Golang curve25519.ScalarMult函数代码示例

// ECDH computes a Diffie-Hellman (DH) key exchange over the elliptic curve (EC)
// curve25519. If ownPublicKey is given it is used to check for the key
// reflection attack. Otherwise it is derived from privateKey.
func ECDH(privateKey, peersPublicKey, ownPublicKey *[32]byte) (*[32]byte, error) {
	var (
		sharedKey [32]byte
		pubKey    []byte
	)
	// check mandatory key length
	if privateKey == nil {
		return nil, log.Error("cipher: curve25519.ECDH(): privateKey == nil")
	}
	if peersPublicKey == nil {
		return nil, log.Error("cipher: curve25519.ECDH(): peersPublicKey == nil")
	}
	// check for key reflection attack
	if ownPublicKey != nil {
		pubKey = ownPublicKey[:]
	} else {
		var publicKey [32]byte
		curve25519.ScalarBaseMult(&publicKey, privateKey)
		pubKey = publicKey[:]
	}
	if bytes.Equal(pubKey, peersPublicKey[:]) {
		return nil, log.Errorf("cipher: curve25519.ECDH(): publicKey == peersPublicKey")
	}
	// perform Diffie-Hellman key exchange
	curve25519.ScalarMult(&sharedKey, privateKey, peersPublicKey)
	return &sharedKey, nil
}

// Verify an answer. secret is the own secret key, testKey is the public key to test ownership on
func Verify(answer *[AnswerSize]byte, secret *[PrivateKeySize]byte, testKey *[PublicKeySize]byte) bool {
	var sharedSecret [PublicKeySize]byte
	var timeb [8]byte
	var inChallenge [ChallengeSize]byte
	var hashIn [AnswerSize]byte
	var inHash [PrivateKeySize]byte
	t1, t2 := false, false

	copy(inChallenge[:], answer[:ChallengeSize]) // Copy full challenge
	copy(timeb[:], inChallenge[:8])              // First 8 byte of challenge are time
	copy(inHash[:], answer[ChallengeSize:])      // Copy hash
	tempPriv, _, outChallenge := genTempKey(timeb, secret)
	if *outChallenge == inChallenge {
		t1 = true
	}
	curve25519.ScalarMult(&sharedSecret, tempPriv, testKey)
	copy(hashIn[0:ChallengeSize], outChallenge[:])
	copy(hashIn[ChallengeSize:], sharedSecret[:])
	outHash := sha256.Sum256(hashIn[:])
	if inHash == outHash {
		t2 = true
	}
	if t1 && t2 {
		return true
	}
	return false
}

func (r *Ratchet) EncryptFirst(out, msg []byte, theirRatchetPublic *[32]byte) []byte {
	r.saved = make(map[[32]byte]map[uint32]savedKey)
	r.ratchet = true
	r.randBytes(r.ourRatchetPrivate[:])
	copy(r.theirRatchetPublic[:], theirRatchetPublic[:])
	copy(r.theirAuthPublic[:], theirRatchetPublic[:])

	var sharedKey [32]byte
	curve25519.ScalarMult(&sharedKey, &r.ourRatchetPrivate, &r.theirRatchetPublic)
	h := hmac.New(sha256.New, sharedKey[:])
	deriveKey(&r.rootKey, rootKeyLabel, h)
	deriveKey(&r.recvHeaderKey, headerKeyLabel, h)
	deriveKey(&r.nextSendHeaderKey, sendHeaderKeyLabel, h)
	deriveKey(&r.nextRecvHeaderKey, nextRecvHeaderKeyLabel, h)
	deriveKey(&r.recvChainKey, chainKeyLabel, h)

	var ourRatchetPublic [32]byte
	curve25519.ScalarBaseMult(&ourRatchetPublic, &r.ourRatchetPrivate)
	tag_idx := len(out)
	out = append(out, make([]byte, authSize)...)
	out = append(out, ourRatchetPublic[:]...)
	out = r.encrypt(out, msg)
	r.FillAuth(out[tag_idx:][:authSize], out[tag_idx+authSize:], theirRatchetPublic)
	return out
}

func (kx *KeyExchange) exchange1() error {
	reply, err := kx.meetingPlace.Exchange(kx.Log, kx.meeting1[:], kx.message1[:], kx.ShutdownChan)
	if err != nil {
		return err
	}

