diff --git a/Sources/BSSpeke/bsspeke.c b/Sources/BSSpeke/bsspeke.c index d9acc0bf90acd6837de866959fe2d81dfd81c927..06d895f41399960f1a26cac396fee3671c17ffbf 100644 --- a/Sources/BSSpeke/bsspeke.c +++ b/Sources/BSSpeke/bsspeke.c @@ -23,17 +23,21 @@ #include <string.h> #include "minimonocypher.h" -#include "bsspeke.h" +#include "include/bsspeke.h" -typedef enum { - DEBUG, - INFO, - WARN, - ERROR, - FATAL -} debug_level_t; -debug_level_t curr_level = DEBUG; +enum debug_level { + LOG_DEBUG, + LOG_INFO, + LOG_WARN, + LOG_ERROR, + LOG_FATAL +}; +typedef enum debug_level debug_level_t; + +//typedef int debug_level_t; + +debug_level_t curr_level = LOG_DEBUG; void debug(debug_level_t level, const char *msg @@ -123,7 +127,7 @@ bsspeke_client_generate_blind uint8_t blind[32], bsspeke_client_ctx *client ) { - debug(DEBUG, "Hashing client's password"); + debug(LOG_DEBUG, "Hashing client's password"); // 1. Hash the client's password, client_id, server_id to a point on the curve uint8_t scalar_hash[32]; uint8_t curve_point[32]; @@ -144,7 +148,7 @@ bsspeke_client_generate_blind // Write the digest value into `scalar_hash` crypto_blake2b_final(&hash_ctx, scalar_hash); } - debug(DEBUG, "Mapping password hash onto the curve"); + debug(LOG_DEBUG, "Mapping password hash onto the curve"); // Now use Elligator to map our scalar hash to a point on the curve crypto_hidden_to_curve(curve_point, scalar_hash); @@ -155,19 +159,19 @@ bsspeke_client_generate_blind // That way we know it will always lead us back to a point on the curve // * Then use the inverse of 1/r as `r` // FIXME: On second thought, monocypher seems to handle all of this complexity for us. Let's see what happens if we just do things the straightforward way for now... - debug(DEBUG, "Generating random blind `r`"); + debug(LOG_DEBUG, "Generating random blind `r`"); //arc4random_buf(client->r, 32); generate_random_bytes(client->r, 32); print_point("r", client->r); - debug(DEBUG, "Clamping r"); + debug(LOG_DEBUG, "Clamping r"); crypto_x25519_clamp(client->r); print_point("r", client->r); - debug(DEBUG, "Multiplying curve point by r"); + debug(LOG_DEBUG, "Multiplying curve point by r"); // 3. Multiply our curve point by r crypto_x25519_scalarmult(blind, client->r, curve_point, 256); print_point("blind", blind); - debug(DEBUG, "Done"); + debug(LOG_DEBUG, "Done"); return; } @@ -185,14 +189,14 @@ bsspeke_server_blind_salt // We MUST do this before calling the function!!! // We're setting up a new account // So we have to create a new random salt for the user - debug(DEBUG, "Generating new salt"); + debug(LOG_DEBUG, "Generating new salt"); salt_len = 32; generate_random_bytes(user_info->salt, user_info->salt_len); */ print_point("salt", salt); // Hash the salt - debug(DEBUG, "Hashing the salt"); + debug(LOG_DEBUG, "Hashing the salt"); uint8_t H_salt[32]; crypto_blake2b_general(H_salt, 32, NULL, 0, @@ -202,7 +206,7 @@ bsspeke_server_blind_salt crypto_x25519_clamp(H_salt); print_point("H_salt", H_salt); // Multiply H(salt) by blind, save into blind_salt - debug(DEBUG, "Multiplying H_salt by the user's blind"); + debug(LOG_DEBUG, "Multiplying H_salt by the user's blind"); crypto_x25519_scalarmult(blind_salt, H_salt, blind, 256); print_point("blndsalt", blind_salt); } @@ -212,17 +216,17 @@ bsspeke_server_generate_B(const uint8_t P[32], bsspeke_server_ctx *server) { // Generate random ephemeral private key b, save it in server->b - debug(DEBUG, "Generating ephemeral private key b"); + debug(LOG_DEBUG, "Generating ephemeral private key b"); //arc4random_buf(server->b, 32); generate_random_bytes(server->b, 32); crypto_x25519_clamp(server->b); print_point("b", server->b); - debug(DEBUG, "Using user's base