virgil-crypto 2.3.0 → 3.6.2

data/ext/native/src/cmake/virgil_depends_local.cmake

@@ -78,6 +78,7 @@
 cmake_minimum_required(VERSION 3.10 FATAL_ERROR)
 
 include (CMakeParseArguments)
+include (TransitiveArgs)
 
 function (virgil_depends_log_error)
     message ("")
@@ -233,6 +234,7 @@ function (virgil_depends)
         "-G${CMAKE_GENERATOR}"
         "-C${VIRGIL_DEPENDS_CACHE_FILE}"
         "-C${VIRGIL_DEPENDS_ARGS_FILE}"
+        "-C${TRANSITIVE_ARGS_FILE}"
         "-DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}"
         "-DCMAKE_INSTALL_PREFIX=${VIRGIL_DEPENDS_PREFIX}"
         "-DCMAKE_TOOLCHAIN_FILE=${CMAKE_TOOLCHAIN_FILE}"

data/ext/native/src/lib/CMakeLists.txt

@@ -60,6 +60,7 @@ aux_source_directory ("src/internal" src)
 aux_source_directory ("src/primitive" src)
 aux_source_directory ("src/pfs" src)
 aux_source_directory ("src/stream" src)
+aux_source_directory ("src/pythia" src)
 
 aux_source_directory("${CMAKE_CURRENT_BINARY_DIR}/src" src)
 
@@ -90,15 +91,29 @@ target_include_directories (${PROJECT_NAME}
         "$<BUILD_INTERFACE:${CMAKE_CURRENT_BINARY_DIR}/include>"
         "$<INSTALL_INTERFACE:include>"
 )
-target_link_libraries (${PROJECT_NAME} mbedtls::mbedcrypto mbedtls::ed25519)
+
+target_link_libraries (${PROJECT_NAME} PUBLIC mbedtls::mbedcrypto mbedtls::ed25519)
+
 target_compile_definitions (${PROJECT_NAME}
     PUBLIC
         "VIRGIL_CRYPTO_FEATURE_STREAM_IMPL=$<BOOL:${VIRGIL_CRYPTO_FEATURE_STREAM_IMPL}>"
+        "VIRGIL_CRYPTO_FEATURE_PYTHIA=$<BOOL:${VIRGIL_CRYPTO_FEATURE_PYTHIA}>"
         "UCLIBC=$<BOOL:${UCLIBC}>"
     PRIVATE
         "FMT_HEADER_ONLY"
 )
 
+if (VIRGIL_CRYPTO_FEATURE_PYTHIA)
+    target_link_libraries (${PROJECT_NAME} PUBLIC pythia)
+
+    get_target_property (include_directories pythia INTERFACE_INCLUDE_DIRECTORIES)
+
+    foreach(include_dir ${include_directories})
+        target_include_directories (${PROJECT_NAME} PUBLIC "$<BUILD_INTERFACE:${include_dir}/pythia>")
+    endforeach(include_dir)
+endif ()
+
+
 # ---------------------------------------------------------------------------
 #   Apple specifc library configuration
 # ---------------------------------------------------------------------------
@@ -123,10 +138,43 @@ if (BUILD_LIBRARY_FRAMEWORK)
         )
     endforeach ()
 
+    if (VIRGIL_CRYPTO_FEATURE_PYTHIA)
+        find_file (pythia_buf_header_file_path
+                NAMES "pythia_buf.h" PATHS ${include_directories} PATH_SUFFIXES pythia
+                NO_DEFAULT_PATH NO_CMAKE_FIND_ROOT_PATH)
+
+        find_file (pythia_buf_sizes_header_file_path
+                NAMES "pythia_buf_sizes.h" PATHS ${include_directories} PATH_SUFFIXES pythia
+                NO_DEFAULT_PATH NO_CMAKE_FIND_ROOT_PATH)
+
+        if (NOT pythia_buf_header_file_path)
+            message (FATAL_ERROR "Header file 'pythia_buf.h' is not found within paths $${include_directories}")
+        endif ()
+
+        if (NOT pythia_buf_sizes_header_file_path)
+            message (FATAL_ERROR "Header file 'pythia_buf_sizes.h' is not found within paths $${include_directories}")
+        endif ()
+
+        target_sources (${PROJECT_NAME} PRIVATE "${pythia_buf_header_file_path}" "${pythia_buf_sizes_header_file_path}")
+
+        set_property (
+            SOURCE ${pythia_buf_header_file_path}
+            PROPERTY MACOSX_PACKAGE_LOCATION "Headers/pythia"
+        )
+
+        set_property (
+            SOURCE ${pythia_buf_sizes_header_file_path}
+            PROPERTY MACOSX_PACKAGE_LOCATION "Headers/pythia"
+        )
+
+
+    endif ()
+
     # Convert target to framework
     target_apple_framework (${PROJECT_NAME}
         NAME "VSCCrypto"
         IDENTIFIER "com.virgilsecurity.VSCCrypto"
+        MODULE_MAP "${CMAKE_CURRENT_LIST_DIR}/module.modulemap"
     )
 
