mirror of
https://codeberg.org/Freeyourgadget/Gadgetbridge
synced 2024-06-25 14:31:05 +02:00
516 lines
17 KiB
Java
516 lines
17 KiB
Java
/* Copyright (C) 2022-2024 Andreas Shimokawa
|
|
|
|
This file is part of Gadgetbridge.
|
|
|
|
Gadgetbridge is free software: you can redistribute it and/or modify
|
|
it under the terms of the GNU Affero General Public License as published
|
|
by the Free Software Foundation, either version 3 of the License, or
|
|
(at your option) any later version.
|
|
|
|
Gadgetbridge is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU Affero General Public License for more details.
|
|
|
|
You should have received a copy of the GNU Affero General Public License
|
|
along with this program. If not, see <https://www.gnu.org/licenses/>. */
|
|
|
|
|
|
/*
|
|
This class is a really dumb pure java port of tiny-EDCH from here
|
|
https://github.com/kokke/tiny-ECDH-c/
|
|
|
|
What I did:
|
|
- remove all curves except B163 to make porting easier
|
|
- port to java with brain switched off
|
|
- fix the "java has no unsigned" bugs
|
|
- add some helpers to convert int[] to byte[] and back because java has no casts
|
|
|
|
The result is ugly, no one would write such crappy code from scratch, but I tried to
|
|
keep it as close to the C code as possible to prevent bugs. Since I did not know what
|
|
I was doing.
|
|
*/
|
|
|
|
|
|
package nodomain.freeyourgadget.gadgetbridge.util;
|
|
|
|
public class ECDH_B163 {
|
|
|
|
static final int CURVE_DEGREE = 163;
|
|
static final int ECC_PRV_KEY_SIZE = 24;
|
|
static final int ECC_PUB_KEY_SIZE = 2 * ECC_PRV_KEY_SIZE;
|
|
|
|
/* margin for overhead needed in intermediate calculations */
|
|
static final int BITVEC_MARGIN = 3;
|
|
static final int BITVEC_NBITS = (CURVE_DEGREE + BITVEC_MARGIN);
|
|
static final int BITVEC_NWORDS = ((BITVEC_NBITS + 31) / 32);
|
|
static final int BITVEC_NBYTES = (4 * BITVEC_NWORDS);
|
|
|
|
/******************************************************************************/
|
|
|
|
/* Here the curve parameters are defined. */
|
|
|
|
/* NIST B-163 */
|
|
static final int[] polynomial = {0x000000c9, 0x00000000, 0x00000000, 0x00000000, 0x00000000, 0x00000008};
|
|
static final int[] coeff_b = {0x4a3205fd, 0x512f7874, 0x1481eb10, 0xb8c953ca, 0x0a601907, 0x00000002};
|
|
static final int[] base_x = {0xe8343e36, 0xd4994637, 0xa0991168, 0x86a2d57e, 0xf0eba162, 0x00000003};
|
|
static final int[] base_y = {0x797324f1, 0xb11c5c0c, 0xa2cdd545, 0x71a0094f, 0xd51fbc6c, 0x00000000};
|
|
static final int[] base_order = {0xa4234c33, 0x77e70c12, 0x000292fe, 0x00000000, 0x00000000, 0x00000004};
|
|
|
|
/*************************************************************************************************/
|
|
|
|
/* Private / static functions: */
|
|
|
|
/* some basic bit-manipulation routines that act on bit-vectors follow */
|
|
static int bitvec_get_bit(final int[] x, final int idx) {
|
|
return (int) ((((((long) x[idx / 32] & 0xffffffffL) >> (idx & 31)) & 1)));
|
|
}
|
|
|
|
static void bitvec_clr_bit(final int[] x, final int idx) {
|
|
x[idx / 32] &= ~(1 << (idx & 31));
|
|
}
|
|
|
|
static void bitvec_copy(int[] x, int[] y) {
|
|
int i;
|
|
