Botan 3.6.1
Crypto and TLS for C&
roughtime.cpp
Go to the documentation of this file.
1/*
2* Roughtime
3* (C) 2019 Nuno Goncalves <nunojpg@gmail.com>
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/roughtime.h>
9
10#include <botan/base64.h>
11#include <botan/hash.h>
12#include <botan/pubkey.h>
13#include <botan/rng.h>
14#include <botan/internal/socket_udp.h>
15
16#include <cmath>
17#include <map>
18#include <sstream>
19
20namespace Botan {
21
22namespace {
23
24// This exists to work around a LGTM false positive
25static_assert(Roughtime::request_min_size == 1024, "Expected minimum size");
26
27template <class T>
28struct is_array : std::false_type {};
29
30template <class T, std::size_t N>
31struct is_array<std::array<T, N>> : std::true_type {};
32
33template <typename T>
34T impl_from_little_endian(const uint8_t* t, const size_t i)
35 requires(sizeof(T) <= sizeof(int64_t))
36{
37 return T(static_cast<int64_t>(t[i]) << i * 8) + (i == 0 ? T(0) : impl_from_little_endian<T>(t, i - 1));
38}
39
40template <typename T>
41T from_little_endian(const uint8_t* t) {
42 return impl_from_little_endian<T>(t, sizeof(T) - 1);
43}
44
45template <typename T>
46T copy(const uint8_t* t)
47 requires(is_array<T>::value)
48{
49 return typecast_copy<T>(t); //arrays are endianess independent, so we do a memcpy
50}
51
52template <typename T>
53T copy(const uint8_t* t)
54 requires(!is_array<T>::value)
55{
56 //other types are arithmetic, so we account that roughtime serializes as little endian
57 return from_little_endian<T>(t);
58}
59
60template <typename T>
61std::map<std::string, std::vector<uint8_t>> unpack_roughtime_packet(T bytes) {
62 if(bytes.size() < 8) {
63 throw Roughtime::Roughtime_Error("Map length is under minimum of 8 bytes");
64 }
65 const auto buf = bytes.data();
66 const uint32_t num_tags = buf[0];
67 const uint32_t start_content = num_tags * 8;
68 if(start_content > bytes.size()) {
69 throw Roughtime::Roughtime_Error("Map length too small to contain all tags");
70 }
71 uint32_t start = start_content;
72 std::map<std::string, std::vector<uint8_t>> tags;
73 for(uint32_t i = 0; i < num_tags; ++i) {
74 const size_t end =
75 ((i + 1) == num_tags) ? bytes.size() : start_content + from_little_endian<uint32_t>(buf + 4 + i * 4);
76 if(end > bytes.size()) {
77 throw Roughtime::Roughtime_Error("Tag end index out of bounds");
78 }
79 if(end < start) {
80 throw Roughtime::Roughtime_Error("Tag offset must be more than previous tag offset");
81 }
82 const char* label_ptr = cast_uint8_ptr_to_char(buf) + (num_tags + i) * 4;
83 const char label[] = {label_ptr[0], label_ptr[1], label_ptr[2], label_ptr[3], 0};
84 auto ret = tags.emplace(label, std::vector<uint8_t>(buf + start, buf + end));
85 if(!ret.second) {
86 throw Roughtime::Roughtime_Error(std::string("Map has duplicated tag: ") + label);
87 }
88 start = static_cast<uint32_t>(end);
89 }
90 return tags;
91}
92
93template <typename T>
94T get(const std::map<std::string, std::vector<uint8_t>>& map, const std::string& label) {
95 const auto& tag = map.find(label);
96 if(tag == map.end()) {
97 throw Roughtime::Roughtime_Error("Tag " + label + " not found");
98 }
99 if(tag->second.size() != sizeof(T)) {
100 throw Roughtime::Roughtime_Error("Tag " + label + " has unexpected size");
101 }
102 return copy<T>(tag->second.data());
103}
104
105const std::vector<uint8_t>& get_v(const std::map<std::string, std::vector<uint8_t>>& map, const std::string& label) {
106 const auto& tag = map.find(label);
107 if(tag == map.end()) {
108 throw Roughtime::Roughtime_Error("Tag " + label + " not found");
109 }
110 return tag->second;
111}
112
113bool verify_signature(const std::array<uint8_t, 32>& pk,
114 const std::vector<uint8_t>& payload,
115 const std::array<uint8_t, 64>& signature) {
116 const char context[] = "RoughTime v1 response signature";
