Botan 3.0.0
Crypto and TLS for C&
roughtime.cpp
Go to the documentation of this file.
1/*
2* Roughtime
3* (C) 2019 Nuno Goncalves <nunojpg@gmail.com>
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/roughtime.h>
9
10#include <botan/base64.h>
11#include <botan/hash.h>
12#include <botan/internal/socket_udp.h>
13#include <botan/pubkey.h>
14#include <botan/rng.h>
15
16#include <cmath>
17#include <map>
18#include <sstream>
19
20namespace Botan {
21
22namespace {
23
24// This exists to work around a LGTM false positive
25static_assert(Roughtime::request_min_size == 1024, "Expected minimum size");
26
27template< bool B, class T = void >
28using enable_if_t = typename std::enable_if<B,T>::type;
29
30template<class T>
31struct is_array : std::false_type {};
32
33template<class T, std::size_t N>
34struct is_array<std::array<T,N>>:std::true_type{};
35
36template<typename T>
37T impl_from_little_endian(const uint8_t* t, const size_t i)
38 {
39 static_assert(sizeof(T) <= sizeof(int64_t));
40 return T(static_cast<int64_t>(t[i]) << i * 8) + (i == 0 ? T(0) : impl_from_little_endian<T>(t, i - 1));
41 }
42
43template<typename T>
44T from_little_endian(const uint8_t* t)
45 {
46 return impl_from_little_endian<T>(t, sizeof(T) - 1);
47 }
48
49template<typename T, enable_if_t<is_array<T>::value>* = nullptr>
50T copy(const uint8_t* t)
51 {
52 return typecast_copy<T>(t); //arrays are endianess indepedent, so we do a memcpy
53 }
54
55template<typename T, enable_if_t<!is_array<T>::value>* = nullptr>
56T copy(const uint8_t* t)
57 {
58 return from_little_endian<T>(t); //other types are arithmetic, so we account that roughtime serializes as little endian
59 }
60
61template<typename T>
62std::map<std::string, std::vector<uint8_t>> unpack_roughtime_packet(T bytes)
63 {
64 if(bytes.size() < 8)
65 { throw Roughtime::Roughtime_Error("Map length is under minimum of 8 bytes"); }
66 const auto buf = bytes.data();
67 const uint32_t num_tags = buf[0];
68 const uint32_t start_content = num_tags * 8;
69 if(start_content > bytes.size())
70 { throw Roughtime::Roughtime_Error("Map length too small to contain all tags"); }
71 uint32_t start = start_content;
72 std::map<std::string, std::vector<uint8_t>> tags;
73 for(uint32_t i=0; i<num_tags; ++i)
74 {
75 const size_t end = ((i+1) == num_tags) ? bytes.size() : start_content + from_little_endian<uint32_t>(buf + 4 + i*4);
76 if(end > bytes.size())
77 { throw Roughtime::Roughtime_Error("Tag end index out of bounds"); }
78 if(end < start)
79 { throw Roughtime::Roughtime_Error("Tag offset must be more than previous tag offset"); }
80 const char* label_ptr = cast_uint8_ptr_to_char(buf) + (num_tags+i)*4;
81 const char label[] = {label_ptr[0], label_ptr[1], label_ptr[2], label_ptr[3], 0};
82 auto ret = tags.emplace(label, std::vector<uint8_t>(buf+start, buf+end));
83 if(!ret.second)
84 { throw Roughtime::Roughtime_Error(std::string("Map has duplicated tag: ") + label); }
85 start = static_cast<uint32_t>(end);
86 }
87 return tags;
88 }
89
90template<typename T>
91T get(const std::map<std::string, std::vector<uint8_t>>& map, const std::string& label)
92 {
93 const auto& tag = map.find(label);
94 if(tag == map.end())
95 { throw Roughtime::Roughtime_Error("Tag " + label + " not found"); }
96 if(tag->second.size() != sizeof(T))
97 { throw Roughtime::Roughtime_Error("Tag " + label + " has unexpected size"); }
98 return copy<T>(tag->second.data());
99 }
100
101const std::vector<uint8_t>& get_v(const std::map<std::string, std::vector<uint8_t>>& map, const std::string& label)
102 {
103 const auto& tag = map.find(label);
104 if(tag == map.end())
105 { throw Roughtime::Roughtime_Error("Tag " + label + " not found"); }
106 return tag->second;
107 }
108
109bool verify_signature(const std::array<uint8_t, 32>& pk, const std::vector<uint8_t>& payload,
110 const std::array<uint8_t, 64>& signature)
111 {
