blob: accb28a7838db974a93d9a616c2c1dcb5a467eb3 [file] [log] [blame]
/* Copyright (c) 2020, Google Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
* SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
#include <openssl/bn.h>
#include <openssl/bytestring.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/mem.h>
#include <openssl/nid.h>
#include <openssl/trust_token.h>
#include "../fipsmodule/bn/internal.h"
#include "../fipsmodule/ec/internal.h"
// Privacy Pass uses a custom elliptic curve construction described in
// https://eprint.iacr.org/2020/072.pdf (section 7, construction 4). Ths
// construction provides anonymous tokens with private metadata and validity
// verification.
// get_h returns a randomly selected point for the Privacy Pass protocol.
//
// x: 66591746412783875033873351891229753622964683369847172829242944646280287810
// 81195403447871073952234683395256591180452378091073292247502091640572714366
// 588045092
// y: 12347430519393087872533727997980072129796839266949808299436682045034861065
// 18810630511924722292325611253427311923464047364545304196431830383014967865
// 162306253
//
// This point was generated with the following Python code.
/*
import hashlib
SEED_H = 'PrivacyPass H'
A = -3
B = 0x051953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e156193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00
P = 2**521 - 1
def get_y(x):
y2 = (x**3 + A*x + B) % P
y = pow(y2, (P+1)/4, P)
if (y*y) % P != y2:
raise ValueError("point not on curve")
return y
def bit(h,i):
return (ord(h[i/8]) >> (i%8)) & 1
b = 521
def decode_point(so):
s = hashlib.sha256(so + '0').digest() + hashlib.sha256(so + '1').digest() + \
hashlib.sha256(so + '2').digest()
x = 0
for i in range(0,b):
x = x + (long(bit(s,i))<<i)
if x >= P:
raise ValueError("x out of range")
y = get_y(x)
if y & 1 != bit(s,b-1): y = P-y
return (x, y)
def gen_point(seed):
v = hashlib.sha256(seed).digest()
it = 1
while True:
try:
x,y = decode_point(v)
except Exception, e:
print e
it += 1
v = hashlib.sha256(v).digest()
continue
print "Found in %d iterations:" % it
print " x = %d" % x
print " y = %d" % y
print " Encoded (hex): (%x, %x)" % (x, y)
return (x, y)
if __name__ == "__main__":
gen_point(SEED_H)
*/
static EC_POINT *get_h(void) {
EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp521r1);
if (group == NULL) {
return NULL;
}
static const BN_ULONG kHGenX[] = {
TOBN(0x3d01749f, 0xc51e4724),
TOBN(0x31c28621, 0xf95c98b9),
TOBN(0x6dc5392a, 0xd4ce846e),
TOBN(0xda645354, 0x4ef9760d),
TOBN(0x5945d13e, 0x25337e4c),
TOBN(0xeb0f6bc0, 0x5c0ecefe),
TOBN(0xab291003, 0x6f4ef5bd),
TOBN(0xa9f79ebc, 0x126cefd1),
0x000001f0,
};
static const BIGNUM kX = STATIC_BIGNUM(kHGenX);
static const BN_ULONG kHGenY[] = {
TOBN(0xffa6a0ea, 0x966792cd),
TOBN(0x6e783d17, 0x08e3df3c),
TOBN(0xb5617012, 0x72ac6ab0),
TOBN(0xe0bcf350, 0x5c7e6641),
TOBN(0x53bc55ea, 0xad8f261d),
TOBN(0xbba93b9d, 0x70491eb4),
TOBN(0x5214756f, 0x36d9c7fa),
TOBN(0x1762517d, 0x325e29ac),
0x0000005c,
};
static const BIGNUM kY = STATIC_BIGNUM(kHGenY);
EC_POINT *h = EC_POINT_new(group);
if (h == NULL ||
!EC_POINT_set_affine_coordinates_GFp(group, h, &kX, &kY, NULL)) {
EC_POINT_free(h);
return NULL;
}
return h;
}
// generate_keypair generates a keypair for the Private Metadata construction.