 endif ()
@@ -178,6 +226,16 @@ if (INSTALL_CORE_LIBS)
         )
     endif ()
 
+    if (VIRGIL_CRYPTO_FEATURE_PYTHIA)
+        get_target_property (PYTHIA_INCLUDE_DIRECTORIES pythia INTERFACE_INCLUDE_DIRECTORIES)
+        foreach(pythia_install_dir ${PYTHIA_INCLUDE_DIRECTORIES})
+            install (
+                DIRECTORY "${pythia_install_dir}/pythia" DESTINATION "${INSTALL_INC_DIR_NAME}/virgil/crypto"
+                FILES_MATCHING PATTERN "*buf*"
+            )
+        endforeach()
+    endif ()
+
     if (INSTALL_EXT_LIBS)
         install (DIRECTORY "${VIRGIL_DEPENDS_PREFIX}/lib/" DESTINATION "${INSTALL_LIB_DIR_NAME}")
     endif (INSTALL_EXT_LIBS)

data/ext/native/src/lib/Doxyfile.in

@@ -38,7 +38,7 @@ PROJECT_NAME           = "Virgil Security Crypto library"
 # could be handy for archiving the generated documentation or if some version
 # control system is used.
 
-PROJECT_NUMBER         = @VIRGIL_VERSION@
+PROJECT_NUMBER         = @VIRGIL_VERSION_FULL_NAME@
 
 # Using the PROJECT_BRIEF tag one can provide an optional one line description
 # for a project that appears at the top of each page and should give viewer a

data/ext/native/src/lib/include/virgil/crypto/VirgilCrypto.h

@@ -99,3 +99,16 @@
     #include "stream/VirgilStreamDataSink.h"
     #include "stream/VirgilStreamDataSource.h"
 #endif /* VIRGIL_CRYPTO_FEATURE_STREAM_IMPL */
+
+#if VIRGIL_CRYPTO_FEATURE_PYTHIA
+    #include "pythia/pythia_buf.h"
+    #include "pythia/pythia_buf_sizes.h"
+    #include "pythia/virgil_pythia_c.h"
+    #include "pythia/VirgilPythia.h"
+    #include "pythia/VirgilPythiaBlindResult.h"
+    #include "pythia/VirgilPythiaContext.h"
+    #include "pythia/VirgilPythiaError.h"
+    #include "pythia/VirgilPythiaProveResult.h"
+    #include "pythia/VirgilPythiaTransformationKeyPair.h"
+    #include "pythia/VirgilPythiaTransformResult.h"
+#endif /* VIRGIL_CRYPTO_FEATURE_PYTHIA */

data/ext/native/src/lib/include/virgil/crypto/VirgilKeyPair.h

@@ -130,6 +130,36 @@ public:
             const VirgilByteArray& donorPrivateKeyPassword = VirgilByteArray(),
             const VirgilByteArray& newKeyPairPassword = VirgilByteArray());
 
