common: Replace the extra25519 import with an internal package

I really didn't want to do this, but this should make `go get` work again, and maybe people will leave me alone.
4 years ago · 2d8f3c8bbf
parent c357dd56df
commit 2d8f3c8bbf
9 changed files with 3565 additions and 7 deletions
--- a/1
+++ b/1
@ -1,4 +1,5 @@
 Changes in version 0.0.12 - UNRELEASED:
+ - Replace the extra25519 import with an internal package.

 Changes in version 0.0.11 - 2019-06-21:
 - Update my e-mail address.
--- a/common/ntor/ntor.go
+++ b/common/ntor/ntor.go
@ -43,10 +43,11 @@ import (
 	"fmt"
 	"io"

-	"github.com/agl/ed25519/extra25519"
-	"gitlab.com/yawning/obfs4.git/common/csrand"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/hkdf"
+
+	"gitlab.com/yawning/obfs4.git/common/csrand"
+	"gitlab.com/yawning/obfs4.git/internal/extra25519"
 )

 const (
@ -203,7 +204,7 @@ func (repr *Representative) Bytes() *[RepresentativeLength]byte {
 func (repr *Representative) ToPublic() *PublicKey {
 	pub := new(PublicKey)

-	extra25519.RepresentativeToPublicKey(pub.Bytes(), repr.Bytes())
+	extra25519.UnsafeBrokenRepresentativeToPublicKey(pub.Bytes(), repr.Bytes())
 	return pub
 }

@ -275,7 +276,7 @@ func NewKeypair(elligator bool) (*Keypair, error) {

 		if elligator {
 			// Apply the Elligator transform.  This fails ~50% of the time.
-			if !extra25519.ScalarBaseMult(keypair.public.Bytes(),
+			if !extra25519.UnsafeBrokenScalarBaseMult(keypair.public.Bytes(),
 				keypair.representative.Bytes(),
 				keypair.private.Bytes()) {
 				continue
--- a/go.mod
+++ b/go.mod
@ -2,9 +2,10 @@ module gitlab.com/yawning/obfs4.git

 require (
 	git.torproject.org/pluggable-transports/goptlib.git v1.0.0
-	github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412
 	github.com/dchest/siphash v1.2.1
 	gitlab.com/yawning/utls.git v0.0.11-1
 	golang.org/x/crypto v0.0.0-20190325154230-a5d413f7728c
 	golang.org/x/net v0.0.0-20190328230028-74de082e2cca
 )
+
+go 1.13
--- a/go.sum
+++ b/go.sum
@ -2,8 +2,6 @@ git.schwanenlied.me/yawning/bsaes.git v0.0.0-20190320102049-26d1add596b6 h1:zOrl
 git.schwanenlied.me/yawning/bsaes.git v0.0.0-20190320102049-26d1add596b6/go.mod h1:BWqTsj8PgcPriQJGl7el20J/7TuT1d/hSyFDXMEpoEo=
 git.torproject.org/pluggable-transports/goptlib.git v1.0.0 h1:ElTwFFPKf/tA6x5nuIk9g49JZzS4T5WN+eTQTjqd00A=
 git.torproject.org/pluggable-transports/goptlib.git v1.0.0/go.mod h1:YT4XMSkuEXbtqlydr9+OxqFAyspUv0Gr9qhM3B++o/Q=
-github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412 h1:w1UutsfOrms1J05zt7ISrnJIXKzwaspym5BTKGx93EI=
-github.com/agl/ed25519 v0.0.0-20170116200512-5312a6153412/go.mod h1:WPjqKcmVOxf0XSf3YxCJs6N6AOSrOx3obionmG7T0y0=
 github.com/dchest/siphash v1.2.1 h1:4cLinnzVJDKxTCl9B01807Yiy+W7ZzVHj/KIroQRvT4=
 github.com/dchest/siphash v1.2.1/go.mod h1:q+IRvb2gOSrUnYoPqHiyHXS0FOBBOdl6tONBlVnOnt4=
 github.com/dsnet/compress v0.0.1 h1:PlZu0n3Tuv04TzpfPbrnI0HW/YwodEXDS+oPKahKF0Q=
--- a/internal/README-extra25519.md
+++ b/internal/README-extra25519.md
@ -0,0 +1,21 @@
+This includes a copy of the edwards25519 and extra25519 packages authored
+by agl, that formerly lived at github.com/agl/ed25519 as of the commit
+5312a61534124124185d41f09206b9fef1d88403 with the following changes:
+
+ * Import paths fixed up.
