nip44: add encrypt

we're not using this here, but i needed this for creating
giftwrap test cases in nostril

Signed-off-by: William Casarin <[email protected]>

Author: jb55

src/nip44.c

@@ -384,7 +384,24 @@ nip44_decrypt(void *secp,
 }
 
 /* Encryption */
-int nip44_encrypt() {
+enum ndb_decrypt_result
+nip44_encrypt(void *secp, const unsigned char *sender_seckey,
+	      const unsigned char *receiver_pubkey,
+	      const unsigned char *plaintext, uint16_t plaintext_size,
+	      unsigned char *buf, size_t bufsize,
+	      char **out, ssize_t *out_len)
+{
+	int rc;
+	struct cursor cursor;
+	struct hmac_sha256 auth, conversation_key;
+	unsigned char shared_secret[32];
+	unsigned char nonce[32];
+	unsigned char *ciphertext;
+	struct message_keys keys;
+	uint16_t ciphertext_len;
+	
+	make_cursor(buf, buf+bufsize, &cursor);
+
 	/* 
 	1. Calculate a conversation key
 	   - Execute ECDH (scalar multiplication) of public key B by private
@@ -399,14 +416,22 @@ int nip44_encrypt() {
 	   - It is always the same, when key roles are swapped:
 	     `conv(a, B) == conv(b, A)`
 	*/
+	if ((rc = calculate_shared_secret(secp, sender_seckey,
+					  receiver_pubkey, shared_secret))) {
+		return rc;
+	}
 
+	hmac_sha256(&conversation_key, "nip44-v2", 8, shared_secret, 32);
 	/*
 	2. Generate a random 32-byte nonce
 	   - Always use CSPRNG
 	   - Don't generate a nonce from message content
 	   - Don't re-use the same nonce between messages: doing so would make
 	     them decryptable, but won't leak the long-term key
 	*/
+	if (!fill_random(nonce, sizeof(nonce))) {
+		return NIP44_ERR_FILL_RANDOM_FAILED;
+	}
 
 	/*
 	3. Calculate message keys
@@ -417,6 +442,9 @@ int nip44_encrypt() {
 	   - Slice 76-byte HKDF output into: `chacha_key` (bytes 0..32),
 	     `chacha_nonce` (bytes 32..44), `hmac_key` (bytes 44..76)
 	*/
+	hkdf_expand(&keys, sizeof(keys),
+		    &conversation_key, sizeof(conversation_key),
+		    nonce, 32);
 
 	/*
 	4. Add padding
@@ -428,11 +456,31 @@ int nip44_encrypt() {
 	   - Plaintext length is encoded in big-endian as first 2 bytes of the
 	     padded blob
 	*/
+	if (!cursor_push_byte(&cursor, 0x02))
+		return NIP44_ERR_BUFFER_TOO_SMALL;
+	if (!cursor_push(&cursor, nonce, 32))
+		return NIP44_ERR_BUFFER_TOO_SMALL;
+
+	ciphertext = cursor.p;
+
+	if (!cursor_push_b16(&cursor, plaintext_size))
+		return NIP44_ERR_BUFFER_TOO_SMALL;
+	if (!cursor_push(&cursor, (unsigned char*)plaintext, plaintext_size))
+		return NIP44_ERR_BUFFER_TOO_SMALL;
+	if (!cursor_memset(&cursor, 0, calc_padded_len(plaintext_size) - plaintext_size))
+		return NIP44_ERR_BUFFER_TOO_SMALL;
+
+	ciphertext_len = cursor.p - ciphertext;
+	printf("plaintext_size %d ciphertext '%.*s'\n", plaintext_size,
+			plaintext_size, plaintext);
 
 	/*
 	5. Encrypt padded content
 	   - Use ChaCha20, with key and nonce from step 3
 	*/
+	crypto_stream_chacha20_ietf_xor_ic(ciphertext, ciphertext,
+					   ciphertext_len, keys.nonce, 0,
+					   keys.key);
 
 	/*
 	6. Calculate MAC (message authentication code)
@@ -442,11 +490,23 @@ int nip44_encrypt() {
 
 	   - Validate that AAD (nonce) is 32 bytes
 	*/
+	hmac_aad(&auth, keys.auth, nonce, ciphertext, ciphertext_len);
+
+	if (!cursor_push(&cursor, auth.sha.u.u8, 32))
+		return NIP44_ERR_BUFFER_TOO_SMALL;
 