	var peerDHPublic, encryptedPeerDHPublic [32]byte
	if len(reply) < len(encryptedPeerDHPublic) {
		return errors.New("panda: meeting point reply too small")
	}

	copy(encryptedPeerDHPublic[:], reply)
	rijndael.NewCipher(&kx.key).Decrypt(&peerDHPublic, &encryptedPeerDHPublic)

	curve25519.ScalarMult(&kx.sharedKey, &kx.dhPrivate, &peerDHPublic)

	paddedLen := kx.meetingPlace.Padding()
	padded := make([]byte, paddedLen-24 /* nonce */ -secretbox.Overhead)
	binary.LittleEndian.PutUint32(padded, uint32(len(kx.kxBytes)))
	copy(padded[4:], kx.kxBytes)
	if _, err := io.ReadFull(kx.rand, padded[4+len(kx.kxBytes):]); err != nil {
		return err
	}

	var nonce [24]byte
	if _, err := io.ReadFull(kx.rand, nonce[:]); err != nil {
		return err
	}

	kx.message2 = make([]byte, paddedLen)
	copy(kx.message2, nonce[:])
	secretbox.Seal(kx.message2[24:24], padded, &nonce, &kx.sharedKey)

	return nil
}

// GetMixData decrypts the private portion of a nymaddress.
func (ad *Address) GetMixData(keysLookup KeyFunc) (*AddressPrivate, error) {
	pubkey := new([KeySize]byte)
	copy(pubkey[:], ad.MixPubKey)
	privkey := keysLookup(pubkey)
	if privkey == nil {
		return nil, ErrNoKey
	}
	sharedSecret := new([KeySize]byte)
	addrKey := new([KeySize]byte)
	copy(addrKey[:], ad.AddressKey)
	curve25519.ScalarMult(sharedSecret, privkey, addrKey)
	cr, err := lioness.New(sharedSecret[:]) // saves some bytes and is safe against tagging
	if err != nil {
		return nil, err
	}
	privmarshal, err := cr.Decrypt(ad.PrivateData)
	if err != nil {
		return nil, err
	}
	ap := new(AddressPrivate)
	_, err = asn1.Unmarshal(privmarshal, ap)
	if err != nil {
		return nil, err
	}
	return ap, nil
}

func (c *Conn) handshakeClient(handshakeHash hash.Hash, ephemeralPrivate *[32]byte) error {
	var ephemeralIdentityShared [32]byte
	curve25519.ScalarMult(&ephemeralIdentityShared, ephemeralPrivate, &c.Peer)

	digest := handshakeHash.Sum(nil)
	h := hmac.New(sha256.New, ephemeralIdentityShared[:])
	h.Write(serverProofMagic)
	h.Write(digest)
	digest = h.Sum(digest[:0])

	digestReceived := make([]byte, len(digest)+secretbox.Overhead)
	n, err := c.read(digestReceived)
	if err != nil {
		return err
	}
	if n != len(digest) {
		return shortMessageError
	}
	digestReceived = digestReceived[:n]

	if subtle.ConstantTimeCompare(digest, digestReceived) != 1 {
		return errors.New("transport: server identity incorrect")
	}

	var identityShared [32]byte
	curve25519.ScalarMult(&identityShared, &c.identity, &c.Peer)

	handshakeHash.Write(digest)
	digest = handshakeHash.Sum(digest[:0])

	h = hmac.New(sha256.New, identityShared[:])
	h.Write(clientProofMagic)
	h.Write(digest)

	finalMessage := make([]byte, 32+sha256.Size)
	copy(finalMessage, c.identityPublic[:])
	h.Sum(finalMessage[32:32])

	if _, err := c.write(finalMessage); err != nil {
		return err
	}

	return nil
}

func (e *curve25519ECDH) GenerateSharedSecret(privKey crypto.PrivateKey, pubKey crypto.PublicKey) ([]byte, error) {
	var priv, pub, secret *[32]byte

	priv = privKey.(*[32]byte)
	pub = pubKey.(*[32]byte)
	secret = new([32]byte)