117 Ed25519_PublicKey key(std::vector<uint8_t>(pk.data(), pk.data() + pk.size()));
118 PK_Verifier verifier(key, "Pure");
119 verifier.update(cast_char_ptr_to_uint8(context), sizeof(context)); //add context including \0
120 verifier.update(payload);
121 return verifier.check_signature(signature.data(), signature.size());
122}
123
124std::array<uint8_t, 64> hashLeaf(const std::array<uint8_t, 64>& leaf) {
125 std::array<uint8_t, 64> ret{};
126 auto hash = HashFunction::create_or_throw("SHA-512");
127 hash->update(0);
128 hash->update(leaf.data(), leaf.size());
129 hash->final(ret.data());
130 return ret;
131}
132
133void hashNode(std::array<uint8_t, 64>& hash, const std::array<uint8_t, 64>& node, bool reverse) {
134 auto h = HashFunction::create_or_throw("SHA-512");
135 h->update(1);
136 if(reverse) {
137 h->update(node.data(), node.size());
138 h->update(hash.data(), hash.size());
139 } else {
140 h->update(hash.data(), hash.size());
141 h->update(node.data(), node.size());
142 }
143 h->final(hash.data());
144}
145
146template <size_t N, typename T>
147std::array<uint8_t, N> vector_to_array(std::vector<uint8_t, T> vec) {
148 if(vec.size() != N) {
149 throw std::logic_error("Invalid vector size");
150 }
151 return typecast_copy<std::array<uint8_t, N>>(vec.data());
152}
153} // namespace
154
155namespace Roughtime {
156
157Nonce::Nonce(const std::vector<uint8_t>& nonce) {
158 if(nonce.size() != 64) {
159 throw Invalid_Argument("Roughtime nonce must be 64 bytes long");
160 }
161 m_nonce = typecast_copy<std::array<uint8_t, 64>>(nonce.data());
162}
163
164Nonce::Nonce(RandomNumberGenerator& rng) {
165 rng.randomize(m_nonce.data(), m_nonce.size());
166}
167
168std::array<uint8_t, request_min_size> encode_request(const Nonce& nonce) {
169 std::array<uint8_t, request_min_size> buf = {{2, 0, 0, 0, 64, 0, 0, 0, 'N', 'O', 'N', 'C', 'P', 'A', 'D', 0xff}};
170 std::memcpy(buf.data() + 16, nonce.get_nonce().data(), nonce.get_nonce().size());
171 std::memset(buf.data() + 16 + nonce.get_nonce().size(), 0, buf.size() - 16 - nonce.get_nonce().size());
172 return buf;
173}
174
175Response Response::from_bits(const std::vector<uint8_t>& response, const Nonce& nonce) {
176 const auto response_v = unpack_roughtime_packet(response);
177 const auto cert = unpack_roughtime_packet(get_v(response_v, "CERT"));
178 const auto cert_dele = get<std::array<uint8_t, 72>>(cert, "DELE");
179 const auto cert_sig = get<std::array<uint8_t, 64>>(cert, "SIG");
180 const auto cert_dele_v = unpack_roughtime_packet(cert_dele);
181 const auto srep = get_v(response_v, "SREP");
182 const auto srep_v = unpack_roughtime_packet(srep);
183
184 const auto cert_dele_pubk = get<std::array<uint8_t, 32>>(cert_dele_v, "PUBK");
185 const auto sig = get<std::array<uint8_t, 64>>(response_v, "SIG");
186 if(!verify_signature(cert_dele_pubk, srep, sig)) {
187 throw Roughtime_Error("Response signature invalid");
188 }
189
190 const auto indx = get<uint32_t>(response_v, "INDX");
191 const auto path = get_v(response_v, "PATH");
192 const auto srep_root = get<std::array<uint8_t, 64>>(srep_v, "ROOT");
193 const size_t size = path.size();
194 const size_t levels = size / 64;
195
196 if(size % 64) {
197 throw Roughtime_Error("Merkle tree path size must be multiple of 64 bytes");
198 }
199 if(indx >= (1U << levels)) {
200 throw Roughtime_Error("Merkle tree path is too short");
201 }
202
203 auto hash = hashLeaf(nonce.get_nonce());
204 auto index = indx;
205 size_t level = 0;
206 while(level < levels) {
207 hashNode(hash, typecast_copy<std::array<uint8_t, 64>>(path.data() + level * 64), index & 1);
208 ++level;
209 index >>= 1;
210 }
211
212 if(srep_root != hash) {
213 throw Roughtime_Error("Nonce verification failed");
214 }
215
216 const auto cert_dele_maxt = sys_microseconds64(get<microseconds64>(cert_dele_v, "MAXT"));