112 const char context[] = "RoughTime v1 response signature";
113 Ed25519_PublicKey key(std::vector<uint8_t>(pk.data(), pk.data()+pk.size()));
114 PK_Verifier verifier(key, "Pure");
115 verifier.update(cast_char_ptr_to_uint8(context), sizeof(context)); //add context including \0
116 verifier.update(payload);
117 return verifier.check_signature(signature.data(), signature.size());
118 }
119
120std::array<uint8_t, 64> hashLeaf(const std::array<uint8_t, 64>& leaf)
121 {
122 std::array<uint8_t, 64> ret{};
123 auto hash = HashFunction::create_or_throw("SHA-512");
124 hash->update(0);
125 hash->update(leaf.data(), leaf.size());
126 hash->final(ret.data());
127 return ret;
128 }
129
130void hashNode(std::array<uint8_t, 64>& hash, const std::array<uint8_t, 64>& node, bool reverse)
131 {
132 auto h = HashFunction::create_or_throw("SHA-512");
133 h->update(1);
134 if(reverse)
135 {
136 h->update(node.data(), node.size());
137 h->update(hash.data(), hash.size());
138 }
139 else
140 {
141 h->update(hash.data(), hash.size());
142 h->update(node.data(), node.size());
143 }
144 h->final(hash.data());
145 }
146
147template<size_t N, typename T>
148std::array<uint8_t, N> vector_to_array(std::vector<uint8_t,T> vec)
149 {
150 if(vec.size() != N)
151 { throw std::logic_error("Invalid vector size"); }
152 return typecast_copy<std::array<uint8_t, N>>(vec.data());
153 }
154}
155
156namespace Roughtime {
157
158Nonce::Nonce(const std::vector<uint8_t>& nonce)
159 {
160 if(nonce.size() != 64)
161 { throw Invalid_Argument("Roughtime nonce must be 64 bytes long"); }
162 m_nonce = typecast_copy<std::array<uint8_t, 64>>(nonce.data());
163 }
164
165Nonce::Nonce(RandomNumberGenerator& rng)
166 {
167 rng.randomize(m_nonce.data(), m_nonce.size());
168 }
169
170std::array<uint8_t, request_min_size> encode_request(const Nonce& nonce)
171 {
172 std::array<uint8_t, request_min_size> buf = {{2, 0, 0, 0, 64, 0, 0, 0, 'N', 'O', 'N', 'C', 'P', 'A', 'D', 0xff}};
173 std::memcpy(buf.data() + 16, nonce.get_nonce().data(), nonce.get_nonce().size());
174 std::memset(buf.data() + 16 + nonce.get_nonce().size(), 0, buf.size() - 16 - nonce.get_nonce().size());
175 return buf;
176 }
177
178Response Response::from_bits(const std::vector<uint8_t>& response,
179 const Nonce& nonce)
180 {
181 const auto response_v = unpack_roughtime_packet(response);
182 const auto cert = unpack_roughtime_packet(get_v(response_v, "CERT"));
183 const auto cert_dele = get<std::array<uint8_t, 72>>(cert, "DELE");
184 const auto cert_sig = get<std::array<uint8_t, 64>>(cert, "SIG");
185 const auto cert_dele_v = unpack_roughtime_packet(cert_dele);
186 const auto srep = get_v(response_v, "SREP");
187 const auto srep_v = unpack_roughtime_packet(srep);
188
189 const auto cert_dele_pubk = get<std::array<uint8_t, 32>>(cert_dele_v, "PUBK");
190 const auto sig = get<std::array<uint8_t, 64>>(response_v, "SIG");
191 if(!verify_signature(cert_dele_pubk, srep, sig))
192 { throw Roughtime_Error("Response signature invalid"); }
193
194 const auto indx = get<uint32_t>(response_v, "INDX");
195 const auto path = get_v(response_v, "PATH");
196 const auto srep_root = get<std::array<uint8_t, 64>>(srep_v, "ROOT");
197 const size_t size = path.size();
198 const size_t levels = size / 64;
199
200 if(size % 64)
201 { throw Roughtime_Error("Merkle tree path size must be multiple of 64 bytes"); }
202 if(indx >= (1U << levels))
203 { throw Roughtime_Error("Merkle tree path is too short"); }
204
205 auto hash = hashLeaf(nonce.get_nonce());
206 auto index = indx;
207 size_t level = 0;
208 while(level < levels)
209 {
210 hashNode(hash, typecast_copy<std::array<uint8_t, 64>>(path.data() + level*64), index&1);
211 ++level;
212 index>>=1;
213 }
214
215 if(srep_root != hash)
216 { throw Roughtime_Error("Nonce verification failed"); }
217
218 const auto cert_dele_maxt = sys_microseconds64(get<microseconds64>(cert_dele_v, "MAXT"));