	curve25519.ScalarMult(secret, priv, pub)
	return secret[:], nil
}

// ComputeSharedKey computes and returns the shared key based on the local private key and the remote public key.
func (this *c255) ComputeSharedKey(remotePublicKey []byte) (error, []byte) {
	var remote [32]byte
	if len(remotePublicKey) != 32 {
		return errors.New("ECDH : invalid Curve25519 KeyExchange"), nil
	}
	sharedKey := new([32]byte)
	copy(remote[:], remotePublicKey)
	curve25519.ScalarMult(sharedKey, &this.privateKey, &remote)
	return nil, sharedKey[:]
}

func (c *Conn) handshakeServer(handshakeHash hash.Hash, theirEphemeralPublic *[32]byte) error {
	var ephemeralIdentityShared [32]byte
	curve25519.ScalarMult(&ephemeralIdentityShared, &c.identity, theirEphemeralPublic)

	digest := handshakeHash.Sum(nil)
	h := hmac.New(sha256.New, ephemeralIdentityShared[:])
	h.Write(serverProofMagic)
	h.Write(digest)
	digest = h.Sum(digest[:0])

	if _, err := c.write(digest); err != nil {
		return err
	}

	handshakeHash.Write(digest)
	digest = handshakeHash.Sum(digest[:0])

	finalMessage := make([]byte, 32+sha256.Size+secretbox.Overhead)
	n, err := c.read(finalMessage)
	if err != nil {
		return err
	}
	if n != 32+sha256.Size {
		return shortMessageError
	}
	finalMessage = finalMessage[:n]

	copy(c.Peer[:], finalMessage[:32])
	var identityShared [32]byte
	curve25519.ScalarMult(&identityShared, &c.identity, &c.Peer)

	h = hmac.New(sha256.New, identityShared[:])
	h.Write(clientProofMagic)
	h.Write(digest)
	digest = h.Sum(digest[:0])

	if subtle.ConstantTimeCompare(digest, finalMessage[32:]) != 1 {
		return errors.New("transport: bad proof from client")
	}

	return nil
}

// ClientHandshake does the client side of a ntor handshake and returnes
// status, KEY_SEED, and AUTH.  If status is not true or AUTH does not match
// the value recieved from the server, the handshake MUST be aborted.
func ClientHandshake(clientKeypair *Keypair, serverPublic *PublicKey, idPublic *PublicKey, id *NodeID) (ok bool, keySeed *KeySeed, auth *Auth) {
	var notOk int
	var secretInput bytes.Buffer

	// Client side uses EXP(Y,x) | EXP(B,x)
	var exp [SharedSecretLength]byte
	curve25519.ScalarMult(&exp, clientKeypair.private.Bytes(),
		serverPublic.Bytes())
	notOk |= constantTimeIsZero(exp[:])
	secretInput.Write(exp[:])

	curve25519.ScalarMult(&exp, clientKeypair.private.Bytes(),
		idPublic.Bytes())
	notOk |= constantTimeIsZero(exp[:])
	secretInput.Write(exp[:])

	keySeed, auth = ntorCommon(secretInput, id, idPublic,
		clientKeypair.public, serverPublic)
	return notOk == 0, keySeed, auth
}

func FillAuthWith(ourAuthPrivate *[32]byte) func([]byte, []byte, *[32]byte) {
	return func(tag, data []byte, theirAuthPublic *[32]byte) {
		var sharedAuthKey [32]byte
		curve25519.ScalarMult(&sharedAuthKey, ourAuthPrivate, theirAuthPublic)

		var ourAuthPublic [32]byte
		curve25519.ScalarBaseMult(&ourAuthPublic, ourAuthPrivate)

		h := hmac.New(sha256.New, sharedAuthKey[:])
		h.Write(data)
		copy(tag, h.Sum(nil))
	}
}

// Answer an authentication challenge. Secret is the private key belonging to the public key to be tested
func Answer(challenge *[ChallengeSize]byte, secret *[PrivateKeySize]byte) *[AnswerSize]byte {
	// return challenge|hash(challenge,DH(Secret,challenge.Pub))
	var sharedSecret [PublicKeySize]byte
	var tempPub [PublicKeySize]byte
	var hashIn, answer [AnswerSize]byte
	copy(hashIn[0:ChallengeSize], challenge[:])
	copy(tempPub[:], challenge[8:])
	curve25519.ScalarMult(&sharedSecret, secret, &tempPub)
	copy(hashIn[ChallengeSize:], sharedSecret[:])
	mHash := sha256.Sum256(hashIn[:])
	copy(answer[:ChallengeSize], challenge[:])
	copy(answer[ChallengeSize:], mHash[:])
	return &answer
}

