tagging.c 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178
  1. /*
  2. * Slitheen - a decoy routing system for censorship resistance
  3. * Copyright (C) 2017 Cecylia Bocovich (cbocovic@uwaterloo.ca)
  4. *
  5. * This program is free software: you can redistribute it and/or modify
  6. * it under the terms of the GNU General Public License as published by
  7. * the Free Software Foundation, version 3.
  8. *
  9. * This program is distributed in the hope that it will be useful,
  10. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  11. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  12. * GNU General Public License for more details.
  13. *
  14. * You should have received a copy of the GNU General Public License
  15. * along with this program. If not, see <http://www.gnu.org/licenses/>.
  16. *
  17. * Additional permission under GNU GPL version 3 section 7
  18. *
  19. * If you modify this Program, or any covered work, by linking or combining
  20. * it with the OpenSSL library (or a modified version of that library),
  21. * containing parts covered by the terms of the OpenSSL Licence and the
  22. * SSLeay license, the licensors of this Program grant you additional
  23. * permission to convey the resulting work. Corresponding Source for a
  24. * non-source form of such a combination shall include the source code
  25. * for the parts of the OpenSSL library used as well as that of the covered
  26. * work.
  27. */
  28. #include <stdio.h>
  29. #include <string.h>
  30. #include <stdint.h>
  31. #include <openssl/rand.h>
  32. #include <openssl/sha.h>
  33. #include <openssl/ssl.h>
  34. #include <openssl/err.h>
  35. #include <openssl/ec.h>
  36. #include <openssl/bn.h>
  37. #include "ptwist.h"
  38. #include "tagging.h"
  39. //look for key list
  40. byte maingen[PTWIST_BYTES];
  41. byte twistgen[PTWIST_BYTES];
  42. byte mainpub[PTWIST_BYTES];
  43. byte twistpub[PTWIST_BYTES];
  44. static void gen_tag(byte *tag, byte stored_key[16],
  45. const byte *context, size_t context_len)
  46. {
  47. byte seckey[PTWIST_BYTES];
  48. byte sharedsec[PTWIST_BYTES+context_len];
  49. byte usetwist;
  50. byte taghashout[32];
  51. #if PTWIST_PUZZLE_STRENGTH > 0
  52. size_t puzzle_len = 16+PTWIST_RESP_BYTES;
  53. byte value_to_hash[puzzle_len];
  54. byte hashout[32];
  55. bn_t Rbn, Hbn;
  56. int i, len, sign;
  57. #endif
  58. memset(tag, 0xAA, PTWIST_TAG_BYTES);
  59. /* Use the main or the twist curve? */
  60. RAND_bytes(&usetwist, 1);
  61. usetwist &= 1;
  62. /* Create seckey*G and seckey*Y */
  63. RAND_bytes(seckey, PTWIST_BYTES);
  64. ptwist_pointmul(tag, usetwist ? twistgen : maingen, seckey);
  65. ptwist_pointmul(sharedsec, usetwist ? twistpub : mainpub, seckey);
  66. /* Create the tag hash keys */
  67. memmove(sharedsec+PTWIST_BYTES, context, context_len);
  68. SHA256(sharedsec, PTWIST_BYTES + context_len, taghashout);
  69. #if PTWIST_PUZZLE_STRENGTH > 0
  70. /* The puzzle is to find a response R such that SHA256(K || R)
  71. starts with PTWIST_PUZZLE_STRENGTH bits of 0s. K is the first
  72. 128 bits of the above hash tag keys. */
