diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2021-04-26 13:46:36 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2021-04-26 13:46:36 +0200 |
| commit | 6b69ab68b47d0933f8b4a1d7ed8460274a736a5f (patch) | |
| tree | fd8febe91940f0c2fa8761d5ae6e65bfd4f4ec1f | |
| parent | f18a1fd6f368ada05b33cf36483304a5e3c4945d (diff) | |
| download | busybox-w32-6b69ab68b47d0933f8b4a1d7ed8460274a736a5f.tar.gz busybox-w32-6b69ab68b47d0933f8b4a1d7ed8460274a736a5f.tar.bz2 busybox-w32-6b69ab68b47d0933f8b4a1d7ed8460274a736a5f.zip | |
tls: make x25519 key generation code more similar to P256
function old new delta
curve_x25519_compute_pubkey_and_premaster - 74 +74
tls_handshake 2146 2072 -74
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 0/1 up/down: 74/-74) Total: 0 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | networking/tls.c | 61 | ||||
| -rw-r--r-- | networking/tls.h | 5 | ||||
| -rw-r--r-- | networking/tls_fe.c | 23 | ||||
| -rw-r--r-- | networking/tls_fe.h | 6 |
4 files changed, 51 insertions, 44 deletions
diff --git a/networking/tls.c b/networking/tls.c index cacd2e9ff..5566d7911 100644 --- a/networking/tls.c +++ b/networking/tls.c | |||
| @@ -1534,7 +1534,7 @@ static void send_client_hello_and_alloc_hsd(tls_state_t *tls, const char *sni) | |||
| 1534 | 0x00,0x0a, //extension_type: "supported_groups" | 1534 | 0x00,0x0a, //extension_type: "supported_groups" |
| 1535 | 0x00,0x06, //ext len | 1535 | 0x00,0x06, //ext len |
| 1536 | 0x00,0x04, //list len | 1536 | 0x00,0x04, //list len |
| 1537 | 0x00,0x17, //curve_secp256r1 | 1537 | 0x00,0x17, //curve_secp256r1 (aka P256) |
| 1538 | //0x00,0x18, //curve_secp384r1 | 1538 | //0x00,0x18, //curve_secp384r1 |
| 1539 | //0x00,0x19, //curve_secp521r1 | 1539 | //0x00,0x19, //curve_secp521r1 |
| 1540 | 0x00,0x1d, //curve_x25519 (RFC 7748) | 1540 | 0x00,0x1d, //curve_x25519 (RFC 7748) |
| @@ -1890,7 +1890,7 @@ static void process_server_key(tls_state_t *tls, int len) | |||
| 1890 | tls->flags |= GOT_EC_CURVE_X25519; | 1890 | tls->flags |= GOT_EC_CURVE_X25519; |
| 1891 | memcpy(tls->hsd->ecc_pub_key32, keybuf, 32); | 1891 | memcpy(tls->hsd->ecc_pub_key32, keybuf, 32); |
| 1892 | break; | 1892 | break; |
| 1893 | case _0x03001741: //curve_secp256r1 | 1893 | case _0x03001741: //curve_secp256r1 (aka P256) |
| 1894 | /* P256 point can be transmitted odd- or even-compressed | 1894 | /* P256 point can be transmitted odd- or even-compressed |
| 1895 | * (first byte is 3 or 2) or uncompressed (4). | 1895 | * (first byte is 3 or 2) or uncompressed (4). |
| 1896 | */ | 1896 | */ |
| @@ -1967,46 +1967,35 @@ static void send_client_key_exchange(tls_state_t *tls) | |||
| 1967 | record->key[1] = len & 0xff; | 1967 | record->key[1] = len & 0xff; |
| 1968 | len += 2; | 1968 | len += 2; |
| 1969 | premaster_size = RSA_PREMASTER_SIZE; | 1969 | premaster_size = RSA_PREMASTER_SIZE; |
| 1970 | } else /* ECDHE */ | ||
| 1971 | if (tls->flags & GOT_EC_CURVE_X25519) { | ||
| 1972 | /* ECDHE, curve x25519 */ | ||
| 1973 | static const uint8_t basepoint9[CURVE25519_KEYSIZE] ALIGN8 = {9}; | ||
