Rusty Russell
9 years ago
6 changed files with 798 additions and 183 deletions
@ -0,0 +1,3 @@ |
|||
test_onion |
|||
test_state_coverage |
|||
onion_key |
@ -0,0 +1,102 @@ |
|||
#define _GNU_SOURCE 1 |
|||
#include "secp256k1.h" |
|||
#include "secp256k1_ecdh.h" |
|||
#include "onion_key.h" |
|||
#include "version.h" |
|||
#include <time.h> |
|||
#include <ccan/str/hex/hex.h> |
|||
#include <ccan/opt/opt.h> |
|||
#include <assert.h> |
|||
#include <string.h> |
|||
#include <stdio.h> |
|||
#include <sys/types.h> |
|||
#include <unistd.h> |
|||
|
|||
/* Not really! */ |
|||
static void random_bytes(void *dst, size_t n) |
|||
{ |
|||
size_t i; |
|||
unsigned char *d = dst; |
|||
|
|||
for (i = 0; i < n; i++) |
|||
d[i] = random() % 256; |
|||
} |
|||
|
|||
static void random_key(secp256k1_context *ctx, |
|||
struct seckey *seckey, secp256k1_pubkey *pkey) |
|||
{ |
|||
do { |
|||
random_bytes(seckey->u.u8, sizeof(seckey->u)); |
|||
} while (!secp256k1_ec_pubkey_create(ctx, pkey, seckey->u.u8)); |
|||
} |
|||
|
|||
/* We don't want to spend a byte encoding sign, so make sure it's 0x2 */ |
|||
static void gen_keys(secp256k1_context *ctx, |
|||
struct seckey *seckey, struct compressed_pubkey *pubkey) |
|||
{ |
|||
secp256k1_pubkey pkey; |
|||
size_t len; |
|||
|
|||
random_key(ctx, seckey, &pkey); |
|||
|
|||
secp256k1_ec_pubkey_serialize(ctx, pubkey->u8, &len, &pkey, |
|||
SECP256K1_EC_COMPRESSED); |
|||
assert(len == sizeof(pubkey->u8)); |
|||
} |
|||
|
|||
void print_keypair(bool pub, bool priv) |
|||
{ |
|||
secp256k1_context *ctx; |
|||
struct seckey seckey; |
|||
struct compressed_pubkey pubkey; |
|||
char sechex[hex_str_size(sizeof(seckey))]; |
|||
char pubhex[hex_str_size(sizeof(pubkey))]; |
|||
|
|||
assert(pub || priv); |
|||
|
|||
ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN); |
|||
gen_keys(ctx, &seckey, &pubkey); |
|||
|
|||
hex_encode(&seckey, sizeof(seckey), sechex, sizeof(sechex)); |
|||
hex_encode(&pubkey, sizeof(pubkey), pubhex, sizeof(pubhex)); |
|||
|
|||
if (pub && priv) { |
|||
printf("%s:%s\n", sechex, pubhex); |
|||
} else { |
|||
printf("%s\n", (priv ? sechex : pubhex)); |
|||
} |
|||
} |
|||
|
|||
int main(int argc, char *argv[]) |
|||
{ |
|||
bool pub = true, priv = true; |
|||
|
|||
opt_register_noarg("--help|-h", opt_usage_and_exit, |
|||
"[<seeds>...]\n" |
|||
"Generate (deterministic if seed) secp256k1 keys", |
|||
"Print this message."); |
|||
opt_register_noarg("--pub", |
|||
opt_set_invbool, &priv, |
|||
"Generate only the public key"); |
|||
opt_register_noarg("--priv", |
|||
opt_set_invbool, &pub, |
|||
"Generate only the private key"); |
|||
opt_register_version(); |
|||
|
|||
opt_parse(&argc, argv, opt_log_stderr_exit); |
|||
if (!priv && !pub) |
|||
opt_usage_exit_fail("Can't use --pub and --priv"); |
|||
|
|||
if (argc == 1) { |
|||
srandom(time(NULL) + getpid()); |
|||
print_keypair(pub, priv); |
|||
} else { |
|||
int i; |
|||
for (i = 1; i < argc; i++) { |
|||
srandom(atoi(argv[i])); |
|||
print_keypair(pub, priv); |
|||
} |
|||
} |
|||
|
|||
return 0; |
|||
} |
