Line data Source code
1 : /* ecdh.c - ECDH public key operations used in public key glue code
2 : * Copyright (C) 2010, 2011 Free Software Foundation, Inc.
3 : *
4 : * This file is part of GnuPG.
5 : *
6 : * GnuPG is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU General Public License as published by
8 : * the Free Software Foundation; either version 3 of the License, or
9 : * (at your option) any later version.
10 : *
11 : * GnuPG is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU General Public License
17 : * along with this program; if not, see <https://www.gnu.org/licenses/>.
18 : */
19 :
20 : #include <config.h>
21 : #include <stdio.h>
22 : #include <stdlib.h>
23 : #include <string.h>
24 : #include <errno.h>
25 :
26 : #include "gpg.h"
27 : #include "util.h"
28 : #include "pkglue.h"
29 : #include "main.h"
30 : #include "options.h"
31 :
32 : /* A table with the default KEK parameters used by GnuPG. */
33 : static const struct
34 : {
35 : unsigned int qbits;
36 : int openpgp_hash_id; /* KEK digest algorithm. */
37 : int openpgp_cipher_id; /* KEK cipher algorithm. */
38 : } kek_params_table[] =
39 : /* Note: Must be sorted by ascending values for QBITS. */
40 : {
41 : { 256, DIGEST_ALGO_SHA256, CIPHER_ALGO_AES },
42 : { 384, DIGEST_ALGO_SHA384, CIPHER_ALGO_AES256 },
43 :
44 : /* Note: 528 is 521 rounded to the 8 bit boundary */
45 : { 528, DIGEST_ALGO_SHA512, CIPHER_ALGO_AES256 }
46 : };
47 :
48 :
49 :
50 : /* Return KEK parameters as an opaque MPI The caller must free the
51 : returned value. Returns NULL and sets ERRNO on error. */
52 : gcry_mpi_t
53 0 : pk_ecdh_default_params (unsigned int qbits)
54 : {
55 : byte *kek_params;
56 : int i;
57 :
58 0 : kek_params = xtrymalloc (4);
59 0 : if (!kek_params)
60 0 : return NULL;
61 0 : kek_params[0] = 3; /* Number of bytes to follow. */
62 0 : kek_params[1] = 1; /* Version for KDF+AESWRAP. */
63 :
64 : /* Search for matching KEK parameter. Defaults to the strongest
65 : possible choices. Performance is not an issue here, only
66 : interoperability. */
67 0 : for (i=0; i < DIM (kek_params_table); i++)
68 : {
69 0 : if (kek_params_table[i].qbits >= qbits
70 0 : || i+1 == DIM (kek_params_table))
71 : {
72 0 : kek_params[2] = kek_params_table[i].openpgp_hash_id;
73 0 : kek_params[3] = kek_params_table[i].openpgp_cipher_id;
74 0 : break;
75 : }
76 : }
77 0 : log_assert (i < DIM (kek_params_table));
78 0 : if (DBG_CRYPTO)
79 0 : log_printhex ("ECDH KEK params are", kek_params, sizeof(kek_params) );
80 :
81 0 : return gcry_mpi_set_opaque (NULL, kek_params, 4 * 8);
82 : }
83 :
84 :
85 : /* Encrypts/decrypts DATA using a key derived from the ECC shared
86 : point SHARED_MPI using the FIPS SP 800-56A compliant method
87 : key_derivation+key_wrapping. If IS_ENCRYPT is true the function
88 : encrypts; if false, it decrypts. PKEY is the public key and PK_FP
89 : the fingerprint of this public key. On success the result is
90 : stored at R_RESULT; on failure NULL is stored at R_RESULT and an
91 : error code returned. */
92 : gpg_error_t
93 48 : pk_ecdh_encrypt_with_shared_point (int is_encrypt, gcry_mpi_t shared_mpi,
94 : const byte pk_fp[MAX_FINGERPRINT_LEN],