| 1974 | uint8_t privkey[CURVE25519_KEYSIZE]; //[32] | ||
| 1975 | |||
| 1976 | if (!(tls->flags & GOT_EC_KEY)) | ||
| 1977 | bb_simple_error_msg_and_die("server did not provide EC key"); | ||
| 1978 | |||
| 1979 | /* Generate random private key, see RFC 7748 */ | ||
| 1980 | tls_get_random(privkey, sizeof(privkey)); | ||
| 1981 | privkey[0] &= 0xf8; | ||
| 1982 | privkey[CURVE25519_KEYSIZE-1] = ((privkey[CURVE25519_KEYSIZE-1] & 0x7f) | 0x40); | ||
| 1983 | |||
| 1984 | /* Compute public key */ | ||
| 1985 | curve25519(record->key + 1, privkey, basepoint9); | ||
| 1986 | |||
| 1987 | /* Compute premaster using peer's public key */ | ||
| 1988 | dbg("computing x25519_premaster\n"); | ||
| 1989 | curve25519(premaster, privkey, tls->hsd->ecc_pub_key32); | ||
| 1990 | |||
| 1991 | len = CURVE25519_KEYSIZE; | ||
| 1992 | record->key[0] = len; | ||
| 1993 | len++; | ||
| 1994 | premaster_size = CURVE25519_KEYSIZE; | ||
| 1995 | } else { | 1970 | } else { |
| 1996 | /* ECDHE, curve P256 */ | 1971 | /* ECDHE */ |
| 1997 | if (!(tls->flags & GOT_EC_KEY)) | 1972 | if (!(tls->flags & GOT_EC_KEY)) |
| 1998 | bb_simple_error_msg_and_die("server did not provide EC key"); | 1973 | bb_simple_error_msg_and_die("server did not provide EC key"); |
| 1999 | 1974 | ||
| 2000 | dbg("computing P256_premaster\n"); | 1975 | if (tls->flags & GOT_EC_CURVE_X25519) { |
| 2001 | curve_P256_compute_pubkey_and_premaster( | 1976 | /* ECDHE, curve x25519 */ |
| 2002 | record->key + 2, premaster, | 1977 | dbg("computing x25519_premaster\n"); |
| 2003 | /*point:*/ tls->hsd->ecc_pub_key32 | 1978 | curve_x25519_compute_pubkey_and_premaster( |
| 2004 | ); | 1979 | record->key + 1, premaster, |
| 2005 | premaster_size = P256_KEYSIZE; | 1980 | /*point:*/ tls->hsd->ecc_pub_key32 |
| 2006 | len = 1 + P256_KEYSIZE * 2; | 1981 | ); |
| 1982 | len = CURVE25519_KEYSIZE; | ||
| 1983 | //record->key[0] = len; | ||
| 1984 | //len++; | ||
| 1985 | //premaster_size = CURVE25519_KEYSIZE; | ||
| 1986 | } else { | ||
| 1987 | /* ECDHE, curve P256 */ | ||
| 1988 | dbg("computing P256_premaster\n"); | ||
| 1989 | curve_P256_compute_pubkey_and_premaster( | ||
| 1990 | record->key + 2, premaster, | ||
| 1991 | /*point:*/ tls->hsd->ecc_pub_key32 | ||
| 1992 | ); | ||
| 1993 | record->key[1] = 4; /* "uncompressed point" */ | ||
| 1994 | len = 1 + P256_KEYSIZE * 2; | ||
| 1995 | } | ||
| 2007 | record->key[0] = len; | 1996 | record->key[0] = len; |
| 2008 | record->key[1] = 4; | ||
| 2009 | len++; | 1997 | len++; |
| 1998 | premaster_size = P256_KEYSIZE; // = CURVE25519_KEYSIZE = 32 | ||
| 2010 | } | 1999 | } |
| 2011 | 2000 | ||
| 2012 | record->type = HANDSHAKE_CLIENT_KEY_EXCHANGE; | 2001 | record->type = HANDSHAKE_CLIENT_KEY_EXCHANGE; |
diff --git a/networking/tls.h b/networking/tls.h index e1afb7ea8..154e9b2fb 100644 --- a/networking/tls.h +++ b/networking/tls.h | |||
| @@ -105,12 +105,15 @@ void xorbuf_aligned_AES_BLOCK_SIZE(void* buf, const void* mask) FAST_FUNC; | |||
| 105 | #include "tls_aes.h" | 105 | #include "tls_aes.h" |
