2020-02-14 02:56:05 +00:00
|
|
|
## Nim-Libp2p
|
2022-04-12 10:41:48 +00:00
|
|
|
## Copyright (c) 2020-2022 Status Research & Development GmbH
|
2020-02-14 02:56:05 +00:00
|
|
|
## Licensed under either of
|
|
|
|
## * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE))
|
|
|
|
## * MIT license ([LICENSE-MIT](LICENSE-MIT))
|
|
|
|
## at your option.
|
|
|
|
## This file may not be copied, modified, or distributed except according to
|
|
|
|
## those terms.
|
|
|
|
|
2020-02-14 03:19:37 +00:00
|
|
|
## This module integrates BearSSL Cyrve25519 mul and mulgen
|
2020-02-14 02:56:05 +00:00
|
|
|
##
|
|
|
|
## This module uses unmodified parts of code from
|
|
|
|
## BearSSL library <https://bearssl.org/>
|
|
|
|
## Copyright(C) 2018 Thomas Pornin <pornin@bolet.org>.
|
|
|
|
|
|
|
|
# RFC @ https://tools.ietf.org/html/rfc7748
|
|
|
|
|
2020-05-19 08:22:49 +00:00
|
|
|
{.push raises: [Defect].}
|
|
|
|
|
2022-06-16 08:08:52 +00:00
|
|
|
import bearssl/[ec, rand, hash]
|
2020-05-19 08:22:49 +00:00
|
|
|
import stew/results
|
2022-04-12 10:41:48 +00:00
|
|
|
from stew/assign2 import assign
|
2020-05-19 08:22:49 +00:00
|
|
|
export results
|
2020-02-14 02:56:05 +00:00
|
|
|
|
|
|
|
const
|
2020-02-14 06:43:05 +00:00
|
|
|
Curve25519KeySize* = 32
|
2020-02-14 11:09:14 +00:00
|
|
|
|
2020-02-14 02:56:05 +00:00
|
|
|
type
|
|
|
|
Curve25519* = object
|
|
|
|
Curve25519Key* = array[Curve25519KeySize, byte]
|
2022-05-24 13:10:57 +00:00
|
|
|
pcuchar = ptr char
|
2020-07-07 11:14:11 +00:00
|
|
|
Curve25519Error* = enum
|
|
|
|
Curver25519GenError
|
2020-02-14 02:56:05 +00:00
|
|
|
|
2021-12-16 10:05:20 +00:00
|
|
|
proc intoCurve25519Key*(s: openArray[byte]): Curve25519Key =
|
2020-02-14 11:09:14 +00:00
|
|
|
assert s.len == Curve25519KeySize
|
2022-04-12 10:41:48 +00:00
|
|
|
assign(result, s)
|
Noise (#90)
* Start ChaCha20Poly1305 integration (BearSSL)
* Add Curve25519 (BearSSL) required operations for noise
* Fix curve mulgen iterate/derive
* Fix misleading header
* Add chachapoly proper test
* Curve25519 integration tests (failing, something is wrong)
* Add few converters, finish c25519 integration tests
* Remove implicit converters
* removed internal globals
* Start noise implementation
* Fix public() using proper bear mulgen
* Noise protocol WIP
* Noise progress
* Add a quick nim version of HKDF
* Converted hkdf to iterator, useful for noise
* Noise protocol implementation progress
* Noise progress
* XX handshake almost there
* noise progress
* Noise, testing handshake with test vectors
* Noise handshake progress, still wrong somewhere!
* Noise handshake success!