+
+ * The unused Ed25519->X25519 key conversion routines were removed.
+
+ * `UnsafeBroken` was prefixed to the routines that are known to be
+   severely flawed.
+
+The only reason this is being done (despite agl's wishes that the code
+base dies, which I wanted to respect) is so people stop bothering me
+about it.
+
+Do not ask me questions about this.
+Do not use it in other projects.
+Do not use it in anything new.
+Do not expect me to maintain this beyond ensuring it continues to build.
+
+All I want is to be left alone.
--- a/internal/edwards25519/const.go
+++ b/internal/edwards25519/const.go
--- a/internal/edwards25519/edwards25519.go
+++ b/internal/edwards25519/edwards25519.go
--- a/internal/extra25519/extra25519.go
+++ b/internal/extra25519/extra25519.go
@ -0,0 +1,291 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package extra25519
+
+import "gitlab.com/yawning/obfs4.git/internal/edwards25519"
+
+// sqrtMinusAPlus2 is sqrt(-(486662+2))
+var sqrtMinusAPlus2 = edwards25519.FieldElement{
+	-12222970, -8312128, -11511410, 9067497, -15300785, -241793, 25456130, 14121551, -12187136, 3972024,
+}
+
+// sqrtMinusHalf is sqrt(-1/2)
+var sqrtMinusHalf = edwards25519.FieldElement{
+	-17256545, 3971863, 28865457, -1750208, 27359696, -16640980, 12573105, 1002827, -163343, 11073975,
+}
+
+// halfQMinus1Bytes is (2^255-20)/2 expressed in little endian form.
+var halfQMinus1Bytes = [32]byte{
+	0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f,
+}
+
+// feBytesLess returns one if a <= b and zero otherwise.
+func feBytesLE(a, b *[32]byte) int32 {
+	equalSoFar := int32(-1)
+	greater := int32(0)
+
+	for i := uint(31); i < 32; i-- {
+		x := int32(a[i])
+		y := int32(b[i])
+
+		greater = (^equalSoFar & greater) | (equalSoFar & ((x - y) >> 31))
+		equalSoFar = equalSoFar & (((x ^ y) - 1) >> 31)
+	}
+
+	return int32(^equalSoFar & 1 & greater)
+}
+
+// UnsafeBrokenScalarBaseMult computes a curve25519 public key from a private
+// key and also a uniform representative for that public key. Note that this
+// function will fail and return false for about half of private keys.
+// See http://elligator.cr.yp.to/elligator-20130828.pdf.
+func UnsafeBrokenScalarBaseMult(publicKey, representative, privateKey *[32]byte) bool {
+	var maskedPrivateKey [32]byte
+	copy(maskedPrivateKey[:], privateKey[:])
+
+	maskedPrivateKey[0] &= 248
+	maskedPrivateKey[31] &= 127
+	maskedPrivateKey[31] |= 64
+
+	var A edwards25519.ExtendedGroupElement
+	edwards25519.GeScalarMultBase(&A, &maskedPrivateKey)
+
+	var inv1 edwards25519.FieldElement
+	edwards25519.FeSub(&inv1, &A.Z, &A.Y)
+	edwards25519.FeMul(&inv1, &inv1, &A.X)
+	edwards25519.FeInvert(&inv1, &inv1)
+
+	var t0, u edwards25519.FieldElement
+	edwards25519.FeMul(&u, &inv1, &A.X)