| 106 | #include "tls_aesgcm.h" | 106 | #include "tls_aesgcm.h" |
| 107 | #include "tls_rsa.h" | 107 | #include "tls_rsa.h" |
| 108 | #include "tls_fe.h" | ||
| 109 | 108 | ||
| 110 | #define EC_CURVE_KEYSIZE 32 | 109 | #define EC_CURVE_KEYSIZE 32 |
| 111 | #define P256_KEYSIZE 32 | 110 | #define P256_KEYSIZE 32 |
| 112 | #define CURVE25519_KEYSIZE 32 | 111 | #define CURVE25519_KEYSIZE 32 |
| 113 | 112 | ||
| 113 | void curve_x25519_compute_pubkey_and_premaster( | ||
| 114 | uint8_t *pubkey, uint8_t *premaster, | ||
| 115 | const uint8_t *peerkey32) FAST_FUNC; | ||
| 116 | |||
| 114 | void curve_P256_compute_pubkey_and_premaster( | 117 | void curve_P256_compute_pubkey_and_premaster( |
| 115 | uint8_t *pubkey, uint8_t *premaster, | 118 | uint8_t *pubkey, uint8_t *premaster, |
| 116 | const uint8_t *peerkey32) FAST_FUNC; | 119 | const uint8_t *peerkey32) FAST_FUNC; |
diff --git a/networking/tls_fe.c b/networking/tls_fe.c index f810e112a..3b3578c0d 100644 --- a/networking/tls_fe.c +++ b/networking/tls_fe.c | |||
| @@ -544,7 +544,7 @@ static void xc_double(byte *x3, byte *z3, | |||
| 544 | fe_mul_c(z3, x1sq, 4); | 544 | fe_mul_c(z3, x1sq, 4); |
| 545 | } | 545 | } |
| 546 | 546 | ||
| 547 | void FAST_FUNC curve25519(byte *result, const byte *e, const byte *q) | 547 | static void curve25519(byte *result, const byte *e, const byte *q) |
| 548 | { | 548 | { |
| 549 | int i; | 549 | int i; |
| 550 | 550 | ||
| @@ -599,3 +599,24 @@ void FAST_FUNC curve25519(byte *result, const byte *e, const byte *q) | |||
| 599 | fe_mul__distinct(result, zm1, xm); | 599 | fe_mul__distinct(result, zm1, xm); |
| 600 | fe_normalize(result); | 600 | fe_normalize(result); |
| 601 | } | 601 | } |
| 602 | |||
| 603 | /* interface to bbox's TLS code: */ | ||
| 604 | |||
| 605 | void FAST_FUNC curve_x25519_compute_pubkey_and_premaster( | ||
| 606 | uint8_t *pubkey, uint8_t *premaster, | ||
| 607 | const uint8_t *peerkey32) | ||
| 608 | { | ||
| 609 | static const uint8_t basepoint9[CURVE25519_KEYSIZE] ALIGN8 = {9}; | ||
| 610 | uint8_t privkey[CURVE25519_KEYSIZE]; //[32] | ||
| 611 | |||
| 612 | /* Generate random private key, see RFC 7748 */ | ||
| 613 | tls_get_random(privkey, sizeof(privkey)); | ||
| 614 | privkey[0] &= 0xf8; | ||
| 615 | privkey[CURVE25519_KEYSIZE-1] = ((privkey[CURVE25519_KEYSIZE-1] & 0x7f) | 0x40); | ||
| 616 | |||
| 617 | /* Compute public key */ | ||
| 618 | curve25519(pubkey, privkey, basepoint9); | ||
| 619 | |||
| 620 | /* Compute premaster using peer's public key */ | ||
| 621 | curve25519(premaster, privkey, peerkey32); | ||
| 622 | } | ||
diff --git a/networking/tls_fe.h b/networking/tls_fe.h deleted file mode 100644 index 2859c9d2d..000000000 --- a/networking/tls_fe.h +++ /dev/null | |||
| @@ -1,6 +0,0 @@ | |||
| 1 | /* | ||
| 2 | * Copyright (C) 2018 Denys Vlasenko | ||
| 3 | * | ||
| 4 | * Licensed under GPLv2, see file LICENSE in this source tree. | ||
| 5 | */ | ||
| 6 | void curve25519(uint8_t *result, const uint8_t *e, const uint8_t *q) FAST_FUNC; | ||