/*
This file is part of TALER
Copyright (C) 2022 Taler Systems SA
TALER is free software; you can redistribute it and/or modify it under the
terms of the GNU General Public License as published by the Free Software
Foundation; either version 3, or (at your option) any later version.
TALER is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License for more details.
You should have received a copy of the GNU General Public License along with
TALER; see the file COPYING. If not, see
*/
/**
* @file util/crypto_contract.c
* @brief functions for encrypting and decrypting contracts for P2P payments
* @author Christian Grothoff
*/
#include "platform.h"
#include "taler_util.h"
#include
#include "taler_exchange_service.h"
/**
* Different types of contracts supported.
*/
enum ContractFormats
{
/**
* The encrypted contract represents a payment offer. The receiver
* can merge it into a reserve/account to accept the contract and
* obtain the payment.
*/
TALER_EXCHANGE_CONTRACT_PAYMENT_OFFER = 0,
/**
* The encrypted contract represents a payment request.
*/
TALER_EXCHANGE_CONTRACT_PAYMENT_REQUEST = 1
};
/**
* Nonce used for encryption, 24 bytes.
*/
struct NonceP
{
uint8_t nonce[crypto_secretbox_NONCEBYTES];
};
/**
* Specifies a key used for symmetric encryption, 32 bytes.
*/
struct SymKeyP
{
uint32_t key[8];
};
/**
* Compute @a key.
*
* @param key_material key for calculation
* @param key_m_len length of key
* @param nonce nonce for calculation
* @param salt salt value for calculation
* @param[out] key where to write the en-/description key
*/
static void
derive_key (const void *key_material,
size_t key_m_len,
const struct NonceP *nonce,
const char *salt,
struct SymKeyP *key)
{
GNUNET_assert (GNUNET_YES ==
GNUNET_CRYPTO_kdf (key,
sizeof (*key),
/* salt / XTS */
nonce,
sizeof (*nonce),
/* ikm */
key_material,
key_m_len,
/* info chunks */
/* The "salt" passed here is actually not something random,
but a protocol-specific identifier string. Thus
we pass it as a context info to the HKDF */
salt,
strlen (salt),
NULL,
0));
}
/**
* Encryption of data.
*
* @param nonce value to use for the nonce
* @param key key which is used to derive a key/iv pair from
* @param key_len length of key
* @param data data to encrypt
* @param data_size size of the data
* @param salt salt value which is used for key derivation
* @param[out] res ciphertext output
* @param[out] res_size size of the ciphertext
*/
static void
blob_encrypt (const struct NonceP *nonce,
const void *key,
size_t key_len,
const void *data,
size_t data_size,
const char *salt,
void **res,
size_t *res_size)
{
size_t ciphertext_size;
struct SymKeyP skey;
derive_key (key,
key_len,
nonce,
salt,
&skey);
ciphertext_size = crypto_secretbox_NONCEBYTES
+ crypto_secretbox_MACBYTES
+ data_size;
*res_size = ciphertext_size;
*res = GNUNET_malloc (ciphertext_size);
GNUNET_memcpy (*res,
nonce,
crypto_secretbox_NONCEBYTES);
GNUNET_assert (0 ==
crypto_secretbox_easy (*res + crypto_secretbox_NONCEBYTES,
data,
data_size,
(void *) nonce,
(void *) &skey));
}
/**
* Decryption of data like encrypted recovery document etc.
*
* @param key key which is used to derive a key/iv pair from
* @param key_len length of key
* @param data data to decrypt
* @param data_size size of the data
* @param salt salt value which is used for key derivation
* @param[out] res plaintext output
* @param[out] res_size size of the plaintext
* @return #GNUNET_OK on success
*/
static enum GNUNET_GenericReturnValue
blob_decrypt (const void *key,
size_t key_len,
const void *data,
size_t data_size,
const char *salt,
void **res,
size_t *res_size)
{
const struct NonceP *nonce;
struct SymKeyP skey;
size_t plaintext_size;
if (data_size < crypto_secretbox_NONCEBYTES + crypto_secretbox_MACBYTES)
{
GNUNET_break (0);
return GNUNET_SYSERR;
}
nonce = data;
derive_key (key,
key_len,
nonce,
salt,
&skey);
plaintext_size = data_size - (crypto_secretbox_NONCEBYTES
+ crypto_secretbox_MACBYTES);
*res = GNUNET_malloc (plaintext_size);
*res_size = plaintext_size;
if (0 != crypto_secretbox_open_easy (*res,
data + crypto_secretbox_NONCEBYTES,
data_size - crypto_secretbox_NONCEBYTES,
(void *) nonce,
(void *) &skey))
{
GNUNET_break (0);
GNUNET_free (*res);
return GNUNET_SYSERR;
}
return GNUNET_OK;
}
/**
* Header for encrypted contracts.