@ -0,0 +1,24 @@ |
|||
#ifndef ONION_KEY_H |
|||
#define ONION_KEY_H |
|||
#include <ccan/endian/endian.h> |
|||
#include "bitcoin/privkey.h" |
|||
|
|||
struct seckey { |
|||
union { |
|||
struct privkey k; |
|||
unsigned char u8[32]; |
|||
beint64_t be64[4]; |
|||
} u; |
|||
}; |
|||
|
|||
/* First byte is 0x02 or 0x03 indicating even or odd y */ |
|||
struct compressed_pubkey { |
|||
unsigned char u8[33]; |
|||
}; |
|||
|
|||
/* Prepend 0x02 to get pubkey for libsecp256k1 */ |
|||
struct onion_pubkey { |
|||
unsigned char u8[32]; |
|||
}; |
|||
|
|||
#endif /* ONION_KEY_H */ |
@ -0,0 +1,345 @@ |
|||
#!/usr/bin/env python |
|||
|
|||
import argparse |
|||
import sys |
|||
import time |
|||
|
|||
from hashlib import sha256 |
|||
from binascii import hexlify, unhexlify |
|||
import hmac |
|||
import random |
|||
|
|||
from cryptography.hazmat.primitives.ciphers import Cipher, modes, algorithms |
|||
from cryptography.hazmat.primitives.ciphers.algorithms import AES |
|||
from cryptography.hazmat.primitives.ciphers.modes import CTR |
|||
from cryptography.hazmat.backends import default_backend |
|||
# http://cryptography.io |
|||
|
|||
from pyelliptic import ecc |
|||
|
|||
class MyEx(Exception): pass |
|||
|
|||
def hmac_sha256(k, m): |
|||
return hmac.new(k, m, sha256).digest() |
|||
|
|||
|
|||
|
|||
|
|||
|
|||
|
|||
## pyelliptic doesn't support compressed pubkey representations |
|||
## so we have to add some code... |
|||
from pyelliptic.openssl import OpenSSL |
|||
import ctypes |
|||
|
|||
OpenSSL.EC_POINT_set_compressed_coordinates_GFp = \ |
|||
OpenSSL._lib.EC_POINT_set_compressed_coordinates_GFp |
|||
OpenSSL.EC_POINT_set_compressed_coordinates_GFp.restype = ctypes.c_int |
|||
OpenSSL.EC_POINT_set_compressed_coordinates_GFp.argtypes = [ |
|||
ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p, ctypes.c_int, |
|||
ctypes.c_void_p] |
|||
|
|||
def ecc_ecdh_key(sec, pub): |
|||
assert isinstance(sec, ecc.ECC) |
|||
if isinstance(pub, ecc.ECC): |
|||
pub = pub.get_pubkey() |
|||
#return sec.get_ecdh_key(pub) |
|||
|
|||
pubkey_x, pubkey_y = ecc.ECC._decode_pubkey(pub, 'binary') |
|||
|
|||
other_key = other_pub_key_x = other_pub_key_y = other_pub_key = None |
|||
own_priv_key = res = res_x = res_y = None |
|||
try: |
|||
other_key = OpenSSL.EC_KEY_new_by_curve_name(sec.curve) |
|||
if other_key == 0: |
|||
raise Exception("[OpenSSL] EC_KEY_new_by_curve_name FAIL ... " + OpenSSL.get_error()) |
|||
|
|||
other_pub_key_x = OpenSSL.BN_bin2bn(pubkey_x, len(pubkey_x), 0) |
|||
other_pub_key_y = OpenSSL.BN_bin2bn(pubkey_y, len(pubkey_y), 0) |
|||
|
|||
other_group = OpenSSL.EC_KEY_get0_group(other_key) |
|||
other_pub_key = OpenSSL.EC_POINT_new(other_group) |
|||
if (other_pub_key == None): |
|||
raise Exception("[OpenSSl] EC_POINT_new FAIL ... " + OpenSSL.get_error()) |
|||
|
|||
if (OpenSSL.EC_POINT_set_affine_coordinates_GFp(other_group, |
|||
other_pub_key, |
|||
other_pub_key_x, |
|||
other_pub_key_y, |
|||
0)) == 0: |
|||
raise Exception( |
|||
"[OpenSSL] EC_POINT_set_affine_coordinates_GFp FAIL ..." + OpenSSL.get_error()) |