+	edwards25519.FeAdd(&t0, &A.Y, &A.Z)
+	edwards25519.FeMul(&u, &u, &t0)
+
+	var v edwards25519.FieldElement
+	edwards25519.FeMul(&v, &t0, &inv1)
+	edwards25519.FeMul(&v, &v, &A.Z)
+	edwards25519.FeMul(&v, &v, &sqrtMinusAPlus2)
+
+	var b edwards25519.FieldElement
+	edwards25519.FeAdd(&b, &u, &edwards25519.A)
+
+	var c, b3, b7, b8 edwards25519.FieldElement
+	edwards25519.FeSquare(&b3, &b)   // 2
+	edwards25519.FeMul(&b3, &b3, &b) // 3
+	edwards25519.FeSquare(&c, &b3)   // 6
+	edwards25519.FeMul(&b7, &c, &b)  // 7
+	edwards25519.FeMul(&b8, &b7, &b) // 8
+	edwards25519.FeMul(&c, &b7, &u)
+	q58(&c, &c)
+
+	var chi edwards25519.FieldElement
+	edwards25519.FeSquare(&chi, &c)
+	edwards25519.FeSquare(&chi, &chi)
+
+	edwards25519.FeSquare(&t0, &u)
+	edwards25519.FeMul(&chi, &chi, &t0)
+
+	edwards25519.FeSquare(&t0, &b7) // 14
+	edwards25519.FeMul(&chi, &chi, &t0)
+	edwards25519.FeNeg(&chi, &chi)
+
+	var chiBytes [32]byte
+	edwards25519.FeToBytes(&chiBytes, &chi)
+	// chi[1] is either 0 or 0xff
+	if chiBytes[1] == 0xff {
+		return false
+	}
+
+	// Calculate r1 = sqrt(-u/(2*(u+A)))
+	var r1 edwards25519.FieldElement
+	edwards25519.FeMul(&r1, &c, &u)
+	edwards25519.FeMul(&r1, &r1, &b3)
+	edwards25519.FeMul(&r1, &r1, &sqrtMinusHalf)
+
+	var maybeSqrtM1 edwards25519.FieldElement
+	edwards25519.FeSquare(&t0, &r1)
+	edwards25519.FeMul(&t0, &t0, &b)
+	edwards25519.FeAdd(&t0, &t0, &t0)
+	edwards25519.FeAdd(&t0, &t0, &u)
+
+	edwards25519.FeOne(&maybeSqrtM1)
+	edwards25519.FeCMove(&maybeSqrtM1, &edwards25519.SqrtM1, edwards25519.FeIsNonZero(&t0))
+	edwards25519.FeMul(&r1, &r1, &maybeSqrtM1)
+
+	// Calculate r = sqrt(-(u+A)/(2u))
+	var r edwards25519.FieldElement
+	edwards25519.FeSquare(&t0, &c)   // 2
+	edwards25519.FeMul(&t0, &t0, &c) // 3
+	edwards25519.FeSquare(&t0, &t0)  // 6
+	edwards25519.FeMul(&r, &t0, &c)  // 7
+
+	edwards25519.FeSquare(&t0, &u)   // 2
+	edwards25519.FeMul(&t0, &t0, &u) // 3
+	edwards25519.FeMul(&r, &r, &t0)
+
+	edwards25519.FeSquare(&t0, &b8)   // 16
+	edwards25519.FeMul(&t0, &t0, &b8) // 24
+	edwards25519.FeMul(&t0, &t0, &b)  // 25
+	edwards25519.FeMul(&r, &r, &t0)
+	edwards25519.FeMul(&r, &r, &sqrtMinusHalf)
+
+	edwards25519.FeSquare(&t0, &r)
+	edwards25519.FeMul(&t0, &t0, &u)
+	edwards25519.FeAdd(&t0, &t0, &t0)
+	edwards25519.FeAdd(&t0, &t0, &b)
+	edwards25519.FeOne(&maybeSqrtM1)
+	edwards25519.FeCMove(&maybeSqrtM1, &edwards25519.SqrtM1, edwards25519.FeIsNonZero(&t0))
+	edwards25519.FeMul(&r, &r, &maybeSqrtM1)
+
+	var vBytes [32]byte
+	edwards25519.FeToBytes(&vBytes, &v)
+	vInSquareRootImage := feBytesLE(&vBytes, &halfQMinus1Bytes)
+	edwards25519.FeCMove(&r, &r1, vInSquareRootImage)
+
+	edwards25519.FeToBytes(publicKey, &u)
+	edwards25519.FeToBytes(representative, &r)
+	return true
+}
+
+// q58 calculates out = z^((p-5)/8).