point P"); + debug(LOG_DEBUG, "Using user's base point P"); print_point("P", P); // Compute public key B = b * P, save it in msg2->B - debug(DEBUG, "Computing ephemeral public key B = b * P"); + debug(LOG_DEBUG, "Computing ephemeral public key B = b * P"); crypto_x25519_scalarmult(server->B, server->b, P, 256); print_point("B", server->B); @@ -235,23 +239,23 @@ bsspeke_client_generate_keys_from_password(const uint8_t blind_salt[32], { // Sanity checks first, before we do any work if( phf_blocks < BSSPEKE_ARGON2_MIN_PHF_BLOCKS ) { - debug(ERROR, "Requested PHF blocks below the minimum"); + debug(LOG_ERROR, "Requested PHF blocks below the minimum"); return -1; } if( phf_iterations < BSSPEKE_ARGON2_MIN_PHF_ITERATIONS ) { - debug(ERROR, "Requested PHF iterations below the minimum"); + debug(LOG_ERROR, "Requested PHF iterations below the minimum"); return -1; } uint8_t oblivious_salt[32]; // Multiply the blinded salt by 1/r to get the oblivious salt // Here we rely on Monocypher to do the heavy lifting for us - debug(DEBUG, "Removing the blind from the oblivious salt"); + debug(LOG_DEBUG, "Removing the blind from the oblivious salt"); crypto_x25519_inverse(oblivious_salt, client->r, blind_salt); print_point("obv_salt", oblivious_salt); // Hash the oblivious salt together with the id's to create the salt for the PHF - debug(DEBUG, "Creating the salt for the PHF"); + debug(LOG_DEBUG, "Creating the salt for the PHF"); uint8_t phf_salt[32]; { crypto_blake2b_ctx hash_ctx; @@ -267,7 +271,7 @@ bsspeke_client_generate_keys_from_password(const uint8_t blind_salt[32], } print_point("phf_salt", phf_salt); - debug(DEBUG, "Running the PHF to generate p and v"); + debug(LOG_DEBUG, "Running the PHF to generate p and v"); uint8_t password_hash[64]; void *work_area; if ((work_area = malloc(phf_blocks * 1024)) == NULL) { @@ -309,18 +313,18 @@ bsspeke_client_generate_P_and_V phf_blocks, phf_iterations, client); if( rc != 0 ) { - debug(ERROR, "Password hashing function failed"); + debug(LOG_ERROR, "Password hashing function failed"); return -1; } // Hash p onto the curve to get this user's base point P //uint8_t P[32]; - debug(DEBUG, "Hashing p onto the curve to get P"); + debug(LOG_DEBUG, "Hashing p onto the curve to get P"); crypto_hidden_to_curve(P, client->p); print_point("P", P); // Generate our long-term public key V = v * P - debug(DEBUG, "V = v * P"); + debug(LOG_DEBUG, "V = v * P"); crypto_x25519_scalarmult(V, client->v, P, 256); print_point("V", V); @@ -337,24 +341,24 @@ bsspeke_client_generate_A(const uint8_t blind_salt[32], phf_blocks, phf_iterations, client); if( rc != 0 ) { - debug(ERROR, "Password hashing failed"); + debug(LOG_ERROR, "Password hashing failed"); return -1; } // Hash p onto the curve to get this user's base point P uint8_t P[32]; - debug(DEBUG, "Hashing p onto the curve to get P"); + debug(LOG_DEBUG, "Hashing p onto the curve to get P"); crypto_hidden_to_curve(P, client->p); print_point("P", P); // Generate a random ephemeral private key a, store it in ctx->a - debug(DEBUG, "Generating ephemeral private key a"); + debug(LOG_DEBUG, "Generating ephemeral private key a"); //arc4random_buf(client->a, 32); generate_random_bytes(client->a, 32); crypto_x25519_clamp(client->a); print_point("a", client->a); // Generate the ephemeral public key A = a * P, store it in msg3->A - debug(DEBUG, "Generating ephemeral public key A = a * P"); + debug(LOG_DEBUG, "Generating ephemeral public key A = a * P"); crypto_x25519_scalarmult(client->A, client->a, P, 256); print_point("A", client->A); @@ -366,7 +370,7 @@ bsspeke_client_derive_shared_key(const uint8_t B[32], bsspeke_client_ctx *client) { // Compute the two Diffie-Hellman shared secrets - debug(DEBUG, "Computing Diffie-Hellman shared secrets"); + debug(LOG_DEBUG, "Computing Diffie-Hellman shared secrets"); // DH shared secret from a * B uint8_t a_B[32]; crypto_x25519(a_B, client->a, B); @@ -377,7 +381,7 @@ bsspeke_client_derive_shared_key(const uint8_t B[32], print_point("v * B", v_B); // Hash everything we know so far to generate our key, save it in ctx->K_c - debug(DEBUG, "Hashing current state to get key K_c"); + debug(LOG_DEBUG, "Hashing current state to get key K_c"); { crypto_blake2b_ctx hash_ctx; crypto_blake2b_general_init(&hash_ctx, 32, NULL, 0); @@ -401,7 +405,7 @@ bsspeke_client_generate_verifier(uint8_t client_verifier[32], bsspeke_client_ctx *client) { // Hash k and the client modifier to get our verifier, save it in msg3->client_verifier - debug(DEBUG, "Hashing K_c and modifier to get our verifier"); + debug(LOG_DEBUG, "Hashing K_c and modifier to get our verifier"); { crypto_blake2b_ctx hash_ctx; crypto_blake2b_general_init(&hash_ctx, 32, NULL, 0); @@ -420,7 +424,7 @@ bsspeke_server_derive_shared_key(const uint8_t A[32], bsspeke_server_ctx *server ) { // Compute the two Diffie-Hellman shared secrets - debug(DEBUG, "Computing Diffie-Hellman shared secrets"); + debug(LOG_DEBUG, "Computing Diffie-Hellman shared secrets"); // DH shared secret from b * A uint8_t b_A[32]; crypto_x25519(b_A, server->b, A); @@ -431,7 +435,7 @@ bsspeke_server_derive_shared_key(const uint8_t A[32], print_point("b * V", b_V); // Hash everything we've learned so far to generate k, save it in ctx->k - debug(DEBUG, "Hashing state so far to generate K_s"); + debug(LOG_DEBUG, "Hashing state so far to generate K_s"); { crypto_blake2b_ctx hash_ctx; crypto_blake2b_general_init(&hash_ctx, 32, NULL, 0); @@ -457,7 +461,7 @@ bsspeke_server_verify_client(uint8_t client_verifier[32], // Check that the client's hash is correct // Compute H( k || VERIFY_CLIENT_MODIFIER ) - debug(DEBUG, "Checking client's verifier hash"); + debug(LOG_DEBUG, "Checking client's verifier hash"); uint8_t my_client_verifier[32]; { crypto_blake2b_ctx hash_ctx; @@ -473,10 +477,10 @@ bsspeke_server_verify_client(uint8_t client_verifier[32], // Compare vs msg3->client_verifier if( crypto_verify32(client_verifier, my_client_verifier) != 0 ) { - debug(ERROR, "Client's verifier doesn't match!"); + debug(LOG_ERROR, "Client's verifier doesn't match!"); return -1; } - debug(DEBUG, "Client's verifier checks out"); + debug(LOG_DEBUG, "Client's verifier checks out"); return 0; } @@ -486,7 +490,7 @@ bsspeke_server_generate_verifier(uint8_t server_verifier[32], bsspeke_server_ctx *server ) { // Compute our own verifier H( k || VERIFY_SERVER_MODIFIER ), save it in server_verifier - debug(DEBUG, "Computing server verifier hash"); + debug(LOG_DEBUG, "Computing server verifier hash"); { crypto_blake2b_ctx hash_ctx; crypto_blake2b_general_init(&hash_ctx, 32, NULL, 0); @@ -504,7 +508,7 @@ bsspeke_client_verify_server(const uint8_t server_verifier[32], const bsspeke_client_ctx *client ) { // Compute our own version of the server's verifier hash - debug(DEBUG, "Verifying hash from the server"); + debug(LOG_DEBUG, "Verifying hash from the server"); uint8_t my_server_verifier[32]; { crypto_blake2b_ctx hash_ctx; @@ -520,10 +524,10 @@ bsspeke_client_verify_server(const uint8_t server_verifier[32], // If the hashes don't match, return failure if( crypto_verify32(server_verifier, my_server_verifier) != 0 ) { - debug(WARN, "Server's hash doesn't match. Aborting."); + debug(LOG_WARN, "Server's hash doesn't match. Aborting."); return -1; } - debug(DEBUG, "Server's hash checks out. SUCCESS!"); + debug(LOG_DEBUG, "Server's hash checks out. SUCCESS!"); // Otherwise, return success return 0;