95 : gcry_mpi_t data, gcry_mpi_t *pkey,
96 : gcry_mpi_t *r_result)
97 : {
98 : gpg_error_t err;
99 : byte *secret_x;
100 : int secret_x_size;
101 : unsigned int nbits;
102 : const unsigned char *kek_params;
103 : size_t kek_params_size;
104 : int kdf_hash_algo;
105 : int kdf_encr_algo;
106 : unsigned char message[256];
107 : size_t message_size;
108 :
109 48 : *r_result = NULL;
110 :
111 48 : nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
112 48 : if (!nbits)
113 0 : return gpg_error (GPG_ERR_TOO_SHORT);
114 :
115 : {
116 : size_t nbytes;
117 :
118 : /* Extract x component of the shared point: this is the actual
119 : shared secret. */
120 48 : nbytes = (mpi_get_nbits (pkey[1] /* public point */)+7)/8;
121 48 : secret_x = xtrymalloc_secure (nbytes);
122 48 : if (!secret_x)
123 0 : return gpg_error_from_syserror ();
124 :
125 48 : err = gcry_mpi_print (GCRYMPI_FMT_USG, secret_x, nbytes,
126 : &nbytes, shared_mpi);
127 48 : if (err)
128 : {
129 0 : xfree (secret_x);
130 0 : log_error ("ECDH ephemeral export of shared point failed: %s\n",
131 : gpg_strerror (err));
132 0 : return err;
133 : }
134 :
135 : /* Expected size of the x component */
136 48 : secret_x_size = (nbits+7)/8;
137 :
138 : /* Extract X from the result. It must be in the format of:
139 : 04 || X || Y
140 : 40 || X
141 : 41 || X
142 :
143 : Since it always comes with the prefix, it's larger than X. In
144 : old experimental version of libgcrypt, there is a case where it
145 : returns X with no prefix of 40, so, nbytes == secret_x_size
146 : is allowed. */
147 48 : if (nbytes < secret_x_size)
148 : {
149 0 : xfree (secret_x);
150 0 : return gpg_error (GPG_ERR_BAD_DATA);
151 : }
152 :
153 : /* Remove the prefix. */
154 48 : if ((nbytes & 1))
155 48 : memmove (secret_x, secret_x+1, secret_x_size);
156 :
157 : /* Clear the rest of data. */
158 48 : if (nbytes - secret_x_size)
159 48 : memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
160 :
161 48 : if (DBG_CRYPTO)
162 0 : log_printhex ("ECDH shared secret X is:", secret_x, secret_x_size );
163 : }
164 :
165 : /*** We have now the shared secret bytes in secret_x. ***/
166 :
167 : /* At this point we are done with PK encryption and the rest of the
168 : * function uses symmetric key encryption techniques to protect the
169 : * input DATA. The following two sections will simply replace
170 : * current secret_x with a value derived from it. This will become
171 : * a KEK.
172 : */
173 48 : if (!gcry_mpi_get_flag (pkey[2], GCRYMPI_FLAG_OPAQUE))
174 : {
175 0 : xfree (secret_x);
176 0 : return gpg_error (GPG_ERR_BUG);
177 : }
178 48 : kek_params = gcry_mpi_get_opaque (pkey[2], &nbits);
179 48 : kek_params_size = (nbits+7)/8;
180 :
181 48 : if (DBG_CRYPTO)
182 0 : log_printhex ("ecdh KDF params:", kek_params, kek_params_size);
183 :
184 : /* Expect 4 bytes 03 01 hash_alg symm_alg. */
185 48 : if (kek_params_size != 4 || kek_params[0] != 3 || kek_params[1] != 1)
186 : {
187 0 : xfree (secret_x);
188 0 : return gpg_error (GPG_ERR_BAD_PUBKEY);
189 : }
190 :
191 48 : kdf_hash_algo = kek_params[2];
192 48 : kdf_encr_algo = kek_params[3];
193 :
194 48 : if (DBG_CRYPTO)
195 0 : log_debug ("ecdh KDF algorithms %s+%s with aeswrap\n",