+func q58(out, z *edwards25519.FieldElement) {
+	var t1, t2, t3 edwards25519.FieldElement
+	var i int
+
+	edwards25519.FeSquare(&t1, z)     // 2^1
+	edwards25519.FeMul(&t1, &t1, z)   // 2^1 + 2^0
+	edwards25519.FeSquare(&t1, &t1)   // 2^2 + 2^1
+	edwards25519.FeSquare(&t2, &t1)   // 2^3 + 2^2
+	edwards25519.FeSquare(&t2, &t2)   // 2^4 + 2^3
+	edwards25519.FeMul(&t2, &t2, &t1) // 4,3,2,1
+	edwards25519.FeMul(&t1, &t2, z)   // 4..0
+	edwards25519.FeSquare(&t2, &t1)   // 5..1
+	for i = 1; i < 5; i++ {           // 9,8,7,6,5
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t1, &t2, &t1) // 9,8,7,6,5,4,3,2,1,0
+	edwards25519.FeSquare(&t2, &t1)   // 10..1
+	for i = 1; i < 10; i++ {          // 19..10
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t2, &t2, &t1) // 19..0
+	edwards25519.FeSquare(&t3, &t2)   // 20..1
+	for i = 1; i < 20; i++ {          // 39..20
+		edwards25519.FeSquare(&t3, &t3)
+	}
+	edwards25519.FeMul(&t2, &t3, &t2) // 39..0
+	edwards25519.FeSquare(&t2, &t2)   // 40..1
+	for i = 1; i < 10; i++ {          // 49..10
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t1, &t2, &t1) // 49..0
+	edwards25519.FeSquare(&t2, &t1)   // 50..1
+	for i = 1; i < 50; i++ {          // 99..50
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t2, &t2, &t1) // 99..0
+	edwards25519.FeSquare(&t3, &t2)   // 100..1
+	for i = 1; i < 100; i++ {         // 199..100
+		edwards25519.FeSquare(&t3, &t3)
+	}
+	edwards25519.FeMul(&t2, &t3, &t2) // 199..0
+	edwards25519.FeSquare(&t2, &t2)   // 200..1
+	for i = 1; i < 50; i++ {          // 249..50
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t1, &t2, &t1) // 249..0
+	edwards25519.FeSquare(&t1, &t1)   // 250..1
+	edwards25519.FeSquare(&t1, &t1)   // 251..2
+	edwards25519.FeMul(out, &t1, z)   // 251..2,0
+}
+
+// chi calculates out = z^((p-1)/2). The result is either 1, 0, or -1 depending
+// on whether z is a non-zero square, zero, or a non-square.
+func chi(out, z *edwards25519.FieldElement) {
+	var t0, t1, t2, t3 edwards25519.FieldElement
+	var i int
+
+	edwards25519.FeSquare(&t0, z)     // 2^1
+	edwards25519.FeMul(&t1, &t0, z)   // 2^1 + 2^0
+	edwards25519.FeSquare(&t0, &t1)   // 2^2 + 2^1
+	edwards25519.FeSquare(&t2, &t0)   // 2^3 + 2^2
+	edwards25519.FeSquare(&t2, &t2)   // 4,3
+	edwards25519.FeMul(&t2, &t2, &t0) // 4,3,2,1
+	edwards25519.FeMul(&t1, &t2, z)   // 4..0
+	edwards25519.FeSquare(&t2, &t1)   // 5..1
+	for i = 1; i < 5; i++ {           // 9,8,7,6,5
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t1, &t2, &t1) // 9,8,7,6,5,4,3,2,1,0
+	edwards25519.FeSquare(&t2, &t1)   // 10..1
+	for i = 1; i < 10; i++ {          // 19..10
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t2, &t2, &t1) // 19..0
+	edwards25519.FeSquare(&t3, &t2)   // 20..1
+	for i = 1; i < 20; i++ {          // 39..20
+		edwards25519.FeSquare(&t3, &t3)
+	}
+	edwards25519.FeMul(&t2, &t3, &t2) // 39..0
+	edwards25519.FeSquare(&t2, &t2)   // 40..1
+	for i = 1; i < 10; i++ {          // 49..10
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t1, &t2, &t1) // 49..0
+	edwards25519.FeSquare(&t2, &t1)   // 50..1
+	for i = 1; i < 50; i++ {          // 99..50
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t2, &t2, &t1) // 99..0
+	edwards25519.FeSquare(&t3, &t2)   // 100..1
+	for i = 1; i < 100; i++ {         // 199..100
+		edwards25519.FeSquare(&t3, &t3)
+	}
+	edwards25519.FeMul(&t2, &t3, &t2) // 199..0
+	edwards25519.FeSquare(&t2, &t2)   // 200..1
+	for i = 1; i < 50; i++ {          // 249..50
+		edwards25519.FeSquare(&t2, &t2)
+	}
+	edwards25519.FeMul(&t1, &t2, &t1) // 249..0
+	edwards25519.FeSquare(&t1, &t1)   // 250..1
+	for i = 1; i < 4; i++ {           // 253..4
+		edwards25519.FeSquare(&t1, &t1)
+	}
+	edwards25519.FeMul(out, &t1, &t0) // 253..4,2,1
+}
+
+// UnsafeBrokenRepresentativeToPublicKey converts a uniform representative
+// value for a curve25519 public key, as produced by UnsafeBrokenScalarBaseMult,
+// to a curve25519 public key.