// |out_x| and |out_y| are set to the secret half of the keypair, while
// |*out_pub| is set to the public half of the keypair. It returns one on
// success and zero on failure.
static int generate_keypair(EC_SCALAR *out_x, EC_SCALAR *out_y,
EC_RAW_POINT *out_pub, const EC_GROUP *group) {
EC_POINT *h = get_h();
if (h == NULL) {
return 0;
}
static const uint8_t kDefaultAdditionalData[32] = {0};
EC_RAW_POINT tmp1, tmp2;
if (!ec_random_nonzero_scalar(group, out_x, kDefaultAdditionalData) ||
!ec_random_nonzero_scalar(group, out_y, kDefaultAdditionalData) ||
!ec_point_mul_scalar_base(group, &tmp1, out_x) ||
!ec_point_mul_scalar(group, &tmp2, &h->raw, out_y)) {
EC_POINT_free(h);
OPENSSL_PUT_ERROR(TRUST_TOKEN, ERR_R_MALLOC_FAILURE);
return 0;
}
group->meth->add(group, out_pub, &tmp1, &tmp2);
EC_POINT_free(h);
return 1;
}
static int point_to_cbb(CBB *out, const EC_GROUP *group,
const EC_RAW_POINT *point) {
size_t len =
ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, NULL, 0);
if (len == 0) {
return 0;
}
uint8_t *p;
return CBB_add_space(out, &p, len) &&
ec_point_to_bytes(group, point, POINT_CONVERSION_UNCOMPRESSED, p,
len) == len;
}
int TRUST_TOKEN_generate_key(uint8_t *out_priv_key, size_t *out_priv_key_len,
size_t max_priv_key_len, uint8_t *out_pub_key,
size_t *out_pub_key_len, size_t max_pub_key_len,
uint32_t id) {
int ok = 0;
CBB cbb;
CBB_zero(&cbb);
EC_GROUP *group = EC_GROUP_new_by_curve_name(NID_secp521r1);
if (group == NULL) {
return 0;
}
EC_RAW_POINT pub0, pub1, pubs;
EC_SCALAR x0, y0, x1, y1, xs, ys;
if (!generate_keypair(&x0, &y0, &pub0, group) ||
!generate_keypair(&x1, &y1, &pub1, group) ||
!generate_keypair(&xs, &ys, &pubs, group)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_KEYGEN_FAILURE);
goto err;
}
size_t scalar_len = BN_num_bytes(&group->order);
if (!CBB_init_fixed(&cbb, out_priv_key, max_priv_key_len) ||
!CBB_add_u32(&cbb, id)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);
goto err;
}
const EC_SCALAR *scalars[] = {&x0, &y0, &x1, &y1, &xs, &ys};
for (size_t i = 0; i < OPENSSL_ARRAY_SIZE(scalars); i++) {
uint8_t *buf;
if (!CBB_add_space(&cbb, &buf, scalar_len)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);
goto err;
}
ec_scalar_to_bytes(group, buf, &scalar_len, scalars[i]);
}
if (!CBB_finish(&cbb, NULL, out_priv_key_len)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);
goto err;
}
CBB pub_cbb;
if (!CBB_init_fixed(&cbb, out_pub_key, max_pub_key_len) ||
!CBB_add_u32(&cbb, id) ||
!CBB_add_u16_length_prefixed(&cbb, &pub_cbb) ||
!point_to_cbb(&pub_cbb, group, &pub0) ||
!CBB_add_u16_length_prefixed(&cbb, &pub_cbb) ||
!point_to_cbb(&pub_cbb, group, &pub1) ||
!CBB_add_u16_length_prefixed(&cbb, &pub_cbb) ||
!point_to_cbb(&pub_cbb, group, &pubs) ||
!CBB_finish(&cbb, NULL, out_pub_key_len)) {
OPENSSL_PUT_ERROR(TRUST_TOKEN, TRUST_TOKEN_R_BUFFER_TOO_SMALL);
goto err;
}
ok = 1;
err:
CBB_cleanup(&cbb);
return ok;
}