*/
struct ContractHeaderP
{
/**
* Type of the contract, in NBO.
*/
uint32_t ctype;
/**
* Length of the encrypted contract, in NBO.
*/
uint32_t clen;
};
/**
* Header for encrypted contracts.
*/
struct ContractHeaderMergeP
{
/**
* Generic header.
*/
struct ContractHeaderP header;
/**
* Private key with the merge capability.
*/
struct TALER_PurseMergePrivateKeyP merge_priv;
};
/**
* Salt we use when encrypting contracts for merge.
*/
#define MERGE_SALT "p2p-merge-contract"
void
TALER_CRYPTO_contract_encrypt_for_merge (
const struct TALER_PurseContractPublicKeyP *purse_pub,
const struct TALER_ContractDiffiePrivateP *contract_priv,
const struct TALER_PurseMergePrivateKeyP *merge_priv,
const json_t *contract_terms,
void **econtract,
size_t *econtract_size)
{
struct GNUNET_HashCode key;
char *cstr;
size_t clen;
void *xbuf;
struct ContractHeaderMergeP *hdr;
struct NonceP nonce;
uLongf cbuf_size;
int ret;
GNUNET_assert (GNUNET_OK ==
GNUNET_CRYPTO_ecdh_eddsa (&contract_priv->ecdhe_priv,
&purse_pub->eddsa_pub,
&key));
cstr = json_dumps (contract_terms,
JSON_COMPACT | JSON_SORT_KEYS);
clen = strlen (cstr);
cbuf_size = compressBound (clen);
xbuf = GNUNET_malloc (cbuf_size);
ret = compress (xbuf,
&cbuf_size,
(const Bytef *) cstr,
clen);
GNUNET_assert (Z_OK == ret);
free (cstr);
hdr = GNUNET_malloc (sizeof (*hdr) + cbuf_size);
hdr->header.ctype = htonl (TALER_EXCHANGE_CONTRACT_PAYMENT_OFFER);
hdr->header.clen = htonl ((uint32_t) clen);
hdr->merge_priv = *merge_priv;
GNUNET_memcpy (&hdr[1],
xbuf,
cbuf_size);
GNUNET_free (xbuf);
GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
&nonce,
sizeof (nonce));
blob_encrypt (&nonce,
&key,
sizeof (key),
hdr,
sizeof (*hdr) + cbuf_size,
MERGE_SALT,
econtract,
econtract_size);
GNUNET_free (hdr);
}
json_t *
TALER_CRYPTO_contract_decrypt_for_merge (
const struct TALER_ContractDiffiePrivateP *contract_priv,
const struct TALER_PurseContractPublicKeyP *purse_pub,
const void *econtract,
size_t econtract_size,
struct TALER_PurseMergePrivateKeyP *merge_priv)
{
struct GNUNET_HashCode key;
void *xhdr;
size_t hdr_size;
const struct ContractHeaderMergeP *hdr;
char *cstr;
uLongf clen;
json_error_t json_error;
json_t *ret;
if (GNUNET_OK !=
GNUNET_CRYPTO_ecdh_eddsa (&contract_priv->ecdhe_priv,
&purse_pub->eddsa_pub,
&key))
{
GNUNET_break (0);
return NULL;
}
if (GNUNET_OK !=
blob_decrypt (&key,
sizeof (key),
econtract,
econtract_size,
MERGE_SALT,
&xhdr,
&hdr_size))
{
GNUNET_break_op (0);
return NULL;
}
if (hdr_size < sizeof (*hdr))
{
GNUNET_break_op (0);
GNUNET_free (xhdr);
return NULL;
}
hdr = xhdr;
if (TALER_EXCHANGE_CONTRACT_PAYMENT_OFFER != ntohl (hdr->header.ctype))
{
GNUNET_break_op (0);
GNUNET_free (xhdr);
return NULL;
}
clen = ntohl (hdr->header.clen);
if (clen >= GNUNET_MAX_MALLOC_CHECKED)
{
GNUNET_break_op (0);
GNUNET_free (xhdr);
return NULL;
}
cstr = GNUNET_malloc (clen + 1);
if (Z_OK !=
uncompress ((Bytef *) cstr,
&clen,
(const Bytef *) &hdr[1],
hdr_size - sizeof (*hdr)))
{
GNUNET_break_op (0);
GNUNET_free (cstr);
GNUNET_free (xhdr);
return NULL;
}
*merge_priv = hdr->merge_priv;
GNUNET_free (xhdr);
ret = json_loadb ((char *) cstr,
clen,
JSON_DECODE_ANY,
&json_error);
if (NULL == ret)
{
GNUNET_break_op (0);
GNUNET_free (cstr);
return NULL;
}
GNUNET_free (cstr);
return ret;
}
/**
* Salt we use when encrypting contracts for merge.