for (i = 0; i < BITVEC_NWORDS; ++i) {
|
|
x[i] = y[i];
|
|
}
|
|
}
|
|
|
|
static void bitvec_swap(int[] x, int[] y) {
|
|
int[] tmp = new int[BITVEC_NWORDS];
|
|
bitvec_copy(tmp, x);
|
|
bitvec_copy(x, y);
|
|
bitvec_copy(y, tmp);
|
|
}
|
|
|
|
/* fast version of equality test */
|
|
static boolean bitvec_equal(final int[] x, final int[] y) {
|
|
int i;
|
|
for (i = 0; i < BITVEC_NWORDS; ++i) {
|
|
if (x[i] != y[i]) {
|
|
return false;
|
|
}
|
|
}
|
|
return true;
|
|
}
|
|
|
|
static void bitvec_set_zero(int[] x) {
|
|
int i;
|
|
for (i = 0; i < BITVEC_NWORDS; ++i) {
|
|
x[i] = 0;
|
|
}
|
|
}
|
|
|
|
/* fast implementation */
|
|
static boolean bitvec_is_zero(final int[] x) {
|
|
int i = 0;
|
|
while (i < BITVEC_NWORDS) {
|
|
if (x[i] != 0) {
|
|
break;
|
|
}
|
|
i += 1;
|
|
}
|
|
return (i == BITVEC_NWORDS);
|
|
}
|
|
|
|
/* return the number of the highest one-bit + 1 */
|
|
static int bitvec_degree(final int[] x) {
|
|
int i = BITVEC_NWORDS * 32;
|
|
|
|
/* Start at the back of the vector (MSB) */
|
|
int y = BITVEC_NWORDS;
|
|
|
|
/* Skip empty / zero words */
|
|
while ((i > 0)
|
|
&& (x[--y] == 0)) {
|
|
i -= 32;
|
|
}
|
|
/* Run through rest if count is not multiple of bitsize of DTYPE */
|
|
if (i != 0) {
|
|
int u32mask = ((int) 1 << 31);
|
|
while (((x[y]) & u32mask) == 0) {
|
|
u32mask = (int) (((long) u32mask & 0xffffffffL) >> 1);
|
|
i -= 1;
|
|
}
|
|
}
|
|
return i;
|
|
}
|
|
|
|
/* left-shift by 'count' digits */
|
|
static void bitvec_lshift(int[] x, final int[] y, int nbits) {
|
|
int nwords = (nbits / 32);
|
|
|
|
/* Shift whole words first if nwords > 0 */
|
|
int i, j;
|
|
for (i = 0; i < nwords; ++i) {
|
|
/* Zero-initialize from least-significant word until offset reached */
|
|
x[i] = 0;
|
|
}
|
|
j = 0;
|
|
/* Copy to x output */
|
|
while (i < BITVEC_NWORDS) {
|
|
x[i] = y[j];
|
|
i += 1;
|
|
j += 1;
|
|
}
|
|
|
|
/* Shift the rest if count was not multiple of bitsize of DTYPE */
|
|
nbits &= 31;
|
|
if (nbits != 0) {
|
|
/* Left shift rest */
|
|
for (i = (BITVEC_NWORDS - 1); i > 0; --i) {
|
|
x[i] = (int) (((long) (x[i]) << nbits) | (((long) x[i - 1] & 0xffffffffL) >> (32 - nbits)));
|
|
}
|
|
x[0] = (int) ((long) (x[0]) << nbits);
|
|
}
|
|
}
|
|
|
|
/*************************************************************************************************/
|
|
/*
|
|
* Code that does arithmetic on bit-vectors in the Galois Field
|
|
* GF(2^CURVE_DEGREE).
|
|
*/
|
|
|
|
/*************************************************************************************************/
|
|
|
|
static void gf2field_set_one(int[] x) {
|
|
/* Set first word to one */
|
|
x[0] = 1;
|
|
/* .. and the rest to zero */
|
|
int i;
|
|
for (i = 1; i < BITVEC_NWORDS; ++i) {
|
|
x[i] = 0;
|
|
}
|
|
}
|
|
|
|
|
|
/* fastest check if x == 1 */
|
|
static boolean gf2field_is_one(int[] x) {
|
|
/* Check if first word == 1 */
|
|
if (x[0] != 1) {
|
|
return false;
|
|
}
|
|
/* ...and if rest of words == 0 */
|
|
int i;
|
|
for (i = 1; i < BITVEC_NWORDS; ++i) {
|
|
if (x[i] != 0) {
|
|
break;
|
|
}
|
|
}
|
|
return (i == BITVEC_NWORDS);
|
|
}
|
|
|
|
/* galois field(2^m) addition is modulo 2, so XOR is used instead - 'z := a + b' */
|
|