* Full verified noise XX handshake completed
* Fix and rewrite test to be similar to switch one
* Start with connection upgrade
* Switch chachapoly to CT implementations
* Improve HKDF implementation
* Use a type insted of tuple for HandshakeResult
* Remove unnecessary Let
* More cosmetic fixes
* Properly check randomBytes result
* Fix chachapoly signature
* Noise full circle (altho dispatcher is nil cursed)
* Allow nil aads in chachapoly routines
* Noise implementation up to running full test
* Use bearssl HKDF as well
* Directly use bearssl rng for curve25519 keys
* Add a (disabled/no CI) noise interop test server
* WIP on fixing interop issues
* More fixes in noise implementation for interop
* bump chronos requirement (nimble)
* Add a chachapoly test for very small size payloads
* Noise, more tracing
* Add 2 properly working noise tests
* Fix payload packing, following the spec properly (and not go version but
rather rust)
* Sanity, replace discard with asyncCheck
* Small fixes and optimization
* Use stew endian2 rather then system endian module
* Update nimble deps (chronos)
* Minor cosmetic/code sanity fixes
* Noise, handle Nonce max
* Noise tests, make sure to close secured conns
* More polish, improve code readability too
* More polish and testing again which test fails
* Further polishing
* Restore noise tests
* Remove useless Future[void]
* Remove useless CipherState initializer
* add a proper read wait future in second noise test
* Remove noise generic secure implementation for now
* Few fixes to run eth2 sim
* Add more debug info in noise traces
* Merge size + payload write in sendEncryptedMessage
* Revert secure interface, add outgoing property directly in newNoise
* remove sendEncrypted and receiveEncrypted
* Use openarray in chachapoly and curve25519 helpers
2020-03-17 12:30:01 +00:00
|
|
|
|
|
|
|
proc getBytes*(key: Curve25519Key): seq[byte] = @key
|
2020-05-06 16:31:47 +00:00
|
|
|
|
Noise (#90)
* Start ChaCha20Poly1305 integration (BearSSL)
* Add Curve25519 (BearSSL) required operations for noise
* Fix curve mulgen iterate/derive
* Fix misleading header
* Add chachapoly proper test
* Curve25519 integration tests (failing, something is wrong)
* Add few converters, finish c25519 integration tests
* Remove implicit converters
* removed internal globals
* Start noise implementation
* Fix public() using proper bear mulgen
* Noise protocol WIP
* Noise progress
* Add a quick nim version of HKDF
* Converted hkdf to iterator, useful for noise
* Noise protocol implementation progress
* Noise progress
* XX handshake almost there
* noise progress
* Noise, testing handshake with test vectors
* Noise handshake progress, still wrong somewhere!
* Noise handshake success!
* Full verified noise XX handshake completed
* Fix and rewrite test to be similar to switch one
* Start with connection upgrade
* Switch chachapoly to CT implementations
* Improve HKDF implementation
* Use a type insted of tuple for HandshakeResult
* Remove unnecessary Let
* More cosmetic fixes
* Properly check randomBytes result
* Fix chachapoly signature
* Noise full circle (altho dispatcher is nil cursed)
* Allow nil aads in chachapoly routines
* Noise implementation up to running full test
* Use bearssl HKDF as well
* Directly use bearssl rng for curve25519 keys
* Add a (disabled/no CI) noise interop test server
* WIP on fixing interop issues
* More fixes in noise implementation for interop
* bump chronos requirement (nimble)