217 const auto cert_dele_mint = sys_microseconds64(get<microseconds64>(cert_dele_v, "MINT"));
218 const auto srep_midp = sys_microseconds64(get<microseconds64>(srep_v, "MIDP"));
219 const auto srep_radi = get<microseconds32>(srep_v, "RADI");
220 if(srep_midp < cert_dele_mint) {
221 throw Roughtime_Error("Midpoint earlier than delegation start");
222 }
223 if(srep_midp > cert_dele_maxt) {
224 throw Roughtime_Error("Midpoint later than delegation end");
225 }
226 return {cert_dele, cert_sig, srep_midp, srep_radi};
227}
228
229bool Response::validate(const Ed25519_PublicKey& pk) const {
230 const char context[] = "RoughTime v1 delegation signature--";
231 PK_Verifier verifier(pk, "Pure");
232 verifier.update(cast_char_ptr_to_uint8(context), sizeof(context)); //add context including \0
233 verifier.update(m_cert_dele.data(), m_cert_dele.size());
234 return verifier.check_signature(m_cert_sig.data(), m_cert_sig.size());
235}
236
237Nonce nonce_from_blind(const std::vector<uint8_t>& previous_response, const Nonce& blind) {
238 std::array<uint8_t, 64> ret{};
239 const auto blind_arr = blind.get_nonce();
240 auto hash = HashFunction::create_or_throw("SHA-512");
241 hash->update(previous_response);
242 hash->update(hash->final());
243 hash->update(blind_arr.data(), blind_arr.size());
244 hash->final(ret.data());
245
246 return ret;
247}
248
249Chain::Chain(std::string_view str) {
250 std::istringstream ss{std::string(str)}; // FIXME C++23 avoid copy
251 const std::string ERROR_MESSAGE = "Line does not have 4 space separated fields";
252 for(std::string s; std::getline(ss, s);) {
253 size_t start = 0, end = 0;
254 end = s.find(' ', start);
255 if(end == std::string::npos) {
256 throw Decoding_Error(ERROR_MESSAGE);
257 }
258 const auto publicKeyType = s.substr(start, end - start);
259 if(publicKeyType != "ed25519") {
260 throw Not_Implemented("Only ed25519 publicKeyType is implemented");
261 }
262
263 start = end + 1;
264 end = s.find(' ', start);
265 if(end == std::string::npos) {
266 throw Decoding_Error(ERROR_MESSAGE);
267 }
268 const auto serverPublicKey = Ed25519_PublicKey(base64_decode(s.substr(start, end - start)));
269
270 start = end + 1;
271 end = s.find(' ', start);
272 if(end == std::string::npos) {
273 throw Decoding_Error(ERROR_MESSAGE);
274 }
275 if((end - start) != 88) {
276 throw Decoding_Error("Nonce has invalid length");
277 }
278 const auto vec = base64_decode(s.substr(start, end - start));
279 const auto nonceOrBlind = Nonce(vector_to_array<64>(base64_decode(s.substr(start, end - start))));
280
281 start = end + 1;
282 end = s.find(' ', start);
283 if(end != std::string::npos) {
284 throw Decoding_Error(ERROR_MESSAGE);
285 }
286 const auto response = unlock(base64_decode(s.substr(start)));
287
288 m_links.push_back({response, serverPublicKey, nonceOrBlind});
289 }
290}
291
292std::vector<Response> Chain::responses() const {
293 std::vector<Response> responses;
294 for(unsigned i = 0; i < m_links.size(); ++i) {
295 const auto& l = m_links[i];
296 const auto nonce = i ? nonce_from_blind(m_links[i - 1].response(), l.nonce_or_blind()) : l.nonce_or_blind();
297 const auto response = Response::from_bits(l.response(), nonce);
298 if(!response.validate(l.public_key())) {
299 throw Roughtime_Error("Invalid signature or public key");
300 }
301 responses.push_back(response);
302 }
303 return responses;
304}
305
306Nonce Chain::next_nonce(const Nonce& blind) const {
307 return m_links.empty() ? blind : nonce_from_blind(m_links.back().response(), blind);
308}
309
310void Chain::append(const Link& new_link, size_t max_chain_size) {
311 if(max_chain_size <= 0) {
312 throw Invalid_Argument("Max chain size must be positive");
313 }
314
315 while(m_links.size() >= max_chain_size) {
316 if(m_links.size() == 1) {
317 auto new_link_updated = new_link;
318 new_link_updated.nonce_or_blind() =