219 const auto cert_dele_mint = sys_microseconds64(get<microseconds64>(cert_dele_v, "MINT"));
220 const auto srep_midp = sys_microseconds64(get<microseconds64>(srep_v, "MIDP"));
221 const auto srep_radi = get<microseconds32>(srep_v, "RADI");
222 if(srep_midp < cert_dele_mint)
223 { throw Roughtime_Error("Midpoint earlier than delegation start"); }
224 if(srep_midp > cert_dele_maxt)
225 { throw Roughtime_Error("Midpoint later than delegation end"); }
226 return {cert_dele, cert_sig, srep_midp, srep_radi};
227 }
228
229bool Response::validate(const Ed25519_PublicKey& pk) const
230 {
231 const char context[] = "RoughTime v1 delegation signature--";
232 PK_Verifier verifier(pk, "Pure");
233 verifier.update(cast_char_ptr_to_uint8(context), sizeof(context)); //add context including \0
234 verifier.update(m_cert_dele.data(), m_cert_dele.size());
235 return verifier.check_signature(m_cert_sig.data(), m_cert_sig.size());
236 }
237
238Nonce nonce_from_blind(const std::vector<uint8_t>& previous_response,
239 const Nonce& blind)
240 {
241 std::array<uint8_t, 64> ret{};
242 const auto blind_arr = blind.get_nonce();
243 auto hash = HashFunction::create_or_throw("SHA-512");
244 hash->update(previous_response);
245 hash->update(hash->final());
246 hash->update(blind_arr.data(), blind_arr.size());
247 hash->final(ret.data());
248
249 return ret;
250 }
251
252Chain::Chain(std::string_view str)
253 {
254 std::istringstream ss{std::string(str)}; // FIXME C++23 avoid copy
255 const std::string ERROR_MESSAGE = "Line does not have 4 space separated fields";
256 for(std::string s; std::getline(ss, s);)
257 {
258 size_t start = 0, end = 0;
259 end = s.find(' ', start);
260 if(end == std::string::npos)
261 {
262 throw Decoding_Error(ERROR_MESSAGE);
263 }
264 const auto publicKeyType = s.substr(start, end-start);
265 if(publicKeyType != "ed25519")
266 { throw Not_Implemented("Only ed25519 publicKeyType is implemented"); }
267
268 start = end + 1;
269 end = s.find(' ', start);
270 if(end == std::string::npos)
271 {
272 throw Decoding_Error(ERROR_MESSAGE);
273 }
274 const auto serverPublicKey = Ed25519_PublicKey(base64_decode(s.substr(start, end-start)));
275
276 start = end + 1;
277 end = s.find(' ', start);
278 if(end == std::string::npos)
279 {
280 throw Decoding_Error(ERROR_MESSAGE);
281 }
282 if((end - start) != 88)
283 {
284 throw Decoding_Error("Nonce has invalid length");
285 }
286 const auto vec = base64_decode(s.substr(start, end-start));
287 const auto nonceOrBlind = Nonce(vector_to_array<64>(base64_decode(s.substr(start, end-start))));
288
289 start = end + 1;
290 end = s.find(' ', start);
291 if(end != std::string::npos)
292 {
293 throw Decoding_Error(ERROR_MESSAGE);
294 }
295 const auto response = unlock(base64_decode(s.substr(start)));
296
297 m_links.push_back({response, serverPublicKey, nonceOrBlind});
298 }
299 }
300std::vector<Response> Chain::responses() const
301 {
302 std::vector<Response> responses;
303 for(unsigned i = 0; i < m_links.size(); ++i)
304 {
305 const auto& l = m_links[i];
306 const auto nonce = i ? nonce_from_blind(m_links[i-1].response(), l.nonce_or_blind()) : l.nonce_or_blind();
307 const auto response = Response::from_bits(l.response(), nonce);
308 if(!response.validate(l.public_key()))
309 { throw Roughtime_Error("Invalid signature or public key"); }
310 responses.push_back(response);
311 }
312 return responses;
313 }
314Nonce Chain::next_nonce(const Nonce& blind) const
315 {
316 return m_links.empty()
317 ? blind
318 : nonce_from_blind(m_links.back().response(), blind);
319 }
320void Chain::append(const Link& new_link, size_t max_chain_size)
321 {
322 if(max_chain_size <= 0)
323 { throw Invalid_Argument("Max chain size must be positive"); }
324
325 while(m_links.size() >= max_chain_size)
326 {
327 if(m_links.size() == 1)
328 {
329 auto new_link_updated = new_link;