|||
|
|||
own_priv_key = OpenSSL.BN_bin2bn(sec.privkey, len(sec.privkey), 0) |
|||
|
|||
res = OpenSSL.EC_POINT_new(other_group) |
|||
if (OpenSSL.EC_POINT_mul(other_group, res, 0, other_pub_key, own_priv_key, 0)) == 0: |
|||
raise Exception( |
|||
"[OpenSSL] EC_POINT_mul FAIL ..." + OpenSSL.get_error()) |
|||
|
|||
res_x = OpenSSL.BN_new() |
|||
res_y = OpenSSL.BN_new() |
|||
|
|||
if (OpenSSL.EC_POINT_get_affine_coordinates_GFp(other_group, res, |
|||
res_x, |
|||
res_y, 0 |
|||
)) == 0: |
|||
raise Exception( |
|||
"[OpenSSL] EC_POINT_get_affine_coordinates_GFp FAIL ... " + OpenSSL.get_error()) |
|||
|
|||
resx = OpenSSL.malloc(0, OpenSSL.BN_num_bytes(res_x)) |
|||
resy = OpenSSL.malloc(0, OpenSSL.BN_num_bytes(res_y)) |
|||
|
|||
OpenSSL.BN_bn2bin(res_x, resx) |
|||
resx = resx.raw |
|||
OpenSSL.BN_bn2bin(res_y, resy) |
|||
resy = resy.raw |
|||
|
|||
return resx, resy |
|||
|
|||
finally: |
|||
if other_key: OpenSSL.EC_KEY_free(other_key) |
|||
if other_pub_key_x: OpenSSL.BN_free(other_pub_key_x) |
|||
if other_pub_key_y: OpenSSL.BN_free(other_pub_key_y) |
|||
if other_pub_key: OpenSSL.EC_POINT_free(other_pub_key) |
|||
if own_priv_key: OpenSSL.BN_free(own_priv_key) |
|||
if res: OpenSSL.EC_POINT_free(res) |
|||
if res_x: OpenSSL.BN_free(res_x) |
|||
if res_y: OpenSSL.BN_free(res_y) |
|||
|
|||
def get_pos_y_for_x(pubkey_x, yneg=0): |
|||
key = pub_key = pub_key_x = pub_key_y = None |
|||
try: |
|||
key = OpenSSL.EC_KEY_new_by_curve_name(OpenSSL.get_curve('secp256k1')) |
|||
group = OpenSSL.EC_KEY_get0_group(key) |
|||
pub_key_x = OpenSSL.BN_bin2bn(pubkey_x, len(pubkey_x), 0) |
|||
pub_key = OpenSSL.EC_POINT_new(group) |
|||
|
|||
if OpenSSL.EC_POINT_set_compressed_coordinates_GFp(group, pub_key, |
|||
pub_key_x, yneg, 0) == 0: |
|||
raise Exception("[OpenSSL] EC_POINT_set_compressed_coordinates_GFp FAIL ... " + OpenSSL.get_error()) |
|||
|
|||
|
|||
pub_key_y = OpenSSL.BN_new() |
|||
if (OpenSSL.EC_POINT_get_affine_coordinates_GFp(group, pub_key, |
|||
pub_key_x, |
|||
pub_key_y, 0 |
|||
)) == 0: |
|||
raise Exception("[OpenSSL] EC_POINT_get_affine_coordinates_GFp FAIL ... " + OpenSSL.get_error()) |
|||
|
|||
pubkeyy = OpenSSL.malloc(0, OpenSSL.BN_num_bytes(pub_key_y)) |
|||
OpenSSL.BN_bn2bin(pub_key_y, pubkeyy) |
|||
pubkeyy = pubkeyy.raw |
|||
field_size = OpenSSL.EC_GROUP_get_degree(OpenSSL.EC_KEY_get0_group(key)) |
|||
secret_len = int((field_size + 7) / 8) |
|||
if len(pubkeyy) < secret_len: |
|||
pubkeyy = pubkeyy.rjust(secret_len, b'\0') |
|||
return pubkeyy |
|||
finally: |
|||
if key is not None: OpenSSL.EC_KEY_free(key) |
|||
if pub_key is not None: OpenSSL.EC_POINT_free(pub_key) |
|||
if pub_key_x is not None: OpenSSL.BN_free(pub_key_x) |
|||
if pub_key_y is not None: OpenSSL.BN_free(pub_key_y) |
|||
|
|||
def ec_decompress(pubkey, curve='secp256k1'): |
|||
if pubkey[0] == '\x02' or pubkey[0] == '\x03': |
|||
yneg = ord(pubkey[0]) & 1 |
|||
pubkey = "\x04" + pubkey[1:] + get_pos_y_for_x(pubkey[1:], yneg=yneg) |
|||
elif pubkey[0] == '\x04': |
|||
pass |
|||
else: |
|||