 	/*
 	7. Base64-encode (with padding) params using `concat(version, nonce,
 	ciphertext, mac)`
 	*/
-	return 0;
+	*out = (char*)cursor.p;
+	*out_len = base64_encode((char*)cursor.p,
+				 cursor_remaining_capacity(&cursor),
+				 (const char*)cursor.start,
+				 cursor.p - cursor.start);
+
+	if (*out_len == -1)
+		return NIP44_ERR_BUFFER_TOO_SMALL;
+	return NIP44_OK;
 }
 

src/nip44.h

@@ -33,6 +33,13 @@ nip44_decrypt(void *secp_context,
 	      unsigned char *buf, size_t bufsize,
 	      unsigned char **decrypted, uint16_t *decrypted_len);
 
+enum ndb_decrypt_result
+nip44_encrypt(void *secp, const unsigned char *sender_seckey,
+	      const unsigned char *receiver_pubkey,
+	      const unsigned char *plaintext, uint16_t plaintext_size,
+	      unsigned char *buf, size_t bufsize,
+	      char **out, ssize_t *out_len);
+
 enum ndb_decrypt_result
 nip44_decrypt_raw(void *secp,
 	      const unsigned char *sender_pubkey,

test.c

@@ -285,6 +285,65 @@ static void test_nip44_decrypt()
 	secp256k1_context_destroy(context);
 }
 
+static void test_nip44_round_trip()
+{
+	static const unsigned char send_sec[32] = {
+		0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 
+	};
+	static const unsigned char recv_sec[32] = {
+		0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2 
+	};
+	static const unsigned char send_pub[32] = {
+		0x79, 0xbe, 0x66, 0x7e, 0xf9, 0xdc, 0xbb, 0xac, 0x55, 0xa0,
+		0x62, 0x95, 0xce, 0x87, 0x0b, 0x07, 0x02, 0x9b, 0xfc, 0xdb,
+		0x2d, 0xce, 0x28, 0xd9, 0x59, 0xf2, 0x81, 0x5b, 0x16, 0xf8,
+		0x17, 0x98
+	};
+	static const unsigned char recv_pub[32] = {
+		0xc6, 0x04, 0x7f, 0x94, 0x41, 0xed, 0x7d, 0x6d, 0x30, 0x45,
+		0x40, 0x6e, 0x95, 0xc0, 0x7c, 0xd8, 0x5c, 0x77, 0x8e, 0x4b,
+		0x8c, 0xef, 0x3c, 0xa7, 0xab, 0xac, 0x09, 0xb9, 0x5c, 0x70,
+		0x9e, 0xe5
+	};
+	static const char plaintext[] = "hello, world";
+
+	unsigned char buf[1024];
+	unsigned char buf2[1024];
+	char *out, *plaintext_out;
+	ssize_t out_len;
+	int ok;
+	uint16_t plaintext_len;
+	secp256k1_context *context;
+
+
+	context = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
+
+	ok = nip44_encrypt(context, send_sec, recv_pub,
+			   (const unsigned char *)plaintext, sizeof(plaintext)-1,
+			   buf, sizeof(buf), &out, &out_len);
+
+	if (ok != NIP44_OK)
+		printf("nip44 encrypt err: %s\n", nip44_err_msg(ok));
+	assert(ok == NIP44_OK);
+	printf("encrypted '%.*s' out_len: %ld\n", (int)out_len, out, out_len);
+
+	ok = nip44_decrypt(context, send_pub, recv_sec,
+			   out, out_len,
+			   buf2, sizeof(buf2),
+			   (unsigned char**)&plaintext_out, &plaintext_len);
+
+	if (ok != NIP44_OK)
+		printf("nip44 decrypt err: %s\n", nip44_err_msg(ok));
+	assert(ok == NIP44_OK);
+	printf("plaintext_len %d, sizeof plaintext(%ld)\n", plaintext_len, sizeof(plaintext));
+	assert(plaintext_len == sizeof(plaintext)-1);
+
+
+	assert(!strcmp(plaintext, plaintext_out));
+
+	secp256k1_context_destroy(context);
+}
+
 static void test_giftwrap_unwrap()
 {
 	/*
@@ -2393,6 +2452,7 @@ void test_replay_attack() {
 int main(int argc, const char *argv[]) {
 	delete_test_db();
 
+	test_nip44_round_trip();
 	test_nip44_test_vector();
 	test_nip44_decrypt();
 	test_replay_attack();