Refactor: Updated SHA256 implementation and secure channel improvements

doc/etcp_config.txt

@@ -5,6 +5,6 @@
 виртуальные сокеты - плохо т.к. используются ip/port для поиск подключения
 
 
-план:
 
-1. доработать тест чтобы после init соединения еще и посылал пакеты
+./configure --with-openssl    - openssl
+./configure --without-openssl - tinycrypt

lib/sha256.c

@@ -1,4 +1,4 @@
-/*********************************************************************
+/*********************************************************************
 * Filename:   sha256.c
 * Author:     Brad Conte (brad AT bradconte.com)
 * Copyright:
@@ -29,7 +29,7 @@
 #define SIG1(x) (ROTRIGHT(x,17) ^ ROTRIGHT(x,19) ^ ((x) >> 10))
 
 /**************************** VARIABLES *****************************/
-static const WORD k[64] = {
+static const uint32_t k[64] = {
 	0x428a2f98,0x71374491,0xb5c0fbcf,0xe9b5dba5,0x3956c25b,0x59f111f1,0x923f82a4,0xab1c5ed5,
 	0xd807aa98,0x12835b01,0x243185be,0x550c7dc3,0x72be5d74,0x80deb1fe,0x9bdc06a7,0xc19bf174,
 	0xe49b69c1,0xefbe4786,0x0fc19dc6,0x240ca1cc,0x2de92c6f,0x4a7484aa,0x5cb0a9dc,0x76f988da,
@@ -41,9 +41,9 @@ static const WORD k[64] = {
 };
 
 /*********************** FUNCTION DEFINITIONS ***********************/
-void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
+static void sc_sha256_transform(SC_SHA256_CTX *ctx, const uint8_t data[])
 {
-	WORD a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
+	uint32_t a, b, c, d, e, f, g, h, i, j, t1, t2, m[64];
 
 	for (i = 0, j = 0; i < 16; ++i, j += 4)
 		m[i] = (data[j] << 24) | (data[j + 1] << 16) | (data[j + 2] << 8) | (data[j + 3]);
@@ -82,7 +82,7 @@ void sha256_transform(SHA256_CTX *ctx, const BYTE data[])
 	ctx->state[7] += h;
 }
 
-void sha256_init(SHA256_CTX *ctx)
+void sc_sha256_init(SC_SHA256_CTX *ctx)
 {
 	ctx->datalen = 0;
 	ctx->bitlen = 0;
@@ -96,24 +96,24 @@ void sha256_init(SHA256_CTX *ctx)
 	ctx->state[7] = 0x5be0cd19;
 }
 
-void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len)
+void sc_sha256_update(SC_SHA256_CTX *ctx, const uint8_t data[], size_t len)
 {
-	WORD i;
+	uint32_t i;
 
 	for (i = 0; i < len; ++i) {
 		ctx->data[ctx->datalen] = data[i];
 		ctx->datalen++;
 		if (ctx->datalen == 64) {
-			sha256_transform(ctx, ctx->data);
+			sc_sha256_transform(ctx, ctx->data);
 			ctx->bitlen += 512;
 			ctx->datalen = 0;
 		}
 	}
 }
 
-void sha256_final(SHA256_CTX *ctx, BYTE hash[])
+void sc_sha256_final(SC_SHA256_CTX *ctx, uint8_t hash[])
 {
-	WORD i;
+	uint32_t i;
 
 	i = ctx->datalen;
 
@@ -127,7 +127,7 @@ void sha256_final(SHA256_CTX *ctx, BYTE hash[])
 		ctx->data[i++] = 0x80;
 		while (i < 64)
 			ctx->data[i++] = 0x00;
-		sha256_transform(ctx, ctx->data);
+		sc_sha256_transform(ctx, ctx->data);
 		memset(ctx->data, 0, 56);
 	}
 
@@ -141,7 +141,7 @@ void sha256_final(SHA256_CTX *ctx, BYTE hash[])
 	ctx->data[58] = ctx->bitlen >> 40;
 	ctx->data[57] = ctx->bitlen >> 48;
 	ctx->data[56] = ctx->bitlen >> 56;
-	sha256_transform(ctx, ctx->data);
+	sc_sha256_transform(ctx, ctx->data);
 
 	// Since this implementation uses little endian byte ordering and SHA uses big endian,
 	// reverse all the bytes when copying the final state to the output hash.

lib/sha256.h

@@ -1,4 +1,4 @@
-/*********************************************************************
+/*********************************************************************
 * Filename:   sha256.h
 * Author:     Brad Conte (brad AT bradconte.com)
 * Copyright:
@@ -6,29 +6,27 @@
 * Details:    Defines the API for the corresponding SHA1 implementation.
 *********************************************************************/
 
-#ifndef SHA256_H
-#define SHA256_H
+#ifndef SC_SHA256_H
+#define SC_SHA256_H
 
 /*************************** HEADER FILES ***************************/
 #include <stddef.h>
+#include <stdint.h>
 
 /****************************** MACROS ******************************/
-#define SHA256_BLOCK_SIZE 32            // SHA256 outputs a 32 byte digest
+#define SC_SHA256_BLOCK_SIZE 32            // SHA256 outputs a 32 byte digest
 