static void gf2field_add(int[] z, final int[] x, final int[] y) {
|
|
int i;
|
|
for (i = 0; i < BITVEC_NWORDS; ++i) {
|
|
z[i] = (x[i] ^ y[i]);
|
|
}
|
|
}
|
|
|
|
/* increment element */
|
|
static void gf2field_inc(int[] x) {
|
|
x[0] ^= 1;
|
|
}
|
|
|
|
/* field multiplication 'z := (x * y)' */
|
|
static void gf2field_mul(int[] z, final int[] x, final int[] y) {
|
|
int i;
|
|
int[] tmp = new int[BITVEC_NWORDS];
|
|
assert (z != y);
|
|
|
|
bitvec_copy(tmp, x);
|
|
|
|
/* LSB set? Then start with x */
|
|
if (bitvec_get_bit(y, 0) != 0) {
|
|
bitvec_copy(z, x);
|
|
} else /* .. or else start with zero */ {
|
|
bitvec_set_zero(z);
|
|
}
|
|
|
|
/* Then add 2^i * x for the rest */
|
|
for (i = 1; i < CURVE_DEGREE; ++i) {
|
|
/* lshift 1 - doubling the value of tmp */
|
|
bitvec_lshift(tmp, tmp, 1);
|
|
|
|
/* Modulo reduction polynomial if degree(tmp) > CURVE_DEGREE */
|
|
if (bitvec_get_bit(tmp, CURVE_DEGREE) != 0) {
|
|
gf2field_add(tmp, tmp, polynomial);
|
|
}
|
|
|
|
/* Add 2^i * tmp if this factor in y is non-zero */
|
|
if (bitvec_get_bit(y, i) != 0) {
|
|
gf2field_add(z, z, tmp);
|
|
}
|
|
}
|
|
}
|
|
|
|
/* field inversion 'z := 1/x' */
|
|
static void gf2field_inv(int[] z, final int[] x) {
|
|
int[] u = new int[BITVEC_NWORDS];
|
|
int[] v = new int[BITVEC_NWORDS];
|
|
int[] g = new int[BITVEC_NWORDS];
|
|
int[] h = new int[BITVEC_NWORDS];
|
|
|
|
int i;
|
|
|
|
bitvec_copy(u, x);
|
|
bitvec_copy(v, polynomial);
|
|
bitvec_set_zero(g);
|
|
gf2field_set_one(z);
|
|
|
|
while (!gf2field_is_one(u)) {
|
|
i = (bitvec_degree(u) - bitvec_degree(v));
|
|
|
|
if (i < 0) {
|
|
bitvec_swap(u, v);
|
|
bitvec_swap(g, z);
|
|
i = -i;
|
|
}
|
|
bitvec_lshift(h, v, i);
|
|
gf2field_add(u, u, h);
|
|
bitvec_lshift(h, g, i);
|
|
gf2field_add(z, z, h);
|
|
}
|
|
}
|
|
|
|
/*************************************************************************************************/
|
|
/*
|
|
* The following code takes care of Galois-Field arithmetic.
|
|
* Elliptic curve points are represented by pairs (x,y) of bitvec_t.
|
|
* It is assumed that curve coefficient 'a' is {0,1}
|
|
* This is the case for all NIST binary curves.
|
|
* Coefficient 'b' is given in 'coeff_b'.
|
|
* '(base_x, base_y)' is a point that generates a large prime order group.
|
|
*/
|
|
|
|
/*************************************************************************************************/
|
|
|
|
|
|
static void gf2point_copy(int[] x1, int[] y1, final int[] x2, final int[] y2) {
|
|
bitvec_copy(x1, x2);
|
|
bitvec_copy(y1, y2);
|
|
}
|
|
|
|
static void gf2point_set_zero(int[] x, int[] y) {
|
|
bitvec_set_zero(x);
|
|
bitvec_set_zero(y);
|
|
}
|
|
|
|
static boolean gf2point_is_zero(final int[] x, final int[] y) {
|
|
return (bitvec_is_zero(x)
|
|
&& bitvec_is_zero(y));
|
|
}
|
|
|
|
/* double the point (x,y) */
|
|
static void gf2point_double(int[] x, int[] y) {
|
|
/* iff P = O (zero or infinity): 2 * P = P */
|
|
if (bitvec_is_zero(x)) {
|
|
bitvec_set_zero(y);
|
|
} else {
|
|
int[] l = new int[BITVEC_NWORDS];
|
|
gf2field_inv(l, x);
|
|
gf2field_mul(l, l, y);
|
|
gf2field_add(l, l, x);
|
|
gf2field_mul(y, x, x);
|
|
gf2field_mul(x, l, l);
|
|
gf2field_inc(l);
|
|
gf2field_add(x, x, l);
|
|