+func UnsafeBrokenRepresentativeToPublicKey(publicKey, representative *[32]byte) {
+	var rr2, v, e edwards25519.FieldElement
+	edwards25519.FeFromBytes(&rr2, representative)
+
+	edwards25519.FeSquare2(&rr2, &rr2)
+	rr2[0]++
+	edwards25519.FeInvert(&rr2, &rr2)
+	edwards25519.FeMul(&v, &edwards25519.A, &rr2)
+	edwards25519.FeNeg(&v, &v)
+
+	var v2, v3 edwards25519.FieldElement
+	edwards25519.FeSquare(&v2, &v)
+	edwards25519.FeMul(&v3, &v, &v2)
+	edwards25519.FeAdd(&e, &v3, &v)
+	edwards25519.FeMul(&v2, &v2, &edwards25519.A)
+	edwards25519.FeAdd(&e, &v2, &e)
+	chi(&e, &e)
+	var eBytes [32]byte
+	edwards25519.FeToBytes(&eBytes, &e)
+	// eBytes[1] is either 0 (for e = 1) or 0xff (for e = -1)
+	eIsMinus1 := int32(eBytes[1]) & 1
+	var negV edwards25519.FieldElement
+	edwards25519.FeNeg(&negV, &v)
+	edwards25519.FeCMove(&v, &negV, eIsMinus1)
+
+	edwards25519.FeZero(&v2)
+	edwards25519.FeCMove(&v2, &edwards25519.A, eIsMinus1)
+	edwards25519.FeSub(&v, &v, &v2)
+
+	edwards25519.FeToBytes(publicKey, &v)
+}
--- a/internal/extra25519/extra25519_test.go
+++ b/internal/extra25519/extra25519_test.go
@ -0,0 +1,61 @@
+// Copyright 2013 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package extra25519
+
+import (
+	"bytes"
+	"crypto/rand"
+	"testing"
+
+	"golang.org/x/crypto/curve25519"
+)
+
+func TestElligator(t *testing.T) {
+	var publicKey, publicKey2, publicKey3, representative, privateKey [32]byte
+
+	for i := 0; i < 1000; i++ {
+		rand.Reader.Read(privateKey[:])
+
+		if !UnsafeBrokenScalarBaseMult(&publicKey, &representative, &privateKey) {
+			continue
+		}
+		UnsafeBrokenRepresentativeToPublicKey(&publicKey2, &representative)
+		if !bytes.Equal(publicKey[:], publicKey2[:]) {
+			t.Fatal("The resulting public key doesn't match the initial one.")
+		}
+
+		curve25519.ScalarBaseMult(&publicKey3, &privateKey)
+		if !bytes.Equal(publicKey[:], publicKey3[:]) {
+			t.Fatal("The public key doesn't match the value that curve25519 produced.")
+		}
+	}
+}
+
+func BenchmarkKeyGeneration(b *testing.B) {
+	var publicKey, representative, privateKey [32]byte
+
+	// Find the private key that results in a point that's in the image of the map.
+	for {
+		rand.Reader.Read(privateKey[:])
+		if UnsafeBrokenScalarBaseMult(&publicKey, &representative, &privateKey) {
+			break
+		}
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		UnsafeBrokenScalarBaseMult(&publicKey, &representative, &privateKey)
+	}
+}
+
+func BenchmarkMap(b *testing.B) {
+	var publicKey, representative [32]byte
+	rand.Reader.Read(representative[:])
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		UnsafeBrokenRepresentativeToPublicKey(&publicKey, &representative)
+	}
+}