319 nonce_from_blind(m_links[0].response(), new_link.nonce_or_blind()); //we need to convert blind to nonce
320 m_links.clear();
321 m_links.push_back(new_link_updated);
322 return;
323 }
324 if(m_links.size() >= 2) {
325 m_links[1].nonce_or_blind() =
326 nonce_from_blind(m_links[0].response(), m_links[1].nonce_or_blind()); //we need to convert blind to nonce
327 }
328 m_links.erase(m_links.begin());
329 }
330 m_links.push_back(new_link);
331}
332
333std::string Chain::to_string() const {
334 std::string s;
335 s.reserve((7 + 1 + 88 + 1 + 44 + 1 + 480) * m_links.size());
336 for(const auto& link : m_links) {
337 s += "ed25519";
338 s += ' ';
339 s += base64_encode(link.public_key().get_public_key());
340 s += ' ';
341 s += base64_encode(link.nonce_or_blind().get_nonce().data(), link.nonce_or_blind().get_nonce().size());
342 s += ' ';
343 s += base64_encode(link.response());
344 s += '\n';
345 }
346 return s;
347}
348
349std::vector<uint8_t> online_request(std::string_view uri, const Nonce& nonce, std::chrono::milliseconds timeout) {
350 const std::chrono::system_clock::time_point start_time = std::chrono::system_clock::now();
351 auto socket = OS::open_socket_udp(uri, timeout);
352 if(!socket) {
353 throw Not_Implemented("No socket support enabled in build");
354 }
355
356 const auto encoded = encode_request(nonce);
357 socket->write(encoded.data(), encoded.size());
358
359 if(std::chrono::system_clock::now() - start_time > timeout) {
360 throw System_Error("Timeout during socket write");
361 }
362
363 std::vector<uint8_t> buffer;
364 buffer.resize(360 + 64 * 10 + 1); //response basic size is 360 bytes + 64 bytes for each level of merkle tree
365 //add one additional byte to be able to differentiate if datagram got truncated
366 const auto n = socket->read(buffer.data(), buffer.size());
367
368 if(!n || std::chrono::system_clock::now() - start_time > timeout) {
369 throw System_Error("Timeout waiting for response");
370 }
371
372 if(n == buffer.size()) {
373 throw System_Error("Buffer too small");
374 }
375
376 buffer.resize(n);
377 return buffer;
378}
379
380std::vector<Server_Information> servers_from_str(std::string_view str) {
381 std::vector<Server_Information> servers;
382 std::istringstream ss{std::string(str)}; // FIXME C++23 avoid copy
383
384 const std::string ERROR_MESSAGE = "Line does not have at least 5 space separated fields";
385 for(std::string s; std::getline(ss, s);) {
386 size_t start = 0, end = 0;
387 end = s.find(' ', start);
388 if(end == std::string::npos) {
389 throw Decoding_Error(ERROR_MESSAGE);
390 }
391 const auto name = s.substr(start, end - start);
392
393 start = end + 1;
394 end = s.find(' ', start);
395 if(end == std::string::npos) {
396 throw Decoding_Error(ERROR_MESSAGE);
397 }
398 const auto publicKeyType = s.substr(start, end - start);
399 if(publicKeyType != "ed25519") {
400 throw Not_Implemented("Only ed25519 publicKeyType is implemented");
401 }
402
403 start = end + 1;
404 end = s.find(' ', start);
405
406 if(end == std::string::npos) {
407 throw Decoding_Error(ERROR_MESSAGE);
408 }
409 const auto publicKeyBase64 = s.substr(start, end - start);
410 const auto publicKey = Ed25519_PublicKey(base64_decode(publicKeyBase64));
411
412 start = end + 1;
413 end = s.find(' ', start);
414 if(end == std::string::npos) {
415 throw Decoding_Error(ERROR_MESSAGE);
416 }
417 const auto protocol = s.substr(start, end - start);
418 if(protocol != "udp") {
419 throw Not_Implemented("Only UDP protocol is implemented");
420 }
421
422 const auto addresses = [&]() {
423 std::vector<std::string> addr;
424 for(;;) {
425 start = end + 1;
426 end = s.find(' ', start);
427 const auto address = s.substr(start, (end == std::string::npos) ? std::string::npos : end - start);
428 if(address.empty()) {
429 return addr;
430 }
431 addr.push_back(address);