gf2field_mul(l, l, x);
|
|
gf2field_add(y, y, l);
|
|
}
|
|
}
|
|
|
|
/* add two points together (x1, y1) := (x1, y1) + (x2, y2) */
|
|
static void gf2point_add(int[] x1, int[] y1, final int[] x2, final int[] y2) {
|
|
if (!gf2point_is_zero(x2, y2)) {
|
|
if (gf2point_is_zero(x1, y1)) {
|
|
gf2point_copy(x1, y1, x2, y2);
|
|
} else {
|
|
if (bitvec_equal(x1, x2)) {
|
|
if (bitvec_equal(y1, y2)) {
|
|
gf2point_double(x1, y1);
|
|
} else {
|
|
gf2point_set_zero(x1, y1);
|
|
}
|
|
} else {
|
|
/* Arithmetic with temporary variables */
|
|
int[] a = new int[BITVEC_NWORDS];
|
|
int[] b = new int[BITVEC_NWORDS];
|
|
int[] c = new int[BITVEC_NWORDS];
|
|
int[] d = new int[BITVEC_NWORDS];
|
|
|
|
gf2field_add(a, y1, y2);
|
|
gf2field_add(b, x1, x2);
|
|
gf2field_inv(c, b);
|
|
gf2field_mul(c, c, a);
|
|
gf2field_mul(d, c, c);
|
|
gf2field_add(d, d, c);
|
|
gf2field_add(d, d, b);
|
|
gf2field_inc(d);
|
|
gf2field_add(x1, x1, d);
|
|
gf2field_mul(a, x1, c);
|
|
gf2field_add(a, a, d);
|
|
gf2field_add(y1, y1, a);
|
|
bitvec_copy(x1, d);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
/* point multiplication via double-and-add algorithm */
|
|
static void gf2point_mul(int[] x, int[] y, final int[] exp) {
|
|
int[] tmpx = new int[BITVEC_NWORDS];
|
|
int[] tmpy = new int[BITVEC_NWORDS];
|
|
|
|
int i;
|
|
int nbits = bitvec_degree(exp);
|
|
gf2point_set_zero(tmpx, tmpy);
|
|
|
|
for (i = (nbits - 1); i >= 0; --i) {
|
|
gf2point_double(tmpx, tmpy);
|
|
|
|
if (bitvec_get_bit(exp, i) != 0) {
|
|
gf2point_add(tmpx, tmpy, x, y);
|
|
}
|
|
}
|
|
|
|
gf2point_copy(x, y, tmpx, tmpy);
|
|
}
|
|
|
|
|
|
/* check if y^2 + x*y = x^3 + a*x^2 + coeff_b holds */
|
|
static boolean gf2point_on_curve(final int[] x, final int[] y) {
|
|
int[] a = new int[BITVEC_NWORDS];
|
|
int[] b = new int[BITVEC_NWORDS];
|
|
|
|
if (gf2point_is_zero(x, y)) {
|
|
return false;
|
|
} else {
|
|
gf2field_mul(a, x, x);
|
|
gf2field_mul(b, a, x);
|
|
gf2field_add(a, a, b);
|
|
gf2field_add(a, a, coeff_b);
|
|
gf2field_mul(b, y, y);
|
|
gf2field_add(a, a, b);
|
|
gf2field_mul(b, x, y);
|
|
|
|
return bitvec_equal(a, b);
|
|
}
|
|
}
|
|
|
|
// helper needed for C->Java conversion (Java cant cast pointers)
|
|
static int[] bytes_to_int(byte[] bytes, int offset) {
|
|
int[] value = new int[BITVEC_NWORDS];
|
|
int byteptr = offset;
|
|
for (int i = 0; i < BITVEC_NWORDS; i++) {
|
|
value[i] = ((bytes[byteptr++] & 0xff)) | ((bytes[byteptr++] & 0xff) << 8) | ((bytes[byteptr++] & 0xff) << 16) | ((bytes[byteptr++] & 0xff) << 24);
|
|
}
|
|
return value;
|
|
}
|
|
|
|
// helper needed for C->Java conversion (Java cant cast pointers)
|
|
static void ints_to_bytes(byte[] bytes, int[] ints, int offset) {
|
|
int byteptr = offset;
|
|
for (int i = 0; i < BITVEC_NWORDS; i++) {
|
|
bytes[byteptr++] = (byte) (ints[i] & 0x000000ff);
|
|
bytes[byteptr++] = (byte) ((ints[i] & 0x0000ff00) >> 8);
|
|
bytes[byteptr++] = (byte) ((ints[i] & 0x00ff0000) >> 16);
|
|
bytes[byteptr++] = (byte) ((ints[i] & 0xff000000) >> 24);
|
|
}
|
|
}
|
|
|
|
/*************************************************************************************************/
|
|
/*
|
|
* Elliptic Curve Diffie-Hellman key exchange protocol.