*/
#define DEPOSIT_SALT "p2p-deposit-contract"
void
TALER_CRYPTO_contract_encrypt_for_deposit (
const struct TALER_PurseContractPublicKeyP *purse_pub,
const struct TALER_ContractDiffiePrivateP *contract_priv,
const json_t *contract_terms,
void **econtract,
size_t *econtract_size)
{
struct GNUNET_HashCode key;
char *cstr;
size_t clen;
void *xbuf;
struct ContractHeaderP *hdr;
struct NonceP nonce;
uLongf cbuf_size;
int ret;
void *xecontract;
size_t xecontract_size;
GNUNET_assert (GNUNET_OK ==
GNUNET_CRYPTO_ecdh_eddsa (&contract_priv->ecdhe_priv,
&purse_pub->eddsa_pub,
&key));
cstr = json_dumps (contract_terms,
JSON_COMPACT | JSON_SORT_KEYS);
GNUNET_assert (NULL != cstr);
clen = strlen (cstr);
cbuf_size = compressBound (clen);
xbuf = GNUNET_malloc (cbuf_size);
ret = compress (xbuf,
&cbuf_size,
(const Bytef *) cstr,
clen);
GNUNET_assert (Z_OK == ret);
free (cstr);
hdr = GNUNET_malloc (sizeof (*hdr) + cbuf_size);
hdr->ctype = htonl (TALER_EXCHANGE_CONTRACT_PAYMENT_REQUEST);
hdr->clen = htonl ((uint32_t) clen);
GNUNET_memcpy (&hdr[1],
xbuf,
cbuf_size);
GNUNET_free (xbuf);
GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
&nonce,
sizeof (nonce));
blob_encrypt (&nonce,
&key,
sizeof (key),
hdr,
sizeof (*hdr) + cbuf_size,
DEPOSIT_SALT,
&xecontract,
&xecontract_size);
GNUNET_free (hdr);
/* prepend purse_pub */
*econtract = GNUNET_malloc (xecontract_size + sizeof (*purse_pub));
GNUNET_memcpy (*econtract,
purse_pub,
sizeof (*purse_pub));
GNUNET_memcpy (sizeof (*purse_pub) + *econtract,
xecontract,
xecontract_size);
*econtract_size = xecontract_size + sizeof (*purse_pub);
GNUNET_free (xecontract);
}
json_t *
TALER_CRYPTO_contract_decrypt_for_deposit (
const struct TALER_ContractDiffiePrivateP *contract_priv,
const void *econtract,
size_t econtract_size)
{
const struct TALER_PurseContractPublicKeyP *purse_pub = econtract;
if (econtract_size < sizeof (*purse_pub))
{
GNUNET_break_op (0);
return NULL;
}
struct GNUNET_HashCode key;
void *xhdr;
size_t hdr_size;
const struct ContractHeaderP *hdr;
char *cstr;
uLongf clen;
json_error_t json_error;
json_t *ret;
if (GNUNET_OK !=
GNUNET_CRYPTO_ecdh_eddsa (&contract_priv->ecdhe_priv,
&purse_pub->eddsa_pub,
&key))
{
GNUNET_break (0);
return NULL;
}
econtract += sizeof (*purse_pub);
econtract_size -= sizeof (*purse_pub);
if (GNUNET_OK !=
blob_decrypt (&key,
sizeof (key),
econtract,
econtract_size,
DEPOSIT_SALT,
&xhdr,
&hdr_size))
{
GNUNET_break_op (0);
return NULL;
}
if (hdr_size < sizeof (*hdr))
{
GNUNET_break_op (0);
GNUNET_free (xhdr);
return NULL;
}
hdr = xhdr;
if (TALER_EXCHANGE_CONTRACT_PAYMENT_REQUEST != ntohl (hdr->ctype))