330 new_link_updated.nonce_or_blind() =
331 nonce_from_blind(m_links[0].response(), new_link.nonce_or_blind()); //we need to convert blind to nonce
332 m_links.clear();
333 m_links.push_back(new_link_updated);
334 return;
335 }
336 if(m_links.size() >= 2)
337 {
338 m_links[1].nonce_or_blind() =
339 nonce_from_blind(m_links[0].response(), m_links[1].nonce_or_blind()); //we need to convert blind to nonce
340 }
341 m_links.erase(m_links.begin());
342 }
343 m_links.push_back(new_link);
344 }
345
346std::string Chain::to_string() const
347 {
348 std::string s;
349 s.reserve((7+1 + 88+1 + 44+1 + 480)*m_links.size());
350 for(const auto& link : m_links)
351 {
352 s += "ed25519";
353 s += ' ';
354 s += base64_encode(link.public_key().get_public_key());
355 s += ' ';
356 s += base64_encode(link.nonce_or_blind().get_nonce().data(), link.nonce_or_blind().get_nonce().size());
357 s += ' ';
358 s += base64_encode(link.response());
359 s += '\n';
360 }
361 return s;
362 }
363
364std::vector<uint8_t> online_request(std::string_view uri,
365 const Nonce& nonce,
366 std::chrono::milliseconds timeout)
367 {
368 const std::chrono::system_clock::time_point start_time = std::chrono::system_clock::now();
369 auto socket = OS::open_socket_udp(uri, timeout);
370 if(!socket)
371 { throw Not_Implemented("No socket support enabled in build"); }
372
373 const auto encoded = encode_request(nonce);
374 socket->write(encoded.data(), encoded.size());
375
376 if(std::chrono::system_clock::now() - start_time > timeout)
377 { throw System_Error("Timeout during socket write"); }
378
379 std::vector<uint8_t> buffer;
380 buffer.resize(360+64*10+1); //response basic size is 360 bytes + 64 bytes for each level of merkle tree
381 //add one additional byte to be able to differentiate if datagram got truncated
382 const auto n = socket->read(buffer.data(), buffer.size());
383
384 if(!n || std::chrono::system_clock::now() - start_time > timeout)
385 { throw System_Error("Timeout waiting for response"); }
386
387 if(n == buffer.size())
388 { throw System_Error("Buffer too small"); }
389
390 buffer.resize(n);
391 return buffer;
392 }
393
394std::vector<Server_Information> servers_from_str(std::string_view str)
395 {
396 std::vector<Server_Information> servers;
397 std::istringstream ss{std::string(str)}; // FIXME C++23 avoid copy
398
399 const std::string ERROR_MESSAGE = "Line does not have at least 5 space separated fields";
400 for(std::string s; std::getline(ss, s);)
401 {
402 size_t start = 0, end = 0;
403 end = s.find(' ', start);
404 if(end == std::string::npos)
405 {
406 throw Decoding_Error(ERROR_MESSAGE);
407 }
408 const auto name = s.substr(start, end-start);
409
410 start = end + 1;
411 end = s.find(' ', start);
412 if(end == std::string::npos)
413 {
414 throw Decoding_Error(ERROR_MESSAGE);
415 }
416 const auto publicKeyType = s.substr(start, end-start);
417 if(publicKeyType != "ed25519")
418 { throw Not_Implemented("Only ed25519 publicKeyType is implemented"); }
419
420 start = end + 1;
421 end = s.find(' ', start);
422
423 if(end == std::string::npos)
424 {
425 throw Decoding_Error(ERROR_MESSAGE);
426 }
427 const auto publicKeyBase64 = s.substr(start, end-start);
428 const auto publicKey = Ed25519_PublicKey(base64_decode(publicKeyBase64));
429
430 start = end + 1;
431 end = s.find(' ', start);
432 if(end == std::string::npos)
433 {
434 throw Decoding_Error(ERROR_MESSAGE);
435 }
436 const auto protocol = s.substr(start, end-start);
437 if(protocol != "udp")
438 { throw Not_Implemented("Only UDP protocol is implemented"); }
439
440 const auto addresses = [&]()
441 {
442 std::vector<std::string> addr;
443 for(;;)
444 {
445 start = end + 1;
446 end = s.find(' ', start);
447 const auto address = s.substr(start, (end == std::string::npos) ? std::string::npos : end-start);
448 if(address.empty())
449 { return addr; }