|
|
*/
|
|
|
|
/*************************************************************************************************/
|
|
|
|
/* NOTE: private should contain random data a-priori! */
|
|
static boolean ecdh_generate_keys(byte[] public_key, byte[] private_key) {
|
|
int[] private_key_int32 = bytes_to_int(private_key, 0);
|
|
int[] public_key_int32_1 = bytes_to_int(public_key, 0);
|
|
int[] public_key_int32_2 = bytes_to_int(public_key, BITVEC_NBYTES);
|
|
/* Get copy of "base" point 'G' */
|
|
gf2point_copy(public_key_int32_1, public_key_int32_2, base_x, base_y);
|
|
|
|
/* Abort key generation if random number is too small */
|
|
if (bitvec_degree(private_key_int32) < (CURVE_DEGREE / 2)) {
|
|
return false;
|
|
} else {
|
|
/* Clear bits > CURVE_DEGREE in highest word to satisfy constraint 1 <= exp < n. */
|
|
int nbits = bitvec_degree(base_order);
|
|
int i;
|
|
|
|
for (i = (nbits - 1); i < (BITVEC_NWORDS * 32); ++i) {
|
|
bitvec_clr_bit(private_key_int32, i);
|
|
}
|
|
|
|
/* Multiply base-point with scalar (private-key) */
|
|
gf2point_mul(public_key_int32_1, public_key_int32_2, private_key_int32);
|
|
|
|
ints_to_bytes(public_key, public_key_int32_1, 0);
|
|
ints_to_bytes(public_key, public_key_int32_2, BITVEC_NBYTES);
|
|
|
|
return true;
|
|
}
|
|
}
|
|
|
|
static boolean ecdh_shared_secret(byte[] private_key, byte[] others_pub, byte[] output) {
|
|
int[] private_key_int32 = bytes_to_int(private_key, 0);
|
|
int[] others_pub_int32_1 = bytes_to_int(others_pub, 0);
|
|
int[] others_pub_int32_2 = bytes_to_int(others_pub, BITVEC_NBYTES);
|
|
|
|
/* Do some basic validation of other party's public key */
|
|
|
|
if (!gf2point_is_zero(others_pub_int32_1, others_pub_int32_2)
|
|
&& gf2point_on_curve(others_pub_int32_1, others_pub_int32_2)) {
|
|
/* Copy other side's public key to output */
|
|
int i;
|
|
for (i = 0; i < (BITVEC_NBYTES * 2); ++i) {
|
|
output[i] = others_pub[i];
|
|
}
|
|
|
|
/* Clear bits > CURVE_DEGREE in highest word to satisfy constraint 1 <= exp < n. */
|
|
int nbits = bitvec_degree(base_order);
|
|
|
|
for (i = (nbits - 1); i < (BITVEC_NWORDS * 32); ++i) {
|
|
bitvec_clr_bit(private_key_int32, i);
|
|
}
|
|
|
|
/* Multiply other side's public key with own private key */
|
|
int[] output_int32_1 = bytes_to_int(output, 0);
|
|
int[] output_int32_2 = bytes_to_int(output, BITVEC_NBYTES);
|
|
|
|
gf2point_mul(output_int32_1, output_int32_2, private_key_int32);
|
|
|
|
ints_to_bytes(output, output_int32_1, 0);
|
|
ints_to_bytes(output, output_int32_2, BITVEC_NBYTES);
|
|
|
|
return true;
|
|
} else {
|
|
return false;
|
|
}
|
|
}
|
|
|
|
// these are wrappers around the above C-style methods for Gadgetbridge to use
|
|
public static byte[] ecdh_generate_public(byte[] privateEC) {
|
|
byte[] pubKey = new byte[ECC_PUB_KEY_SIZE];
|
|
if (ecdh_generate_keys(pubKey, privateEC)) {
|
|
return pubKey;
|
|
}
|
|
return null;
|
|
}
|
|
|
|
public static byte[] ecdh_generate_shared(byte[] privateEC, byte[] remotePublicEC) {
|
|
byte[] sharedKey = new byte[ECC_PUB_KEY_SIZE];
|
|
if (ecdh_shared_secret(privateEC, remotePublicEC, sharedKey)) {
|
|
return sharedKey;
|
|
}
|
|
return null;
|
|
}
|
|
}
|