raise Exception("Unrecognised pubkey format: %s" % (pubkey,)) |
|||
return pubkey |
|||
|
|||
class Onion(object): |
|||
HMAC_LEN = 32 |
|||
PKEY_LEN = 32 |
|||
MSG_LEN = 128 |
|||
ZEROES = b"\x00" * (HMAC_LEN + PKEY_LEN + MSG_LEN) |
|||
|
|||
@staticmethod |
|||
def tweak_sha(sha, d): |
|||
sha = sha.copy() |
|||
sha.update(d) |
|||
return sha.digest() |
|||
|
|||
@classmethod |
|||
def get_ecdh_secrets(cls, sec, pkey_x, pkey_y): |
|||
pkey = unhexlify('04') + pkey_x + pkey_y |
|||
tmp_key = ecc.ECC(curve='secp256k1', pubkey=pkey) |
|||
sec_x, sec_y = ecc_ecdh_key(sec, tmp_key) |
|||
|
|||
b = '\x02' if ord(sec_y[-1]) % 2 == 0 else '\x03' |
|||
sec = sha256(sha256(b + sec_x).digest()) |
|||
|
|||
enckey = cls.tweak_sha(sec, b'\x00')[:16] |
|||
hmac = cls.tweak_sha(sec, b'\x01') |
|||
ivs = cls.tweak_sha(sec, b'\x02') |
|||
iv, pad_iv = ivs[:16], ivs[16:] |
|||
|
|||
return enckey, hmac, iv, pad_iv |
|||
|
|||
def enc_pad(self, enckey, pad_iv): |
|||
aes = Cipher(AES(enckey), CTR(pad_iv), |
|||
default_backend()).encryptor() |
|||
return aes.update(self.ZEROES) |
|||
|
|||
class OnionDecrypt(Onion): |
|||
def __init__(self, onion, my_ecc): |
|||
self.my_ecc = my_ecc |
|||
|
|||
hmac_end = len(onion) |
|||
pkey_end = hmac_end - self.HMAC_LEN |
|||
self.msg_end = pkey_end - self.PKEY_LEN |
|||
self.fwd_end = self.msg_end - self.MSG_LEN |
|||
|
|||
self.onion = onion |
|||
self.pkey = onion[self.msg_end:pkey_end] |
|||
self.hmac = onion[pkey_end:hmac_end] |
|||
|
|||
self.get_secrets() |
|||
|
|||
def decrypt(self): |
|||
pad = self.enc_pad(self.enckey, self.pad_iv) |
|||
|
|||
aes = Cipher(AES(self.enckey), CTR(self.iv), |
|||
default_backend()).decryptor() |
|||
self.fwd = pad + aes.update(self.onion[:self.fwd_end]) |
|||
self.msg = aes.update(self.onion[self.fwd_end:self.msg_end]) |
|||
|
|||
def get_secrets(self): |
|||
pkey_x = self.pkey |
|||
pkey_y = get_pos_y_for_x(pkey_x) # always positive by design |
|||
enckey, hmac, iv, pad_iv = self.get_ecdh_secrets(self.my_ecc, pkey_x, pkey_y) |
|||
if not self.check_hmac(hmac): |
|||
raise Exception("HMAC did not verify") |
|||
self.enckey = enckey |
|||
self.iv = iv |
|||
self.pad_iv = pad_iv |
|||
|
|||
def check_hmac(self, hmac_key): |
|||
calc = hmac_sha256(hmac_key, self.onion[:-self.HMAC_LEN]) |
|||
return calc == self.hmac |
|||
|
|||
class OnionEncrypt(Onion): |
|||
def __init__(self, msgs, pubkeys): |
|||
assert len(msgs) == len(pubkeys) |
|||
assert 0 < len(msgs) <= 20 |
|||
assert all( len(m) <= self.MSG_LEN for m in msgs ) |
|||
|
|||
msgs = [m + "\0"*(self.MSG_LEN - len(m)) for m in msgs] |
|||
pubkeys = [ecc.ECC(pubkey=pk, curve='secp256k1') for pk in pubkeys] |
|||
n = len(msgs) |
|||
|
|||
tmpkeys = [] |
|||
tmppubkeys = [] |
|||
for i in range(n): |
|||
while True: |
|||
t = ecc.ECC(curve='secp256k1') |
|||
if ord(t.pubkey_y[-1]) % 2 == 0: |
|||
break |
|||
# or do the math to "flip" the secret key and pub key |
|||
tmpkeys.append(t) |
|||
tmppubkeys.append(t.pubkey_x) |
|||
|
|||
enckeys, hmacs, ivs, pad_ivs = zip(*[self.get_ecdh_secrets(tmpkey, pkey.pubkey_x, pkey.pubkey_y) |
