From: Loup Vaillant Date: Wed, 13 Mar 2019 23:10:26 +0000 (+0100) Subject: Improved the key exchange API X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=5bf2ba5f93d955240fdb5c1089e02d74f9b61555;p=Monocypher.git Improved the key exchange API crypto_kex_ctx is now differentiated into a client specific context, and a server specific context. The distinction is entirely artificial (it's the same thing under the hood), but it prevents some misuses at compile time, making the API easier to use. The name of the arguments have also been changed: "local" and "remote" have been replaced by "client" and "server" whenever appropriate. The previous names made implementation easier, but their meaning was context dependent, and thus confusing. The new names have stable meanings, and thus easier to document and use. TODO: update the manual to reflect those changes. --- diff --git a/src/monocypher.c b/src/monocypher.c index 24c13e2..4ca7243 100644 --- a/src/monocypher.c +++ b/src/monocypher.c @@ -2255,36 +2255,43 @@ static void kex_seed(crypto_kex_ctx *ctx, u8 random_seed[32]) /// XK1 /// /////////// static const u8 xk1_ck0[32] = "Monokex XK1"; -void crypto_kex_xk1_init_client(crypto_kex_ctx *ctx, - u8 random_seed[32], - const u8 local_sk [32], - const u8 local_pk [32], - const u8 remote_pk [32]) -{ - kex_init (ctx, local_sk, local_pk); +void crypto_kex_xk1_init_client(crypto_kex_client_ctx *client_ctx, + u8 random_seed[32], + const u8 client_sk [32], + const u8 client_pk [32], + const u8 server_pk [32]) +{ + crypto_kex_ctx *ctx = &(client_ctx->ctx); + kex_init (ctx, client_sk, client_pk); kex_seed (ctx, random_seed); - kex_receive(ctx, ctx->remote_pk, remote_pk); + kex_receive(ctx, ctx->remote_pk, server_pk); copy32(ctx->chaining_key, xk1_ck0); } -void crypto_kex_xk1_init_server(crypto_kex_ctx *ctx, - u8 random_seed[32], - const u8 local_sk [32], - const u8 local_pk [32]) +void crypto_kex_xk1_init_server(crypto_kex_server_ctx *server_ctx, + u8 random_seed[32], + const u8 server_sk [32], + const u8 server_pk [32]) { - kex_init (ctx, local_sk, local_pk); + crypto_kex_ctx *ctx = &(server_ctx->ctx); + kex_init (ctx, server_sk, server_pk); kex_seed (ctx, random_seed); kex_receive(ctx, ctx->local_pk, ctx->local_pk); copy32(ctx->chaining_key, xk1_ck0); } -void crypto_kex_xk1_1(crypto_kex_ctx *ctx, u8 msg1[32]) +void crypto_kex_xk1_1(crypto_kex_client_ctx *client_ctx, + u8 msg1[32]) { + crypto_kex_ctx *ctx = &(client_ctx->ctx); kex_send (ctx, msg1 , ctx->local_pke ); // -> IE } -void crypto_kex_xk1_2(crypto_kex_ctx *ctx, u8 msg2[48], const u8 msg1[32]) +void crypto_kex_xk1_2(crypto_kex_server_ctx *server_ctx, + u8 msg2[48], + const u8 msg1[32]) { + crypto_kex_ctx *ctx = &(server_ctx->ctx); kex_receive (ctx, ctx->remote_pke, msg1 ); // -> IE kex_send (ctx, msg2 , ctx->local_pke ); // <- RE kex_update_key(ctx, ctx->local_ske , ctx->remote_pke); // ee @@ -2292,11 +2299,12 @@ void crypto_kex_xk1_2(crypto_kex_ctx *ctx, u8 msg2[48], const u8 msg1[32]) kex_auth (ctx, msg2 + 32); // auth } -int crypto_kex_xk1_3(crypto_kex_ctx *ctx, - u8 session_key[32], - u8 msg3[48], - const u8 msg2[48]) +int crypto_kex_xk1_3(crypto_kex_client_ctx *client_ctx, + u8 session_key[32], + u8 msg3 [48], + const u8 msg2 [48]) { + crypto_kex_ctx *ctx = &(client_ctx->ctx); kex_receive (ctx, ctx->remote_pke, msg2 ); // <- RE kex_update_key(ctx, ctx->local_ske , ctx->remote_pke); // ee kex_update_key(ctx, ctx->local_ske , ctx->remote_pk ); // es @@ -2309,15 +2317,16 @@ int crypto_kex_xk1_3(crypto_kex_ctx *ctx, return 0; } -int crypto_kex_xk1_4(crypto_kex_ctx *ctx, - u8 session_key[32], - u8 remote_pk[32], - const u8 msg3[48]) +int crypto_kex_xk1_4(crypto_kex_server_ctx *server_ctx, + u8 session_key[32], + u8 client_pk [32], + const u8 msg3 [48]) { + crypto_kex_ctx *ctx = &(server_ctx->ctx); kex_receive (ctx, ctx->remote_pk , msg3 ); // -> IS kex_update_key(ctx, ctx->local_ske , ctx->remote_pk ); // se if (kex_verify(ctx, msg3 + 32)) { return -1; } // verify - copy32(remote_pk , ctx->remote_pk); + copy32(client_pk , ctx->remote_pk); copy32(session_key, ctx->derived_keys + 32); WIPE_CTX(ctx); return 0; @@ -2327,29 +2336,34 @@ int crypto_kex_xk1_4(crypto_kex_ctx *ctx, /// X /// ///////// static const u8 x_ck0[32] = "Monokex X"; -void crypto_kex_x_init_client(crypto_kex_ctx *ctx, - u8 random_seed[32], - const u8 local_sk [32], - const u8 local_pk [32], - const u8 remote_pk [32]) -{ - kex_init (ctx, local_sk, local_pk); +void crypto_kex_x_init_client(crypto_kex_client_ctx *client_ctx, + u8 random_seed[32], + const u8 client_sk [32], + const u8 client_pk [32], + const u8 server_pk [32]) +{ + crypto_kex_ctx *ctx = &(client_ctx->ctx); + kex_init (ctx, client_sk, client_pk); kex_seed (ctx, random_seed); - kex_receive(ctx, ctx->remote_pk, remote_pk); + kex_receive(ctx, ctx->remote_pk, server_pk); copy32(ctx->chaining_key, x_ck0); } -void crypto_kex_x_init_server(crypto_kex_ctx *ctx, - const u8 local_sk[32], - const u8 local_pk[32]) +void crypto_kex_x_init_server(crypto_kex_server_ctx *server_ctx, + const u8 server_sk [32], + const u8 server_pk [32]) { - kex_init (ctx, local_sk, local_pk); + crypto_kex_ctx *ctx = &(server_ctx->ctx); + kex_init (ctx, server_sk, server_pk); kex_receive(ctx, ctx->local_pk, ctx->local_pk); copy32(ctx->chaining_key, x_ck0); } -void crypto_kex_x_1(crypto_kex_ctx *ctx, u8 session_key[32], u8 msg1[80]) +void crypto_kex_x_1(crypto_kex_client_ctx *client_ctx, + u8 session_key[32], + u8 msg1 [80]) { + crypto_kex_ctx *ctx = &(client_ctx->ctx); kex_send (ctx, msg1 , ctx->local_pke ); // -> IE kex_update_key(ctx, ctx->local_ske , ctx->remote_pk ); // es kex_send (ctx, msg1 + 32 , ctx->local_pk ); // -> IS @@ -2359,17 +2373,18 @@ void crypto_kex_x_1(crypto_kex_ctx *ctx, u8 session_key[32], u8 msg1[80]) WIPE_CTX(ctx); } -int crypto_kex_x_2(crypto_kex_ctx *ctx, - u8 session_key[32], - u8 remote_pk [32], - const u8 msg1 [80]) +int crypto_kex_x_2(crypto_kex_server_ctx *server_ctx, + u8 session_key[32], + u8 client_pk [32], + const u8 msg1 [80]) { + crypto_kex_ctx *ctx = &(server_ctx->ctx); kex_receive (ctx, ctx->remote_pke, msg1 ); // -> IE kex_update_key(ctx, ctx->local_sk , ctx->remote_pke); // es kex_receive (ctx, ctx->remote_pk , msg1 + 32 ); // -> IS kex_update_key(ctx, ctx->local_sk , ctx->remote_pk ); // ss if (kex_verify(ctx, msg1 + 64)) { return -1; } // verify - copy32(remote_pk , ctx->remote_pk); + copy32(client_pk , ctx->remote_pk); copy32(session_key, ctx->derived_keys + 32); WIPE_CTX(ctx); return 0; diff --git a/src/monocypher.h b/src/monocypher.h index 1c6716a..2c8267e 100644 --- a/src/monocypher.h +++ b/src/monocypher.h @@ -77,6 +77,8 @@ typedef struct { uint8_t remote_pke [32]; size_t transcript_size; } crypto_kex_ctx; +typedef struct { crypto_kex_ctx ctx; } crypto_kex_client_ctx; +typedef struct { crypto_kex_ctx ctx; } crypto_kex_server_ctx; //////////////////////////// /// High level interface /// @@ -235,47 +237,47 @@ int crypto_check_final (crypto_check_ctx *ctx); // Secure channel (interactive) // ---------------------------- -void crypto_kex_xk1_init_client(crypto_kex_ctx *ctx, - uint8_t random_seed[32], - const uint8_t local_sk [32], - const uint8_t local_pk [32], - const uint8_t remote_pk [32]); -void crypto_kex_xk1_init_server(crypto_kex_ctx *ctx, - uint8_t random_seed[32], - const uint8_t local_sk [32], - const uint8_t local_pk [32]); - -void crypto_kex_xk1_1(crypto_kex_ctx *ctx, - uint8_t msg1[32]); -void crypto_kex_xk1_2(crypto_kex_ctx *ctx, - uint8_t msg2[48], - const uint8_t msg1[32]); -int crypto_kex_xk1_3(crypto_kex_ctx *ctx, - uint8_t session_key[32], - uint8_t msg3 [48], - const uint8_t msg2 [48]); -int crypto_kex_xk1_4(crypto_kex_ctx *ctx, - uint8_t session_key[32], - uint8_t remote_pk [32], - const uint8_t msg3 [48]); +void crypto_kex_xk1_init_client(crypto_kex_client_ctx *client_ctx, + uint8_t random_seed[32], + const uint8_t client_sk [32], + const uint8_t client_pk [32], + const uint8_t server_pk [32]); +void crypto_kex_xk1_init_server(crypto_kex_server_ctx *server_ctx, + uint8_t random_seed[32], + const uint8_t server_sk [32], + const uint8_t server_pk [32]); +void crypto_kex_xk1_1(crypto_kex_client_ctx *client_ctx, + uint8_t msg1[32]); +void crypto_kex_xk1_2(crypto_kex_server_ctx *server_ctx, + uint8_t msg2[48], + const uint8_t msg1[32]); +int crypto_kex_xk1_3(crypto_kex_client_ctx *client_ctx, + uint8_t session_key[32], + uint8_t msg3 [48], + const uint8_t msg2 [48]); +int crypto_kex_xk1_4(crypto_kex_server_ctx *server_ctx, + uint8_t session_key[32], + uint8_t client_pk [32], + const uint8_t msg3 [48]); // Secure channel (one way) // ------------------------ -void crypto_kex_x_init_client(crypto_kex_ctx *ctx, - uint8_t random_seed[32], - const uint8_t local_sk [32], - const uint8_t local_pk [32], - const uint8_t remote_pk [32]); -void crypto_kex_x_init_server(crypto_kex_ctx *ctx, - const uint8_t local_sk [32], - const uint8_t local_pk [32]); -void crypto_kex_x_1(crypto_kex_ctx *ctx, - uint8_t session_key[32], - uint8_t msg1 [80]); -int crypto_kex_x_2(crypto_kex_ctx *ctx, - uint8_t session_key[32], - uint8_t remote_pk [32], - const uint8_t msg1 [80]); +void crypto_kex_x_init_client(crypto_kex_client_ctx *client_ctx, + uint8_t random_seed[32], + const uint8_t client_sk [32], + const uint8_t client_pk [32], + const uint8_t server_pk [32]); +void crypto_kex_x_init_server(crypto_kex_server_ctx *server_ctx, + const uint8_t server_sk [32], + const uint8_t server_pk [32]); +void crypto_kex_x_1(crypto_kex_client_ctx *client_ctx, + uint8_t session_key[32], + uint8_t msg1 [80]); +int crypto_kex_x_2(crypto_kex_server_ctx *server_ctx, + uint8_t session_key[32], + uint8_t client_pk [32], + const uint8_t msg1 [80]); + //////////////////////////// diff --git a/tests/speed.c b/tests/speed.c index 7f804d2..4235eb3 100644 --- a/tests/speed.c +++ b/tests/speed.c @@ -142,10 +142,10 @@ static void get_interactive_session(u8 msg1[32], u8 msg2[48], u8 msg3[48], c_seed[i] = client_seed[i]; s_seed[i] = server_seed[i]; } - crypto_kex_ctx client_ctx; + crypto_kex_client_ctx client_ctx; crypto_kex_xk1_init_client(&client_ctx, c_seed, client_sk, client_pk, server_pk); - crypto_kex_ctx server_ctx; + crypto_kex_server_ctx server_ctx; crypto_kex_xk1_init_server(&server_ctx, s_seed, server_sk, server_pk); crypto_kex_xk1_1(&client_ctx, msg1); @@ -191,7 +191,7 @@ static u64 interactive_client(void) client_seed, server_seed); TIMING_START { u8 session_key[32]; - crypto_kex_ctx client_ctx; + crypto_kex_client_ctx client_ctx; u8 seed[32]; FOR (i, 0, 32) { seed[i] = client_seed[i]; @@ -223,7 +223,7 @@ static u64 interactive_server(void) TIMING_START { u8 session_key[32]; u8 remote_pk [32]; // same as client_pk - crypto_kex_ctx server_ctx; + crypto_kex_server_ctx server_ctx; u8 seed[32]; FOR (i, 0, 32) { seed[i] = server_seed[i]; @@ -252,10 +252,10 @@ static void get_one_way_session(u8 msg[80], u8 client_pk[32], u8 server_pk[32], c_seed[i] = client_seed[i]; } - crypto_kex_ctx client_ctx; + crypto_kex_client_ctx client_ctx; crypto_kex_x_init_client(&client_ctx, c_seed, client_sk, client_pk, server_pk); - crypto_kex_ctx server_ctx; + crypto_kex_server_ctx server_ctx; crypto_kex_x_init_server(&server_ctx, server_sk, server_pk); u8 client_session_key[32]; @@ -294,7 +294,7 @@ static u64 one_way_client(void) FOR (i, 0, 32) { seed[i] = client_seed[i]; } - crypto_kex_ctx client_ctx; + crypto_kex_client_ctx client_ctx; crypto_kex_x_init_client(&client_ctx, seed, client_sk, client_pk, server_pk); crypto_kex_x_1(&client_ctx, session_key, msg); @@ -315,7 +315,7 @@ static u64 one_way_server(void) TIMING_START { u8 session_key[32]; u8 remote_pk [32]; // same as client_pk - crypto_kex_ctx server_ctx; + crypto_kex_server_ctx server_ctx; crypto_kex_x_init_server(&server_ctx, server_sk, server_pk); if (crypto_kex_x_2(&server_ctx, session_key, remote_pk, msg)) { fprintf(stderr, "Cannot receive\n"); diff --git a/tests/test.c b/tests/test.c index 67ed7c5..f1e289c 100644 --- a/tests/test.c +++ b/tests/test.c @@ -240,8 +240,8 @@ static void monokex_xk1(const vector in[], vector *out) const vector *msg1 = in + 6; const vector *msg2 = in + 7; const vector *msg3 = in + 8; - crypto_kex_ctx client; - crypto_kex_ctx server; + crypto_kex_client_ctx client; + crypto_kex_server_ctx server; u8 client_seed[32]; memcpy(client_seed, ie->buf, ie->size); u8 server_seed[32]; memcpy(server_seed, re->buf, re->size); crypto_kex_xk1_init_client(&client, client_seed, is->buf, IS->buf, RS->buf); @@ -281,8 +281,8 @@ static void monokex_x(const vector in[], vector *out) const vector *IS = in + 3; const vector *RS = in + 4; const vector *msg1 = in + 5; - crypto_kex_ctx client; - crypto_kex_ctx server; + crypto_kex_client_ctx client; + crypto_kex_server_ctx server; u8 seed[32]; memcpy(seed, ie->buf, ie->size); crypto_kex_x_init_client(&client, seed, is->buf, IS->buf, RS->buf); crypto_kex_x_init_server(&server, rs->buf, RS->buf); @@ -934,8 +934,8 @@ static int p_monokex_xk1() u8 IS[32]; crypto_x25519_public_key(IS, is); u8 RS[32]; crypto_x25519_public_key(RS, rs); - crypto_kex_ctx client1, client2; - crypto_kex_ctx server1, server2; + crypto_kex_client_ctx client1, client2; + crypto_kex_server_ctx server1, server2; u8 client_seed1[32]; memcpy(client_seed1, ie, 32); u8 client_seed2[32]; memcpy(client_seed2, ie, 32); u8 server_seed1[32]; memcpy(server_seed1, re, 32); @@ -957,8 +957,8 @@ static int p_monokex_xk1() crypto_kex_xk1_1(&client2, msg12); crypto_kex_xk1_2(&server1, msg21, msg11); crypto_kex_xk1_2(&server2, msg22, msg12); - crypto_kex_ctx client_save = client1; - crypto_kex_ctx server_save = server1; + crypto_kex_client_ctx client_save = client1; + crypto_kex_server_ctx server_save = server1; // make sure everything is accepted as it should be status |= crypto_kex_xk1_3(&client1, client_key1, msg31, msg21); status |= crypto_kex_xk1_3(&client2, client_key2, msg32, msg22); @@ -989,8 +989,8 @@ static int p_monokex_x() u8 IS[32]; crypto_x25519_public_key(IS, is); u8 RS[32]; crypto_x25519_public_key(RS, rs); - crypto_kex_ctx client1, client2; - crypto_kex_ctx server1, server2; + crypto_kex_client_ctx client1, client2; + crypto_kex_server_ctx server1, server2; u8 seed1[32]; memcpy(seed1, ie, 32); u8 seed2[32]; memcpy(seed2, ie, 32); crypto_kex_x_init_client(&client1, seed1, is, IS, RS); @@ -1003,7 +1003,7 @@ static int p_monokex_x() u8 remote_pk1 [32]; u8 remote_pk2 [32]; crypto_kex_x_1(&client1, client_key1, msg11); crypto_kex_x_1(&client2, client_key2, msg12); - crypto_kex_ctx server_save = server1; + crypto_kex_server_ctx server_save = server1; // make sure everything is accepted as it should be status |= crypto_kex_x_2(&server1, server_key1, remote_pk1, msg11); status |= crypto_kex_x_2(&server2, server_key2, remote_pk2, msg12);