// Encrypt acts like append() but appends an encrypted version of msg to out.
func (r *Ratchet) Encrypt(out, msg []byte) []byte {
	if r.ratchet {
		r.randBytes(r.sendRatchetPrivate[:])
		copy(r.sendHeaderKey[:], r.nextSendHeaderKey[:])

		var sharedKey, keyMaterial [32]byte
		curve25519.ScalarMult(&sharedKey, &r.sendRatchetPrivate, &r.recvRatchetPublic)
		sha := sha256.New()
		sha.Write(rootKeyUpdateLabel)
		sha.Write(r.rootKey[:])
		sha.Write(sharedKey[:])

		if r.v2 {
			sha.Sum(keyMaterial[:0])
			h := hmac.New(sha256.New, keyMaterial[:])
			deriveKey(&r.rootKey, rootKeyLabel, h)
			deriveKey(&r.nextSendHeaderKey, sendHeaderKeyLabel, h)
			deriveKey(&r.sendChainKey, chainKeyLabel, h)
		} else {
			sha.Sum(r.rootKey[:0])
			h := hmac.New(sha256.New, r.rootKey[:])
			deriveKey(&r.nextSendHeaderKey, sendHeaderKeyLabel, h)
			deriveKey(&r.sendChainKey, chainKeyLabel, h)
		}
		r.prevSendCount, r.sendCount = r.sendCount, 0
		r.ratchet = false
	}

	h := hmac.New(sha256.New, r.sendChainKey[:])
	var messageKey [32]byte
	deriveKey(&messageKey, messageKeyLabel, h)
	deriveKey(&r.sendChainKey, chainKeyStepLabel, h)

	var sendRatchetPublic [32]byte
	curve25519.ScalarBaseMult(&sendRatchetPublic, &r.sendRatchetPrivate)
	var header [headerSize]byte
	var headerNonce, messageNonce [24]byte
	r.randBytes(headerNonce[:])
	r.randBytes(messageNonce[:])

	binary.LittleEndian.PutUint32(header[0:4], r.sendCount)
	binary.LittleEndian.PutUint32(header[4:8], r.prevSendCount)
	copy(header[8:], sendRatchetPublic[:])
	copy(header[nonceInHeaderOffset:], messageNonce[:])
	out = append(out, headerNonce[:]...)
	out = secretbox.Seal(out, header[:], &headerNonce, &r.sendHeaderKey)
	r.sendCount++
	return secretbox.Seal(out, msg, &messageNonce, &messageKey)
}

func computeSharedSecretWithPasswordHash(privateKey *[32]byte, herPublicKey *[32]byte, passwordHash *[32]byte) [32]byte {

	// TODO: check this, is this right way to check for empty [32]byte?

	var computedKey [32]byte
	curve25519.ScalarMult(&computedKey, privateKey, herPublicKey)

	buff := make([]byte, 64)
	copy(buff[:32], computedKey[:])
	copy(buff[32:64], passwordHash[:])

	secret := sha256.Sum256(buff)

	return secret
}

func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
	var kp curve25519KeyPair
	if err := kp.generate(rand); err != nil {
		return nil, err
	}
	if err := c.writePacket(Marshal(&kexECDHInitMsg{kp.pub[:]})); err != nil {
		return nil, err
	}

	packet, err := c.readPacket()
	if err != nil {
		return nil, err
	}

	var reply kexECDHReplyMsg
	if err = Unmarshal(packet, &reply); err != nil {
		return nil, err
	}
	if len(reply.EphemeralPubKey) != 32 {
		return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
	}

	var servPub, secret [32]byte
	copy(servPub[:], reply.EphemeralPubKey)
	curve25519.ScalarMult(&secret, &kp.priv, &servPub)
	if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
		return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
	}

	h := crypto.SHA256.New()
	magics.write(h)
	writeString(h, reply.HostKey)
	writeString(h, kp.pub[:])
	writeString(h, reply.EphemeralPubKey)

	kInt := new(big.Int).SetBytes(secret[:])
	K := make([]byte, intLength(kInt))
	marshalInt(K, kInt)
	h.Write(K)

	return &kexResult{
		H:         h.Sum(nil),
		K:         K,
		HostKey:   reply.HostKey,
		Signature: reply.Signature,
		Hash:      crypto.SHA256,
	}, nil
}