450 addr.push_back(address);
451 if(end == std::string::npos)
452 { return addr; }
453 }
454 }
455 ();
456 if(addresses.empty())
457 {
458 throw Decoding_Error(ERROR_MESSAGE);
459 }
460
461 servers.push_back({name, publicKey, addresses});
462 }
463 return servers;
464 }
465
466}
467
468}
Botan::Decoding_Error
Definition: exceptn.h:197
Botan::Ed25519_PublicKey
Definition: ed25519.h:19
Botan::HashFunction::create_or_throw
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition: hash.cpp:320
Botan::Invalid_Argument
Definition: exceptn.h:133
Botan::Not_Implemented
Definition: exceptn.h:353
Botan::PK_Verifier
Definition: pubkey.h:296
Botan::PK_Verifier::update
void update(uint8_t in)
Definition: pubkey.h:360
Botan::PK_Verifier::check_signature
bool check_signature(const uint8_t sig[], size_t length)
Definition: pubkey.cpp:434
Botan::RandomNumberGenerator::randomize
void randomize(std::span< uint8_t > output)
Definition: rng.h:53
Botan::Roughtime::Chain::append
void append(const Link &new_link, size_t max_chain_size)
Definition: roughtime.cpp:320
Botan::Roughtime::Chain::to_string
std::string to_string() const
Definition: roughtime.cpp:346
Botan::Roughtime::Chain::next_nonce
Nonce next_nonce(const Nonce &blind) const
Definition: roughtime.cpp:314
Botan::Roughtime::Chain::responses
std::vector< Response > responses() const
Definition: roughtime.cpp:300
Botan::Roughtime::Nonce::get_nonce
const std::array< uint8_t, 64 > & get_nonce() const
Definition: roughtime.h:43
Botan::Roughtime::Response::sys_microseconds64
std::chrono::time_point< std::chrono::system_clock, microseconds64 > sys_microseconds64
Definition: roughtime.h:63
Botan::Roughtime::Response::from_bits
static Response from_bits(const std::vector< uint8_t > &response, const Nonce &nonce)
Definition: roughtime.cpp:178
Botan::Roughtime::Response::validate
bool validate(const Ed25519_PublicKey &pk) const
Definition: roughtime.cpp:229
Botan::Roughtime::Roughtime_Error
Definition: roughtime.h:26
Botan::System_Error
Definition: exceptn.h:321
name
std::string name
Definition: commoncrypto_hash.cpp:24
T
FE_25519 T
Definition: ge.cpp:36
Botan::OS::open_socket_udp
std::unique_ptr< SocketUDP > BOTAN_TEST_API open_socket_udp(std::string_view hostname, std::string_view service, std::chrono::microseconds timeout)
Definition: socket_udp.cpp:328
Botan::Roughtime::servers_from_str
std::vector< Server_Information > servers_from_str(std::string_view str)
Definition: roughtime.cpp:394
Botan::Roughtime::online_request
std::vector< uint8_t > online_request(std::string_view uri, const Nonce &nonce, std::chrono::milliseconds timeout)
Definition: roughtime.cpp:364
Botan::Roughtime::nonce_from_blind
Nonce nonce_from_blind(const std::vector< uint8_t > &previous_response, const Nonce &blind)
Definition: roughtime.cpp:238
Botan::Roughtime::encode_request
std::array< uint8_t, request_min_size > encode_request(const Nonce &nonce)
Definition: roughtime.cpp:170
Botan::Roughtime::request_min_size
const unsigned request_min_size
Definition: roughtime.h:23
Botan
Definition: alg_id.cpp:12
Botan::base64_encode
size_t base64_encode(char out[], const uint8_t in[], size_t input_length, size_t &input_consumed, bool final_inputs)
Definition: base64.cpp:178
Botan::base64_decode
size_t base64_decode(uint8_t out[], const char in[], size_t input_length, size_t &input_consumed, bool final_inputs, bool ignore_ws)
Definition: base64.cpp:193
Botan::unlock
std::vector< T > unlock(const secure_vector< T > &in)
Definition: secmem.h:77
Botan::cast_uint8_ptr_to_char
const char * cast_uint8_ptr_to_char(const uint8_t *b)
Definition: mem_ops.h:188
Botan::typecast_copy
constexpr void typecast_copy(T &out, const uint8_t in[])
Definition: mem_ops.h:155
Botan::cast_char_ptr_to_uint8
const uint8_t * cast_char_ptr_to_uint8(const char *s)
Definition: mem_ops.h:183
std
Definition: bigint.h:1092
Generated by doxygen 1.9.6