432 if(end == std::string::npos) {
433 return addr;
434 }
435 }
436 }();
437 if(addresses.empty()) {
438 throw Decoding_Error(ERROR_MESSAGE);
439 }
440
441 servers.push_back({name, publicKey, addresses});
442 }
443 return servers;
444}
445
446} // namespace Roughtime
447
448} // namespace Botan
Botan::Decoding_Error
Definition exceptn.h:191
Botan::Ed25519_PublicKey
Definition ed25519.h:18
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
Botan::Invalid_Argument
Definition exceptn.h:131
Botan::Not_Implemented
Definition exceptn.h:334
Botan::PK_Verifier
Definition pubkey.h:272
Botan::PK_Verifier::update
void update(uint8_t in)
Definition pubkey.h:334
Botan::PK_Verifier::check_signature
bool check_signature(const uint8_t sig[], size_t length)
Definition pubkey.cpp:416
Botan::RandomNumberGenerator::randomize
void randomize(std::span< uint8_t > output)
Definition rng.h:53
Botan::Roughtime::Chain::append
void append(const Link &new_link, size_t max_chain_size)
Definition roughtime.cpp:310
Botan::Roughtime::Chain::to_string
std::string to_string() const
Definition roughtime.cpp:333
Botan::Roughtime::Chain::next_nonce
Nonce next_nonce(const Nonce &blind) const
Definition roughtime.cpp:306
Botan::Roughtime::Chain::responses
std::vector< Response > responses() const
Definition roughtime.cpp:292
Botan::Roughtime::Nonce::get_nonce
const std::array< uint8_t, 64 > & get_nonce() const
Definition roughtime.h:42
Botan::Roughtime::Response::sys_microseconds64
std::chrono::time_point< std::chrono::system_clock, microseconds64 > sys_microseconds64
Definition roughtime.h:61
Botan::Roughtime::Response::from_bits
static Response from_bits(const std::vector< uint8_t > &response, const Nonce &nonce)
Definition roughtime.cpp:175
Botan::Roughtime::Response::validate
bool validate(const Ed25519_PublicKey &pk) const
Definition roughtime.cpp:229
Botan::Roughtime::Roughtime_Error
Definition roughtime.h:25
Botan::System_Error
Definition exceptn.h:304
name
std::string name
Definition commoncrypto_hash.cpp:24
T
FE_25519 T
Definition ge.cpp:34
Botan::OS::open_socket_udp
std::unique_ptr< SocketUDP > BOTAN_TEST_API open_socket_udp(std::string_view hostname, std::string_view service, std::chrono::microseconds timeout)
Definition socket_udp.cpp:318
Botan::Roughtime::servers_from_str
std::vector< Server_Information > servers_from_str(std::string_view str)
Definition roughtime.cpp:380
Botan::Roughtime::online_request
std::vector< uint8_t > online_request(std::string_view uri, const Nonce &nonce, std::chrono::milliseconds timeout)
Definition roughtime.cpp:349
Botan::Roughtime::nonce_from_blind
Nonce nonce_from_blind(const std::vector< uint8_t > &previous_response, const Nonce &blind)
Definition roughtime.cpp:237
Botan::Roughtime::encode_request
std::array< uint8_t, request_min_size > encode_request(const Nonce &nonce)
Definition roughtime.cpp:168
Botan::Roughtime::request_min_size
const unsigned request_min_size
Definition roughtime.h:23
Botan::verify_signature
bool verify_signature(std::span< const uint8_t, ED448_LEN > pk, bool phflag, std::span< const uint8_t > context, std::span< const uint8_t > sig, std::span< const uint8_t > msg)
Verify a signature(RFC 8032 5.2.7)
Definition ed448_internal.cpp:283
Botan::typecast_copy
constexpr void typecast_copy(ToR &&out, FromR &&in)
Definition mem_ops.h:178
Botan::base64_encode
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition base64.cpp:160
Botan::base64_decode
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition base64.cpp:168
Botan::unlock
std::vector< T > unlock(const secure_vector< T > &in)
Definition secmem.h:75
Botan::cast_uint8_ptr_to_char
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition mem_ops.h:277
Botan::cast_char_ptr_to_uint8
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition mem_ops.h:273
Generated by doxygen 1.12.0