+    /**
+     * @brief Generates private and public keys from the given key material.
+     *
+     * This is a deterministic key generation algorithm that allows create private key
+     * from any secret data, i.e. password.
+     *
+     * @param type - private key type to be generated.
+     * @param keyMaterial - the only data to be used for key generation, must be strong enough.
+     * @param pwd - private key password.
+     */
+    static VirgilKeyPair generateFromKeyMaterial(
+            VirgilKeyPair::Type type,
+            const VirgilByteArray& keyMaterial,
+            const VirgilByteArray& pwd = VirgilByteArray());
+    /**
+     * @brief Generates recommended private and public keys from the given key material.
+     *
+     * This is a deterministic key generation algorithm that allows create private key
+     * from any secret data, i.e. password.
+     *
+     * @param keyMaterial - the only data to be used for key generation, must be strong enough.
+     * @param pwd - private key password.
+     *
+     * @throw VirgilCryptoException with VirgilCryptoError::NotSecure,
+     *     if Key Material is weak.
+     */
+    static VirgilKeyPair generateRecommendedFromKeyMaterial(
+            const VirgilByteArray& keyMaterial,
+            const VirgilByteArray& pwd = VirgilByteArray());
+
     /**
      * @name Keys validation
      */

data/ext/native/src/lib/include/virgil/crypto/foundation/VirgilAsymmetricCipher.h

@@ -190,6 +190,23 @@ public:
      */
     void genKeyPairFrom(const VirgilAsymmetricCipher& other);
 
+    /**
+     * @brief Generates private and public keys from the given key material.
+     *
+     * This is a deterministic key generation algorithm that allows create private key
+     * from any secret data, i.e. password.
+     *
+     * @param type - keypair type.
+     * @param keyMaterial - the only data to be used for key generation, must be strong enough.
+     *
+     * @throw VirgilCryptoException with VirgilCryptoError::UnsupportedAlgorithm,
+     *     if key pair can't be generated with given type.
+     *
+     * @throw VirgilCryptoException with VirgilCryptoError::NotSecure,
+     *     if Key Material is weak.
+     */
+    void genKeyPairFromKeyMaterial(VirgilKeyPair::Type type, const VirgilByteArray& keyMaterial);
+
     /**
      * @brief Compute shared secret key on a given contexts.
      *

