Use the SHA512 from ed25519/ instead of from OpenSSL for the PRF.

diff --git a/src/Makefile.am b/src/Makefile.am
index 2ca38c863c267989dc137406a9f3e08ca4362ee9..7e3523585cceb24d0d3ef78eebada45d081a9c7f 100644 (file)
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -80,7 +80,7 @@ libmeshlink_la_SOURCES = \
        net_socket.c \
        netutl.c netutl.h \
        node.c node.h \
-       prf.h \
+       prf.c prf.h \
        protocol.c protocol.h \
        protocol_auth.c \
        protocol_edge.c \
@@ -105,14 +105,12 @@ libmeshlink_la_SOURCES += \
        openssl/digest.c openssl/digest.h \
        ed25519/ecdh.c \
        ed25519/ecdsa.c \
-       ed25519/ecdsagen.c \
-       openssl/prf.c
+       ed25519/ecdsagen.c
 sptps_test_SOURCES += \
        openssl/crypto.c \
        openssl/digest.c openssl/digest.h \
        ed25519/ecdh.c \
-       ed25519/ecdsa.c \
-       openssl/prf.c
+       ed25519/ecdsa.c
 sptps_keypair_SOURCES += \
        openssl/crypto.c \
        ed25519/ecdsagen.c
@@ -121,8 +119,7 @@ sptps_speed_SOURCES += \
        openssl/digest.c openssl/digest.h \
        ed25519/ecdh.c \
        ed25519/ecdsa.c \
-       ed25519/ecdsagen.c \
-       openssl/prf.c
+       ed25519/ecdsagen.c
 
 sptps_speed_LDADD = -lrt
 

diff --git a/src/prf.c b/src/prf.c
new file mode 100644 (file)
index 0000000..354eb42
--- /dev/null
+++ b/src/prf.c
@@ -0,0 +1,105 @@
+/*
+    prf.c -- Pseudo-Random Function for key material generation
+    Copyright (C) 2014 Guus Sliepen <guus@meshlink.io>
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License along
+    with this program; if not, write to the Free Software Foundation, Inc.,
+    51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
+*/
+
+#include "system.h"
+
+#include "prf.h"
+#include "ed25519/sha512.h"
+
+static void memxor(char *buf, char c, size_t len) {
+       for(size_t i = 0; i < len; i++)
+               buf[i] ^= c;
+}
+
+static const size_t mdlen = 64;
+
+// TODO: separate key setup from hmac_sha512
+
+static bool hmac_sha512(const char *key, size_t keylen, const char *msg, size_t msglen, char *out) {
+       char tmp[2 * mdlen];
+       sha512_context md;
+
+       if(keylen <= mdlen) {
+               memcpy(tmp, key, keylen);
+               memset(tmp + keylen, 0, mdlen - keylen);
+       } else {
+               if(sha512(key, keylen, tmp) != 0)
+                       return false;
+       }
+
+       if(sha512_init(&md) != 0)
+               return false;
+
+       // ipad
+       memxor(tmp, 0x36, mdlen);
+       if(sha512_update(&md, tmp, mdlen) != 0)
+               return false;
+
+       // message
+       if(sha512_update(&md, msg, msglen) != 0)
+               return false;
+
+       if(sha512_final(&md, tmp + mdlen) != 0)
+               return false;
+
+       // opad
+       memxor(tmp, 0x36 ^ 0x5c, mdlen);
+       if(sha512(tmp, sizeof tmp, out) != 0)
+               return false;
+
+       return true;
+}
+
+/* Generate key material from a master secret and a seed, based on RFC 4346 section 5.
+   We use SHA512 instead of MD5 and SHA1.
+ */
+
+bool prf(const char *secret, size_t secretlen, char *seed, size_t seedlen, char *out, size_t outlen) {
+       /* Data is what the "inner" HMAC function processes.
+          It consists of the previous HMAC result plus the seed.
+        */
+
+       char data[mdlen + seedlen];
+       memset(data, 0, mdlen);
+       memcpy(data + mdlen, seed, seedlen);
+
+       char hash[mdlen];
+
+       while(outlen > 0) {
+               /* Inner HMAC */
+               if(!hmac_sha512(data, sizeof data, secret, secretlen, data))
+                       return false;
+
+               /* Outer HMAC */
+               if(outlen >= mdlen) {
+                       if(!hmac_sha512(data, sizeof data, secret, secretlen, out))
+                               return false;
+                       out += mdlen;
+                       outlen -= mdlen;
+               } else {
+                       if(!hmac_sha512(data, sizeof data, secret, secretlen, hash))
+                               return false;
+                       memcpy(out, hash, outlen);
+                       out += outlen;
+                       outlen = 0;
+               }
+       }
+
+       return true;
+}