  73. /* Construct our response to the puzzle. Start looking for R in a
  74. * random place. */
  75. memmove(value_to_hash, taghashout, 16);
  76. RAND_bytes(value_to_hash+16, PTWIST_RESP_BYTES);
  77. value_to_hash[16+PTWIST_RESP_BYTES-1] &= PTWIST_RESP_MASK;
  78. while(1) {
  79. unsigned int firstbits;
  80. md_map_sh256(hashout, value_to_hash, puzzle_len);
  81. #if PTWIST_PUZZLE_STRENGTH < 32
  82. /* This assumes that you're on an architecture that doesn't care
  83. * about alignment, and is little endian. */
  84. firstbits = *(unsigned int*)hashout;
  85. if ((firstbits & PTWIST_PUZZLE_MASK) == 0) {
  86. break;
  87. }
  88. /* Increment R and try again. */
  89. for(i=0;i<PTWIST_RESP_BYTES;++i) {
  90. if (++value_to_hash[16+i]) break;
  91. }
  92. value_to_hash[16+PTWIST_RESP_BYTES-1] &= PTWIST_RESP_MASK;
  93. #else
  94. #error "Code assumes PTWIST_PUZZLE_STRENGTH < 32"
  95. #endif
  96. }
  97. /* When we get here, we have solved the puzzle. R is in
  98. * value_to_hash[16..16+PTWIST_RESP_BYTES-1], the hash output
  99. * hashout starts with PTWIST_PUZZLE_STRENGTH bits of 0s, and we'll
  100. * want to copy out H (the next PTWIST_HASH_SHOWBITS bits of the
  101. * hash output). The final tag is [seckey*G]_x || R || H . */
  102. bn_new(Rbn);
  103. bn_new(Hbn);
  104. bn_read_bin(Rbn, value_to_hash+16, PTWIST_RESP_BYTES, BN_POS);
  105. hashout[PTWIST_HASH_TOTBYTES-1] &= PTWIST_HASH_MASK;
  106. bn_read_bin(Hbn, hashout, PTWIST_HASH_TOTBYTES, BN_POS);
  107. bn_lsh(Hbn, Hbn, PTWIST_RESP_BITS-PTWIST_PUZZLE_STRENGTH);
  108. bn_add(Hbn, Hbn, Rbn);
  109. len = PTWIST_TAG_BYTES-PTWIST_BYTES;
  110. bn_write_bin(tag+PTWIST_BYTES, &len, &sign, Hbn);
  111. bn_free(Rbn);
  112. bn_free(Hbn);
  113. #elif PTWIST_HASH_SHOWBITS <= 128
  114. /* We're not using a client puzzle, so the tag is [seckey*G]_x || H
  115. * where H is the first PTWIST_HASH_SHOWBITS bits of the above hash
  116. * output. The key generated is the last 128 bits of that output.
  117. * If there's no client puzzle, PTWIST_HASH_SHOWBITS must be a multiple
  118. * of 8. */
  119. memmove(tag+PTWIST_BYTES, taghashout, PTWIST_HASH_SHOWBITS/8);
  120. #else
  121. #error "No client puzzle used, but PWTIST_HASH_SHOWBITS > 128"
  122. #endif
  123. memmove(stored_key, taghashout+16, 16);
  124. }
  125. int generate_slitheen_id(byte *slitheen_id, byte stored_key[16])
  126. {
  127. FILE *fp;
  128. int res;
  129. byte *tag;
  130. /* Create the generators */
  131. memset(maingen, 0, PTWIST_BYTES);
  132. maingen[0] = 2;
  133. memset(twistgen, 0, PTWIST_BYTES);
  134. /* Read the public keys */
  135. fp = fopen("pubkey", "rb");
  136. if (fp == NULL) {
  137. perror("fopen");
  138. exit(1);
  139. }
  140. res = fread(mainpub, PTWIST_BYTES, 1, fp);
  141. if (res < 1) {
  142. perror("fread");
  143. exit(1);
  144. }
  145. res = fread(twistpub, PTWIST_BYTES, 1, fp);
  146. if (res < 1) {
  147. perror("fread");
  148. exit(1);
  149. }
  150. fclose(fp);
  151. tag = slitheen_id;
  152. gen_tag(tag, stored_key, (const byte *)"context", 7);
  153. return 0;
  154. }