data/ext/native/src/lib/include/virgil/crypto/pythia/VirgilPythia.h

@@ -0,0 +1,181 @@
+/**
+ * Copyright (C) 2015-2018 Virgil Security Inc.
+ *
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     (1) Redistributions of source code must retain the above copyright
+ *     notice, this list of conditions and the following disclaimer.
+ *
+ *     (2) Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in
+ *     the documentation and/or other materials provided with the
+ *     distribution.
+ *
+ *     (3) Neither the name of the copyright holder nor the names of its
+ *     contributors may be used to endorse or promote products derived from
+ *     this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ''AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ * DISCLAIMED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT,
+ * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+ * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING
+ * IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ *
+ * Lead Maintainer: Virgil Security Inc. <support@virgilsecurity.com>
+ */
+
+#ifndef virgilPythiaH
+#define virgilPythiaH
+
+#include "../VirgilByteArray.h"
+#include "VirgilPythiaBlindResult.h"
+#include "VirgilPythiaContext.h"
+#include "VirgilPythiaTransformationKeyPair.h"
+#include "VirgilPythiaProveResult.h"
+#include "VirgilPythiaTransformResult.h"
+
+namespace virgil {
+namespace crypto {
+namespace pythia {
+
+/**
+ * @brief This class provides PYTHIA cryptographic functions and primitives.
+ *
+ * PYTHIA is a verifiable, cryptographic protocol that hardens passwords
+ * with the help of a remote service.
+ *
+ * @ingroup pythia
+ */
+class VirgilPythia {
+public:
+
+    /**
+     * @brief Blinds password.
+     *
+     * Turns password into a pseudo-random string.
+     * This step is necessary to prevent 3rd-parties from knowledge of end user's password.
+     *
+     * @param password - end user's password.
+     * @return VirgilPythiaBlindResult
+     */
+    VirgilPythiaBlindResult blind(const VirgilByteArray& password);
+
+    /**
+     * @brief Deblinds transformedPassword value with previously returned blindingSecret from blind().
+     *
+     * @param transformedPassword - GT transformed password from transform().
+     * @param blindingSecret - BN value that was generated in blind().
+     *
+     * @return Deblinded transformedPassword value.
+     *         This value is not equal to password and is zero-knowledge protected.
+     */
+    VirgilByteArray
+    deblind(const VirgilByteArray& transformedPassword, const VirgilByteArray& blindingSecret);
+
+    /**
+     * @brief Computes transformation private and public key.
+     *
+     * @param transformationKeyID - ensemble key ID used to enclose operations in subsets.
+     * @param pythiaSecret - global common for all secret random Key.
+     * @param pythiaScopeSecret - ensemble secret generated and versioned transparently.
+     *
+     * @return VirgilPythiaTransformationKeyPair
+     */
+    VirgilPythiaTransformationKeyPair
+    computeTransformationKeyPair(const VirgilByteArray& transformationKeyID, const VirgilByteArray& pythiaSecret,
+                                 const VirgilByteArray& pythiaScopeSecret);
+
+    /**
+     * @brief Transforms blinded password using the private key, generated from pythiaSecret + pythiaScopeSecret.
+     *
+     * @param blindedPassword - G1 password obfuscated into a pseudo-random string.
+     * @param tweak - some random value used to identify user
+     * @param transformationPrivateKey - BN transformation private key.
+     *
+     * @return VirgilPythiaTransformResult
+     */
+    VirgilPythiaTransformResult transform(
+            const VirgilByteArray& blindedPassword, const VirgilByteArray& tweak,
+            const VirgilByteArray& transformationPrivateKey);
+
+    /**
+     * @brief Generates proof that server possesses secret values that were used to transform password.
+     *
+     * @param transformedPassword - GT transformed password from transform()
+     * @param blindedPassword - G1 blinded password from blind().
+     * @param transformedTweak - G2 transformed tweak from transform().
+     * @param transformationKeyPair - transformation key pair.
+     *
+     * @return VirgilPythiaProveResult
+     */
+    VirgilPythiaProveResult
+    prove(const VirgilByteArray& transformedPassword, const VirgilByteArray& blindedPassword,
+          const VirgilByteArray& transformedTweak, const VirgilPythiaTransformationKeyPair& transformationKeyPair);
+
+    /**
+     * @brief Verifies the output of transform().
+     *
+     * This operation allows client to verify that the output of transform() is correct,
+     * assuming that client has previously stored tweak.
+     *
+     * @param transformedPassword - GT transformed password from transform()
+     * @param blindedPassword - G1 blinded password from blind().
+     * @param tweak - tweak from transform()
+     * @param transformationPublicKey - G1 transformation public key
+     * @param proofValueC - BN proof value C from prove()
+     * @param proofValueU - BN proof value U from prove()
+     *
+     * @return true if output of transform() is correct, false - otherwise.
+     */
+    bool
+    verify(const VirgilByteArray& transformedPassword, const VirgilByteArray& blindedPassword,
+           const VirgilByteArray& tweak, const VirgilByteArray& transformationPublicKey,
+           const VirgilByteArray& proofValueC, const VirgilByteArray& proofValueU);
+
+    /**
+     * @brief Computes update token.
+     *
+     * Computes update token which allows update deblindedPassword when rotating transformation private key
+     * This action should increment version of pythiaScopeSecret.
+     *
+     * @param previousTransformationPrivateKey - transformation private key
+     * @param newTransformationPrivateKey - new transformation private key
+     *
+     * @return VirgilBteArray
+     */
+    VirgilByteArray getPasswordUpdateToken(
+            const VirgilByteArray& previousTransformationPrivateKey,
+            const VirgilByteArray& newTransformationPrivateKey);
+
+    /**
+     * @brief Updates previously stored deblindedPassword with passwordUpdateToken.
+     *
+     * After this call, transform() called with new arguments will return corresponding values.
+     *
+     * @param deblindedPassword - GT previous deblinded password from deblind().
+     * @param passwordUpdateToken - BN password update token from getPasswordUpdateToken().
+     *
+     * @return New deblinded password.
+     */
+    VirgilByteArray updateDeblindedWithToken(
+            const VirgilByteArray& deblindedPassword, const VirgilByteArray& passwordUpdateToken);
+
+private:
+    VirgilPythiaContext pythiaContext;
+};
+
+} // namespace pythia
+} // namespace crypto
+} // namespace virgil
+
+#endif /* virgilPythiaH */