|||
for tmpkey, pkey in zip(tmpkeys, pubkeys)]) |
|||
|
|||
# padding takes the form: |
|||
# E_(n-1)(0000s) |
|||
# D_(n-1)( |
|||
# E(n-2)(0000s) |
|||
# D(n-2)( |
|||
# ... |
|||
# ) |
|||
# ) |
|||
|
|||
padding = "" |
|||
for i in range(n-1): |
|||
pad = self.enc_pad(enckeys[i], pad_ivs[i]) |
|||
aes = Cipher(AES(enckeys[i]), CTR(ivs[i]), |
|||
default_backend()).decryptor() |
|||
padding = pad + aes.update(padding) |
|||
|
|||
if n < 20: |
|||
padding += str(bytearray(random.getrandbits(8) |
|||
for _ in range(len(self.ZEROES) * (20-n)))) |
|||
|
|||
# to encrypt the message we need to bump the counter past all |
|||
# the padding, then just encrypt the final message |
|||
aes = Cipher(AES(enckeys[-1]), CTR(ivs[-1]), |
|||
default_backend()).encryptor() |
|||
aes.update(padding) # don't care about cyphertext |
|||
msgenc = aes.update(msgs[-1]) |
|||
|
|||
msgenc = padding + msgenc + tmppubkeys[-1] |
|||
del padding |
|||
msgenc += hmac_sha256(hmacs[-1], msgenc) |
|||
|
|||
# *PHEW* |
|||
# now iterate |
|||
|
|||
for i in reversed(range(n-1)): |
|||
# drop the padding this node will add |
|||
msgenc = msgenc[len(self.ZEROES):] |
|||
# adding the msg |
|||
msgenc += msgs[i] |
|||
# encrypt it |
|||
aes = Cipher(AES(enckeys[i]), CTR(ivs[i]), |
|||
default_backend()).encryptor() |
|||
msgenc = aes.update(msgenc) |
|||
# add the tmp key |
|||
msgenc += tmppubkeys[i] |
|||
# add the hmac |
|||
msgenc += hmac_sha256(hmacs[i], msgenc) |
|||
self.onion = msgenc |
|||
|
|||
def generate(args): |
|||
server_keys = [] |
|||
msgs = [] |
|||
for k in args.pubkeys: |
|||
k = unhexlify(k) |
|||
msgs.append("Message for %s..." % (hexlify(k[1:21]),)) |
|||
k = ec_decompress(k) |
|||
server_keys.append(k) |
|||
o = OnionEncrypt(msgs, server_keys) |
|||
sys.stdout.write(o.onion) |
|||
return |
|||
|
|||
def decode(args): |
|||
msg = sys.stdin.read() |
|||
key = ecc.ECC(privkey=unhexlify(args.seckey), |
|||
pubkey=ec_decompress(unhexlify(args.pubkey)), |
|||
curve='secp256k1') |
|||
o = OnionDecrypt(msg, key) |
|||
o.decrypt() |
|||
#sys.stderr.write("Message: \"%s\"\n" % (o.msg,)) |
|||
want_msg = "Message for %s..." % (args.pubkey[2:42]) |
|||
if o.msg != want_msg + "\0"*(Onion.MSG_LEN - len(want_msg)): |
|||
raise Exception("Unexpected message: \"%s\" (wanted: %s)" % (o.msg, want_msg)) |
|||
|
|||
sys.stdout.write(o.fwd) |
|||
|
|||
def main(argv): |
|||
parser = argparse.ArgumentParser(description="Process some integers.") |
|||
sp = parser.add_subparsers() |
|||
p = sp.add_parser("generate") |
|||
p.add_argument("pubkeys", nargs='+', help="public keys of recipients") |
|||
p.set_defaults(func=generate) |
|||
|
|||
p = sp.add_parser("decode") |
|||
p.add_argument("seckey", help="secret key for router") |
|||
p.add_argument("pubkey", help="public key for router") |
|||
p.set_defaults(func=decode) |
|||
|
|||
args = parser.parse_args(argv) |
|||
|
|||
return args.func(args) |
|||
|
|||
|
|||
|
|||
|
|||
if __name__ == "__main__": |
|||
main(sys.argv[1:]) |
|||
sys.exit(0) |
|||
|
Loading…
Reference in new issue