author | Peter Wu <peter@lekensteyn.nl> | 2018-07-30 18:18:40 +0200 |
---|---|---|
committer | Anders Broman <a.broman58@gmail.com> | 2018-08-08 11:23:55 +0000 |
commit | d7187e0b1ba0303dc493c4a75d9949cfca8ede98 (patch) | |
tree | 5020f7383683b77d341817992350ce55b06f1164 /wsutil/curve25519.h | |
parent | e50ae0ad11c63d47b864db7319aa9163eefd2296 (diff) |
wsutil: Add Curve25519 ECDH (X25519) using Gcrypt

The WireGuard dissector will need X25519 to enable decryption, add a
Gcrypt implementation that implements the NaCl/Sodium interface.

While inspired by the MPI example in t-cv25519.c, note subtle but
important correctness/interoperability fixes: add a check for infinity
(gcry_mpi_ec_get_affine) and handle short values from gcry_mpi_print.
The last issue is ugly, perhaps the high level API (gcry_pk_decrypt)
should be used instead (which is < 2% slower than this MPI implementation).
(Both issues were found through fuzzing.)

As for alternative options, Sodium is superior but would be a new
dependency. For some older performance and usability notes (comparing
crypto_scalarmult_curve25519_base (note "_base") against others), see
https://lists.gnupg.org/pipermail/gcrypt-devel/2018-July/004532.html

Performance comparison on Ubuntu 18.04 (i7-3770) between Sodium 1.0.16
against Gcrypt 1.8.3 and Gcrypt 86e5e06a (git master, future 1.9.x) by
computing 65536 times X25519(1, 8) via crypto_scalarmult_curve25519:

Sodium (sandy2x): 1.4x faster than ref10
Sodium (ref10): 1 (baseline)
Gcrypt (git): 5x slower than ref10, 7x slower than sandy2x
Gcrypt (1.8.3): 17x ref10, 24x sandy2x (took 65 seconds)

Change-Id: Ia54e73cc3cc469a6697554729aff4edd19f55630
Ping-Bug: 15011
Reviewed-on: https://code.wireshark.org/review/28987
Reviewed-by: Anders Broman <a.broman58@gmail.com>
Diffstat (limited to 'wsutil/curve25519.h')
-rw-r--r-- | wsutil/curve25519.h | 41 |
1 files changed, 41 insertions, 0 deletions
diff --git a/wsutil/curve25519.h b/wsutil/curve25519.h new file mode 100644 index 0000000000..2868df1b63 --- /dev/null +++ b/wsutil/curve25519.h @@ -0,0 +1,41 @@ +/* curve25519.h + * NaCl/Sodium-compatible API for Curve25519 cryptography. + * + * Copyright (c) 2018, Peter Wu <peter@lekensteyn.nl> + * + * Wireshark - Network traffic analyzer + * By Gerald Combs <gerald@wireshark.org> + * Copyright 1998 Gerald Combs + * + * SPDX-License-Identifier: GPL-2.0-or-later + */ + +#ifndef __CURVE25519_H__ +#define __CURVE25519_H__ + +#include "ws_symbol_export.h" +#include "wsgcrypt.h" + +#if GCRYPT_VERSION_NUMBER >= 0x010700 /* 1.7.0 */ +#define HAVE_X25519 +#endif + +#ifdef HAVE_X25519 +/* + * Computes Q = X25519(n, P). In other words, given the secret key n, the public + * key P, compute the shared secret Q. Each key is 32 bytes long. + * Returns 0 on success or -1 on failure. + */ +WS_DLL_PUBLIC +int crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n, + const unsigned char *p); + +/* + * Computes the Curve25519 32-byte public key Q from the 32-byte secret key n. + * Returns 0 on success or -1 on failure. + */ +WS_DLL_PUBLIC +int crypto_scalarmult_curve25519_base(unsigned char *q, const unsigned char *n); +#endif /* HAVE_X25519 */ + +#endif /* __CURVE25519_H__ */ |
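Review bot: The doc comments on crypto_scalarmult_curve25519 and crypto_scalarmult_curve25519_base state only "Returns 0 on success or -1 on failure", which gives callers no contract for the failure path. The commit message says a check for infinity was added, so failure depends on the supplied key material; please document which inputs fail and whether q is left untouched or must be treated as undefined when -1 is returned, and consider marking the return value as must-check so a dissector cannot derive keys from a stale buffer. The comments also say each key is 32 bytes but not the byte order or whether q may alias n or p; since the goal is NaCl/Sodium compatibility, one line stating both would remove the guesswork. Two smaller points: the include guard __CURVE25519_H__ starts with a double underscore, which is a reserved identifier in C, and HAVE_X25519 is derived here from the compile-time GCRYPT_VERSION_NUMBER, so a short comment telling users to include this header before testing HAVE_X25519 would help.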
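The short-output problem the commit message mentions, as an added example that is not code from this commit or from Wireshark. It assumes the bignum print routine emits an unsigned big-endian integer with leading zero bytes dropped; the function names and the 2-byte sample are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define X25519_LEN 32

/* Correct: right-align the short big-endian value, then flip to the
 * fixed 32-byte little-endian form. Returns 0, or -1 if it cannot fit. */
int be_minimal_to_x25519_le(unsigned char out[X25519_LEN],
                            const unsigned char *be, size_t be_len)
{
    if (be_len > X25519_LEN)
        return -1;
    memset(out, 0, X25519_LEN);          /* missing high bytes are zero */
    for (size_t i = 0; i < be_len; i++)
        out[i] = be[be_len - 1 - i];     /* least significant byte first */
    return 0;
}

/* Flawed, for comparison: assumes 32 bytes were written and reverses the
 * whole buffer, so a short value lands in the wrong byte positions. */
void naive_reverse32(unsigned char out[X25519_LEN],
                     const unsigned char *be, size_t be_len)
{
    unsigned char buf[X25519_LEN] = {0};
    if (be_len > X25519_LEN)
        be_len = X25519_LEN;
    memcpy(buf, be, be_len);             /* value sits at the front */
    for (size_t i = 0; i < X25519_LEN; i++)
        out[i] = buf[X25519_LEN - 1 - i];
}

int main(void)
{
    /* Constructed sample: the integer 0x0102 printed in 2 bytes. */
    const unsigned char be[] = {0x01, 0x02};
    unsigned char good[X25519_LEN], bad[X25519_LEN];

    if (be_minimal_to_x25519_le(good, be, sizeof be) != 0)
        return 1;
    naive_reverse32(bad, be, sizeof be);
    printf("correct low bytes: %02x %02x\n", good[0], good[1]);
    printf("naive high bytes:  %02x %02x\n", bad[30], bad[31]);
    return memcmp(good, bad, X25519_LEN) == 0;   /* 0 = they differ */
}
```

A result with a zero top byte is rare for random inputs (roughly 1 in 256), which is why this kind of mismatch tends to surface under fuzzing rather than in a handful of fixed test vectors.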