From f6b864d4e70192ce780c3487b200506dec64f275 Mon Sep 17 00:00:00 2001 From: "Jason A. Donenfeld" Date: Tue, 8 Aug 2017 18:22:41 +0200 Subject: Constant time base64 Signed-off-by: Jason A. Donenfeld --- .../java/com/wireguard/crypto/KeyEncoding.java | 75 ++++++++++++++++++++++ .../main/java/com/wireguard/crypto/Keypair.java | 24 ++----- 2 files changed, 80 insertions(+), 19 deletions(-) create mode 100644 app/src/main/java/com/wireguard/crypto/KeyEncoding.java (limited to 'app/src/main/java/com/wireguard/crypto') diff --git a/app/src/main/java/com/wireguard/crypto/KeyEncoding.java b/app/src/main/java/com/wireguard/crypto/KeyEncoding.java new file mode 100644 index 00000000..c62657cb --- /dev/null +++ b/app/src/main/java/com/wireguard/crypto/KeyEncoding.java @@ -0,0 +1,75 @@ +/* Copyright (C) 2015-2017 Jason A. Donenfeld . All Rights Reserved. + * + * This is a specialized constant-time base64 implementation that resists side-channel attacks. + */ + +package com.wireguard.crypto; + +public class KeyEncoding { + public static final int WG_KEY_LEN = 32; + public static final int WG_KEY_LEN_BASE64 = 44; + + private static void encodeBase64(char dest[], final int dest_offset, final byte src[], final int src_offset) { + final byte input[] = { (byte)((src[0 + src_offset] >>> 2) & 63), + (byte)(((src[0 + src_offset] << 4) | ((src[1 + src_offset] & 0xff) >>> 4)) & 63), + (byte)(((src[1 + src_offset] << 2) | ((src[2 + src_offset] & 0xff) >>> 6)) & 63), + (byte)(src[2 + src_offset] & 63) }; + for (int i = 0; i < 4; ++i) + dest[i + dest_offset] = (char)(input[i] + 'A' + + (((25 - input[i]) >>> 8) & 6) + - (((51 - input[i]) >>> 8) & 75) + - (((61 - input[i]) >>> 8) & 15) + + (((62 - input[i]) >>> 8) & 3)); + } + + public static String keyToBase64(final byte key[]) { + if (key.length != WG_KEY_LEN) + throw new IllegalArgumentException("WireGuard keys must be 32 bytes"); + final char base64[] = new char[WG_KEY_LEN_BASE64]; + int i; + for (i = 0; i < WG_KEY_LEN / 3; ++i) + encodeBase64(base64, i * 4, key, i * 3); + final byte endSegment[] = { key[i * 3 + 0], key[i * 3 + 1], 0 }; + encodeBase64(base64, i * 4, endSegment, 0); + base64[WG_KEY_LEN_BASE64 - 1] = '='; + return new String(base64); + } + + private static int decodeBase64(final char src[], int src_offset) { + int val = 0; + for (int i = 0; i < 4; ++i) + val |= (-1 + + ((((('A' - 1) - src[i + src_offset]) & (src[i + src_offset] - ('Z' + 1))) >>> 8) & (src[i + src_offset] - 64)) + + ((((('a' - 1) - src[i + src_offset]) & (src[i + src_offset] - ('z' + 1))) >>> 8) & (src[i + src_offset] - 70)) + + ((((('0' - 1) - src[i + src_offset]) & (src[i + src_offset] - ('9' + 1))) >>> 8) & (src[i + src_offset] + 5)) + + ((((('+' - 1) - src[i + src_offset]) & (src[i + src_offset] - ('+' + 1))) >>> 8) & 63) + + ((((('/' - 1) - src[i + src_offset]) & (src[i + src_offset] - ('/' + 1))) >>> 8) & 64) + ) << (18 - 6 * i); + return val; + } + + public static byte[] keyFromBase64(final String input) { + final char base64[] = input.toCharArray(); + if (base64.length != WG_KEY_LEN_BASE64 || base64[WG_KEY_LEN_BASE64 - 1] != '=') + throw new IllegalArgumentException("WireGuard base64 keys must be 44 characters encoding 32 bytes"); + final byte key[] = new byte[WG_KEY_LEN]; + int i; + int val; + + for (i = 0; i < WG_KEY_LEN / 3; ++i) { + val = decodeBase64(base64, i * 4); + if (val < 0) + throw new IllegalArgumentException("WireGuard base64 keys must be 44 characters encoding 32 bytes"); + key[i * 3 + 0] = (byte)((val >>> 16) & 0xff); + key[i * 3 + 1] = (byte)((val >>> 8) & 0xff); + key[i * 3 + 2] = (byte)(val & 0xff); + } + final char endSegment[] = { base64[i * 4 + 0], base64[i * 4 + 1], base64[i * 4 + 2], 'A' }; + val = decodeBase64(endSegment, 0); + if (val < 0 || (val & 0xff) != 0) + throw new IllegalArgumentException("WireGuard base64 keys must be 44 characters encoding 32 bytes"); + key[i * 3 + 0] = (byte)((val >>> 16) & 0xff); + key[i * 3 + 1] = (byte)((val >>> 8) & 0xff); + return key; + } +} diff --git a/app/src/main/java/com/wireguard/crypto/Keypair.java b/app/src/main/java/com/wireguard/crypto/Keypair.java index ef2a4b31..f98b5e21 100644 --- a/app/src/main/java/com/wireguard/crypto/Keypair.java +++ b/app/src/main/java/com/wireguard/crypto/Keypair.java @@ -9,12 +9,9 @@ import java.security.SecureRandom; */ public class Keypair { - private static final int KEY_LENGTH = 32; - public static final int KEY_STRING_LENGTH = 44; - private static byte[] generatePrivateKey() { final SecureRandom secureRandom = new SecureRandom(); - final byte privateKey[] = new byte[KEY_LENGTH]; + final byte privateKey[] = new byte[KeyEncoding.WG_KEY_LEN]; secureRandom.nextBytes(privateKey); privateKey[0] &= 248; privateKey[31] &= 127; @@ -23,22 +20,11 @@ public class Keypair { } private static byte[] generatePublicKey(byte privateKey[]) { - final byte publicKey[] = new byte[KEY_LENGTH]; + final byte publicKey[] = new byte[KeyEncoding.WG_KEY_LEN]; Curve25519.eval(publicKey, 0, privateKey, null); return publicKey; } - private static byte[] parseKey(String key) { - final byte keyBytes[] = Base64.decode(key, Base64.NO_WRAP); - if (keyBytes.length != KEY_LENGTH) - throw new IndexOutOfBoundsException("Key is not the correct length"); - return keyBytes; - } - - private static String unParseKey(byte keyBytes[]) { - return Base64.encodeToString(keyBytes, Base64.NO_WRAP); - } - private final byte privateKey[]; private final byte publicKey[]; @@ -52,14 +38,14 @@ public class Keypair { } public Keypair(String privateKey) { - this(parseKey(privateKey)); + this(KeyEncoding.keyFromBase64(privateKey)); } public String getPrivateKey() { - return unParseKey(privateKey); + return KeyEncoding.keyToBase64(privateKey); } public String getPublicKey() { - return unParseKey(publicKey); + return KeyEncoding.keyToBase64(publicKey); } } -- cgit v1.2.3