* Add a chachapoly test for very small size payloads
* Noise, more tracing
* Add 2 properly working noise tests
* Fix payload packing, following the spec properly (and not go version but
rather rust)
* Sanity, replace discard with asyncCheck
* Small fixes and optimization
* Use stew endian2 rather then system endian module
* Update nimble deps (chronos)
* Minor cosmetic/code sanity fixes
* Noise, handle Nonce max
* Noise tests, make sure to close secured conns
* More polish, improve code readability too
* More polish and testing again which test fails
* Further polishing
* Restore noise tests
* Remove useless Future[void]
* Remove useless CipherState initializer
* add a proper read wait future in second noise test
* Remove noise generic secure implementation for now
* Few fixes to run eth2 sim
* Add more debug info in noise traces
* Merge size + payload write in sendEncryptedMessage
* Revert secure interface, add outgoing property directly in newNoise
* remove sendEncrypted and receiveEncrypted
* Use openarray in chachapoly and curve25519 helpers
2020-03-17 12:30:01 +00:00
|
|
|
proc byteswap(buf: var Curve25519Key) {.inline.} =
|
2020-02-14 11:09:14 +00:00
|
|
|
for i in 0..<16:
|
|
|
|
let
|
|
|
|
x = buf[i]
|
|
|
|
buf[i] = buf[31 - i]
|
|
|
|
buf[31 - i] = x
|
2020-05-06 16:31:47 +00:00
|
|
|
|
2020-08-04 09:19:26 +00:00
|
|
|
proc mul*(_: type[Curve25519], point: var Curve25519Key, multiplier: Curve25519Key) =
|
2022-06-16 08:08:52 +00:00
|
|
|
let defaultBrEc = ecGetDefault()
|
2020-05-06 16:31:47 +00:00
|
|
|
|
2020-08-04 09:19:26 +00:00
|
|
|
# multiplier needs to be big-endian
|
2020-02-14 11:09:14 +00:00
|
|
|
var
|
2020-08-04 09:19:26 +00:00
|
|
|
multiplierBs = multiplier
|
|
|
|
multiplierBs.byteswap()
|
2020-02-14 02:56:05 +00:00
|
|
|
let
|
|
|
|
res = defaultBrEc.mul(
|
2022-06-16 08:08:52 +00:00
|
|
|
addr point[0],
|
2020-02-14 02:56:05 +00:00
|
|
|
Curve25519KeySize,
|
2022-06-16 08:08:52 +00:00
|
|
|
addr multiplierBs[0],
|
2020-02-14 02:56:05 +00:00
|
|
|
Curve25519KeySize,
|
2020-02-14 11:09:14 +00:00
|
|
|
EC_curve25519)
|
2020-02-14 02:56:05 +00:00
|
|
|
assert res == 1
|
|
|
|
|
2020-08-04 09:19:26 +00:00
|
|
|
proc mulgen(_: type[Curve25519], dst: var Curve25519Key, point: Curve25519Key) =
|
2022-06-16 08:08:52 +00:00
|
|
|
let defaultBrEc = ecGetDefault()
|
2020-02-17 05:31:14 +00:00
|
|
|
|
|
|
|
var
|
|
|
|
rpoint = point
|
|
|
|
rpoint.byteswap()
|
2020-05-06 16:31:47 +00:00
|
|
|
|
2020-08-04 05:07:53 +00:00
|
|
|
let
|
|
|
|
size = defaultBrEc.mulgen(
|
2022-06-16 08:08:52 +00:00
|
|
|
addr dst[0],
|
|
|
|
addr rpoint[0],
|
2020-08-04 05:07:53 +00:00
|
|
|
Curve25519KeySize,
|
|
|
|
EC_curve25519)
|
|
|
|
|
|
|
|
assert size == Curve25519KeySize
|
|
|
|
|
2020-08-04 09:19:26 +00:00
|
|
|
proc public*(private: Curve25519Key): Curve25519Key =
|
|
|
|
Curve25519.mulgen(result, private)
|
2020-02-14 11:09:14 +00:00
|
|
|
|
2022-06-16 08:08:52 +00:00
|
|
|
proc random*(_: type[Curve25519Key], rng: var HmacDrbgContext): Curve25519Key =
|
2020-05-19 08:22:49 +00:00
|
|
|
var res: Curve25519Key
|
2022-06-16 08:08:52 +00:00
|
|
|
let defaultBrEc = ecGetDefault()
|
|
|
|
let len = ecKeygen(
|
2020-07-09 08:53:19 +00:00
|
|
|
addr rng.vtable, defaultBrEc, nil, addr res[0], EC_curve25519)
|
|
|
|
# Per bearssl documentation, the keygen only fails if the curve is
|
|
|
|
# unrecognised -
|
|
|
|
doAssert len == Curve25519KeySize, "Could not generate curve"
|
|
|
|
|
|
|
|
res
|