{
GNUNET_break_op (0);
GNUNET_free (xhdr);
return NULL;
}
clen = ntohl (hdr->clen);
if (clen >= GNUNET_MAX_MALLOC_CHECKED)
{
GNUNET_break_op (0);
GNUNET_free (xhdr);
return NULL;
}
cstr = GNUNET_malloc (clen + 1);
if (Z_OK !=
uncompress ((Bytef *) cstr,
&clen,
(const Bytef *) &hdr[1],
hdr_size - sizeof (*hdr)))
{
GNUNET_break_op (0);
GNUNET_free (cstr);
GNUNET_free (xhdr);
return NULL;
}
GNUNET_free (xhdr);
ret = json_loadb ((char *) cstr,
clen,
JSON_DECODE_ANY,
&json_error);
if (NULL == ret)
{
GNUNET_break_op (0);
GNUNET_free (cstr);
return NULL;
}
GNUNET_free (cstr);
return ret;
}
/**
* Salt we use when encrypting KYC attributes.
*/
#define ATTRIBUTE_SALT "kyc-attributes"
void
TALER_CRYPTO_kyc_attributes_encrypt (
const struct TALER_AttributeEncryptionKeyP *key,
const json_t *attr,
void **enc_attr,
size_t *enc_attr_size)
{
uLongf cbuf_size;
char *cstr;
uLongf clen;
void *xbuf;
int ret;
uint32_t belen;
struct NonceP nonce;
cstr = json_dumps (attr,
JSON_COMPACT | JSON_SORT_KEYS);
GNUNET_assert (NULL != cstr);
clen = strlen (cstr);
GNUNET_assert (clen <= UINT32_MAX);
cbuf_size = compressBound (clen);
xbuf = GNUNET_malloc (cbuf_size + sizeof (uint32_t));
belen = htonl ((uint32_t) clen);
GNUNET_memcpy (xbuf,
&belen,
sizeof (belen));
ret = compress (xbuf + 4,
&cbuf_size,
(const Bytef *) cstr,
clen);
GNUNET_assert (Z_OK == ret);
free (cstr);
GNUNET_CRYPTO_random_block (GNUNET_CRYPTO_QUALITY_NONCE,
&nonce,
sizeof (nonce));
blob_encrypt (&nonce,
key,
sizeof (*key),
xbuf,
cbuf_size + sizeof (uint32_t),
ATTRIBUTE_SALT,
enc_attr,
enc_attr_size);
GNUNET_free (xbuf);
}
json_t *
TALER_CRYPTO_kyc_attributes_decrypt (
const struct TALER_AttributeEncryptionKeyP *key,
const void *enc_attr,
size_t enc_attr_size)
{
void *xhdr;
size_t hdr_size;
char *cstr;
uLongf clen;
json_error_t json_error;
json_t *ret;
uint32_t belen;
if (GNUNET_OK !=
blob_decrypt (key,
sizeof (*key),
enc_attr,
enc_attr_size,
ATTRIBUTE_SALT,
&xhdr,
&hdr_size))
{
GNUNET_break_op (0);
return NULL;
}
GNUNET_memcpy (&belen,
xhdr,
sizeof (belen));
clen = ntohl (belen);
if (clen >= GNUNET_MAX_MALLOC_CHECKED)
{
GNUNET_break_op (0);
GNUNET_free (xhdr);
return NULL;
}
cstr = GNUNET_malloc (clen + 1);
if (Z_OK !=
uncompress ((Bytef *) cstr,
&clen,
(const Bytef *) (xhdr + sizeof (uint32_t)),
hdr_size - sizeof (uint32_t)))
{
GNUNET_break_op (0);
GNUNET_free (cstr);
GNUNET_free (xhdr);
return NULL;
}
GNUNET_free (xhdr);
ret = json_loadb ((char *) cstr,
clen,
JSON_DECODE_ANY,
&json_error);
if (NULL == ret)
{
GNUNET_break_op (0);
GNUNET_free (cstr);
return NULL;
}
GNUNET_free (cstr);
return ret;
}