = (R || S) crypto_core_ed25519_scalar_reduce(hram, hram); crypto_core_ed25519_scalar_mul(mulres, hram, privkey.data()); crypto_core_ed25519_scalar_add(sig.data() + 32, mulres, nonce); sodium_memzero(nonce, sizeof nonce); return true; } bool CryptoLibSodium::verify(const PubKey& pub, const llarp_buffer_t& buf, const Signature& sig) { return crypto_sign_verify_detached(sig.data(), buf.base, buf.sz, pub.data()) != -1; } /// clamp a 32 byte ec point static void clamp_ed25519(byte_t* out) { out[0] &= 248; out[31] &= 127; out[31] |= 64; } template static K clamp(const K& p) { K out = p; clamp_ed25519(out); return out; } template static bool is_clamped(const K& key) { K other(key); clamp_ed25519(other.data()); return other == key; } constexpr static char derived_key_hash_str[161] = "just imagine what would happen if we all decided to understand. you " "can't in the and by be or then before so just face it this text hurts " "to read? lokinet yolo!"; template static bool make_scalar(AlignedBuffer<32>& out, const K& k, uint64_t i) { // b = BLIND-STRING || k || i std::array buf; std::copy(derived_key_hash_str, derived_key_hash_str + 160, buf.begin()); std::copy(k.begin(), k.end(), buf.begin() + 160); htole64buf(buf.data() + 160 + K::SIZE, i); // n = H(b) // h = make_point(n) ShortHash n; return -1 != crypto_generichash_blake2b( n.data(), ShortHash::SIZE, buf.data(), buf.size(), nullptr, 0) && -1 != crypto_core_ed25519_from_uniform(out.data(), n.data()); } static AlignedBuffer<32> zero; bool CryptoLibSodium::derive_subkey( PubKey& out_pubkey, const PubKey& root_pubkey, uint64_t key_n, const AlignedBuffer<32>* hash) { // scalar h = H( BLIND-STRING || root_pubkey || key_n ) AlignedBuffer<32> h; if (hash) h = *hash; else if (not make_scalar(h, root_pubkey, key_n)) { LogError("cannot make scalar"); return false; } return 0 == crypto_scalarmult_ed25519(out_pubkey.data(), h.data(), root_pubkey.data()); } bool CryptoLibSodium::derive_subkey_private( PrivateKey& out_key, const SecretKey& root_key, uint64_t key_n, const AlignedBuffer<32>* hash) { // Derives a private subkey from a root key. // // The basic idea is: // // h = H( BLIND-STRING || A || key_n ) // a - private key // A = aB - public key // s - signing hash // a' = ah - derived private key // A' = a'B = (ah)B - derived public key // s' = H(h || s) - derived signing hash // // libsodium throws some wrenches in the mechanics which are a nuisance, // the biggest of which is that sodium's secret key is *not* `a`; rather // it is the seed. If you want to get the private key (i.e. "a"), you // need to SHA-512 hash it and then clamp that. // // This also makes signature verification harder: we can't just use // sodium's sign function because it wants to be given the seed rather // than the private key, and moreover we can't actually *get* the seed to // make libsodium happy because we only have `ah` above; thus we // reimplemented most of sodium's detached signing function but without // the hash step. // // Lastly, for the signing hash s', we need some value that is both // different from the root s but also unknowable from the public key // (since otherwise `r` in the signing function would be known), so we // generate it from a hash of `h` and the root key's (psuedorandom) // signing hash, `s`. // const auto root_pubkey = root_key.toPublic(); AlignedBuffer<32> h; if (hash) h = *hash; else if (not make_scalar(h, root_pubkey, key_n)) { LogError("cannot make scalar"); return false; } h[0] &= 248; h[31] &= 63; h[31] |= 64; PrivateKey a; if (!root_key.toPrivate(a)) return false; // a' = ha crypto_core_ed25519_scalar_mul(out_key.data(), h.data(), a.data()); // s' = H(h || s) std::array buf; std::copy(h.begin(), h.end(), buf.begin()); std::copy(a.signingHash(), a.signingHash() + 32, buf.begin() + 32); return -1 != crypto_generichash_blake2b( out_key.signingHash(), 32, buf.data(), buf.size(), nullptr, 0); return true; } bool CryptoLibSodium::seed_to_secretkey(llarp::SecretKey& secret, const llarp::IdentitySecret& seed) { return crypto_sign_ed25519_seed_keypair(secret.data() + 32, secret.data(), seed.data()) != -1; } void CryptoLibSodium::randomize(const llarp_buffer_t& buff) { randombytes((unsigned char*)buff.base, buff.sz); } void CryptoLibSodium::randbytes(byte_t* ptr, size_t sz) { randombytes((unsigned char*)ptr, sz); } void CryptoLibSodium::identity_keygen(llarp::SecretKey& keys) { PubKey pk; int result = crypto_sign_keypair(pk.data(), keys.data()); assert(result != -1); const PubKey sk_pk = keys.toPublic(); assert(pk == sk_pk); (void)result; (void)sk_pk; // encryption_keygen(keys); } bool CryptoLibSodium::check_identity_privkey(const llarp::SecretKey& keys) { AlignedBuffer seed; llarp::PubKey pk; llarp::SecretKey sk; if (crypto_sign_ed25519_sk_to_seed(seed.data(), keys.data()) == -1) return false; if (crypto_sign_seed_keypair(pk.data(), sk.data(), seed.data()) == -1) return false; return keys.toPublic() == pk && sk == keys; } void CryptoLibSodium::encryption_keygen(llarp::SecretKey& keys) { auto d = keys.data(); randbytes(d, 32); crypto_scalarmult_curve25519_base(d + 32, d); } bool CryptoLibSodium::pqe_encrypt( PQCipherBlock& ciphertext, SharedSecret& sharedkey, const PQPubKey& pubkey) { return crypto_kem_enc(ciphertext.data(), sharedkey.data(), pubkey.data()) != -1; } bool CryptoLibSodium::pqe_decrypt( const PQCipherBlock& ciphertext, SharedSecret& sharedkey, const byte_t* secretkey) { return crypto_kem_dec(sharedkey.data(), ciphertext.data(), secretkey) != -1; } void CryptoLibSodium::pqe_keygen(PQKeyPair& keypair) { auto d = keypair.data(); crypto_kem_keypair(d + PQ_SECRETKEYSIZE, d); } } // namespace sodium const byte_t* seckey_topublic(const SecretKey& sec) { return sec.data() + 32; } const byte_t* pq_keypair_to_public(const PQKeyPair& k) { return k.data() + PQ_SECRETKEYSIZE; } const byte_t* pq_keypair_to_secret(const PQKeyPair& k) { return k.data(); } uint64_t randint() { uint64_t i; randombytes((byte_t*)&i, sizeof(i)); return i; } } // namespace llarp