 /**************************** DATA TYPES ****************************/
-typedef unsigned char BYTE;             // 8-bit byte
-typedef unsigned int  WORD;             // 32-bit word, change to "long" for 16-bit machines
-
 typedef struct {
-	BYTE data[64];
-	WORD datalen;
+	uint8_t data[64];
+	uint32_t datalen;
 	unsigned long long bitlen;
-	WORD state[8];
-} SHA256_CTX;
+	uint32_t state[8];
+} SC_SHA256_CTX;
 
 /*********************** FUNCTION DECLARATIONS **********************/
-void sha256_init(SHA256_CTX *ctx);
-void sha256_update(SHA256_CTX *ctx, const BYTE data[], size_t len);
-void sha256_final(SHA256_CTX *ctx, BYTE hash[]);
+void sc_sha256_init(SC_SHA256_CTX *ctx);
+void sc_sha256_update(SC_SHA256_CTX *ctx, const uint8_t data[], size_t len);
+void sc_sha256_final(SC_SHA256_CTX *ctx, uint8_t hash[]);
 
-#endif   // SHA256_H
+#endif   // SC_SHA256_H

src/etcp_connections.c

@@ -75,6 +75,8 @@ static void etcp_link_send_init(struct ETCP_LINK* link) {
     dgram->data[offset++] = link->local_link_id;
 
     memcpy(dgram->data + offset, link->etcp->instance->my_keys.public_key, SC_PUBKEY_SIZE);
+    // Шифруем public_key inplace используя собственный ключ
+    sc_sha_transcode(link->etcp->crypto_ctx.peer_public_key, SC_PUBKEY_SIZE, dgram->data + offset, SC_PUBKEY_SIZE);
     dgram->data_len = offset + SC_PUBKEY_SIZE;
     
     DEBUG_INFO(DEBUG_CATEGORY_CONNECTION, "Sending INIT request to link, node_id=%llu, retry=%d", (unsigned long long)node_id, link->init_retry_count);
@@ -589,6 +591,9 @@ static void etcp_connections_read_callback(int fd, void* arg) {
 //        printf("[ETCP DEBUG] Last 64 bytes of packet (PUBKEY): ");
 //        for (int i=0; i<SC_PUBKEY_SIZE; i++) DEBUG_INFO(DEBUG_CATEGORY_CRYPTO, "%02x ", data[recv_len-SC_PUBKEY_SIZE+i]);
         
+        // Расшифровываем public_key inplace используя собственный ключ
+        sc_sha_transcode(e_sock->instance->my_keys.public_key, SC_PUBKEY_SIZE, data + recv_len - SC_PUBKEY_SIZE, SC_PUBKEY_SIZE);
+        
         if (sc_set_peer_public_key(&sc, &data[recv_len-SC_PUBKEY_SIZE], SC_PEER_PUBKEY_BIN)!=SC_OK) { 
             DEBUG_ERROR(DEBUG_CATEGORY_CRYPTO, "etcp_connections_read_callback: failed to set peer public key during init");
             errorcode=2; 

src/secure_channel.c

@@ -14,6 +14,7 @@
 #include <stdio.h>
 #include <fcntl.h>
 #include "crc32.h"
+#include "../lib/sha256.h"
 
 // To switch between implementations, define USE_OPENSSL before including/compiling.
 // If USE_OPENSSL is defined, use OpenSSL; otherwise, use TinyCrypt (original logic).
@@ -803,3 +804,22 @@ sc_status_t sc_compute_public_key_from_private(const uint8_t *private_key, uint8
 }
 
 #endif
+
+sc_status_t sc_sha_transcode(const uint8_t *key, size_t key_len, uint8_t *data, size_t data_len) {
+    if (!key || !data || key_len == 0 || data_len == 0) {
+        return SC_ERR_INVALID_ARG;
+    }
+    
+    uint8_t sha_hash[SC_SHA256_BLOCK_SIZE];
+    SC_SHA256_CTX ctx;
+    
+    sc_sha256_init(&ctx);
+    sc_sha256_update(&ctx, key, key_len);
+    sc_sha256_final(&ctx, sha_hash);
+    
+    for (size_t i = 0; i < data_len; i++) {
+        data[i] ^= sha_hash[i % SC_SHA256_BLOCK_SIZE];
+    }
+    
+    return SC_OK;
+}

src/secure_channel.h

@@ -65,4 +65,7 @@ sc_status_t sc_compute_public_key_from_private(const uint8_t *private_key, uint8
 sc_status_t sc_encrypt(sc_context_t *ctx, const uint8_t *plaintext,  size_t plaintext_len,  uint8_t *ciphertext, size_t *ciphertext_len);
 sc_status_t sc_decrypt(sc_context_t *ctx, const uint8_t *ciphertext, size_t ciphertext_len, uint8_t *plaintext,  size_t *plaintext_len);
 
+// SHA256-based transcode: XOR data with SHA256(key)
+sc_status_t sc_sha_transcode(const uint8_t *key, size_t key_len, uint8_t *data, size_t data_len);
+
 #endif // SECURE_CHANNEL_H