196 : openpgp_md_algo_name (kdf_hash_algo),
197 : openpgp_cipher_algo_name (kdf_encr_algo));
198 :
199 48 : if (kdf_hash_algo != GCRY_MD_SHA256
200 30 : && kdf_hash_algo != GCRY_MD_SHA384
201 15 : && kdf_hash_algo != GCRY_MD_SHA512)
202 : {
203 0 : xfree (secret_x);
204 0 : return gpg_error (GPG_ERR_BAD_PUBKEY);
205 : }
206 48 : if (kdf_encr_algo != CIPHER_ALGO_AES
207 30 : && kdf_encr_algo != CIPHER_ALGO_AES192
208 30 : && kdf_encr_algo != CIPHER_ALGO_AES256)
209 : {
210 0 : xfree (secret_x);
211 0 : return gpg_error (GPG_ERR_BAD_PUBKEY);
212 : }
213 :
214 : /* Build kdf_params. */
215 : {
216 : IOBUF obuf;
217 :
218 48 : obuf = iobuf_temp();
219 : /* variable-length field 1, curve name OID */
220 48 : err = gpg_mpi_write_nohdr (obuf, pkey[0]);
221 : /* fixed-length field 2 */
222 48 : iobuf_put (obuf, PUBKEY_ALGO_ECDH);
223 : /* variable-length field 3, KDF params */
224 48 : err = (err ? err : gpg_mpi_write_nohdr (obuf, pkey[2]));
225 : /* fixed-length field 4 */
226 48 : iobuf_write (obuf, "Anonymous Sender ", 20);
227 : /* fixed-length field 5, recipient fp */
228 48 : iobuf_write (obuf, pk_fp, 20);
229 :
230 48 : message_size = iobuf_temp_to_buffer (obuf, message, sizeof message);
231 48 : iobuf_close (obuf);
232 48 : if (err)
233 : {
234 0 : xfree (secret_x);
235 0 : return err;
236 : }
237 :
238 48 : if(DBG_CRYPTO)
239 0 : log_printhex ("ecdh KDF message params are:", message, message_size);
240 : }
241 :
242 : /* Derive a KEK (key wrapping key) using MESSAGE and SECRET_X. */
243 : {
244 : gcry_md_hd_t h;
245 : int old_size;
246 :
247 48 : err = gcry_md_open (&h, kdf_hash_algo, 0);
248 48 : if (err)
249 : {
250 0 : log_error ("gcry_md_open failed for kdf_hash_algo %d: %s",
251 : kdf_hash_algo, gpg_strerror (err));
252 0 : xfree (secret_x);
253 0 : return err;
254 : }
255 48 : gcry_md_write(h, "\x00\x00\x00\x01", 4); /* counter = 1 */
256 48 : gcry_md_write(h, secret_x, secret_x_size); /* x of the point X */
257 48 : gcry_md_write(h, message, message_size); /* KDF parameters */
258 :
259 48 : gcry_md_final (h);
260 :
261 48 : log_assert( gcry_md_get_algo_dlen (kdf_hash_algo) >= 32 );
262 :
263 48 : memcpy (secret_x, gcry_md_read (h, kdf_hash_algo),
264 48 : gcry_md_get_algo_dlen (kdf_hash_algo));
265 48 : gcry_md_close (h);
266 :
267 48 : old_size = secret_x_size;
268 48 : log_assert( old_size >= gcry_cipher_get_algo_keylen( kdf_encr_algo ) );
269 48 : secret_x_size = gcry_cipher_get_algo_keylen( kdf_encr_algo );
270 48 : log_assert( secret_x_size <= gcry_md_get_algo_dlen (kdf_hash_algo) );
271 :
272 : /* We could have allocated more, so clean the tail before returning. */
273 48 : memset (secret_x+secret_x_size, 0, old_size - secret_x_size);
274 48 : if (DBG_CRYPTO)
275 0 : log_printhex ("ecdh KEK is:", secret_x, secret_x_size );
276 : }
277 :
278 : /* And, finally, aeswrap with key secret_x. */
279 : {
280 : gcry_cipher_hd_t hd;
281 : size_t nbytes;
282 :
283 : byte *data_buf;
284 : int data_buf_size;
285 :
286 : gcry_mpi_t result;
287 :
288 48 : err = gcry_cipher_open (&hd, kdf_encr_algo, GCRY_CIPHER_MODE_AESWRAP, 0);
289 48 : if (err)
290 : {
291 0 : log_error ("ecdh failed to initialize AESWRAP: %s\n",
292 : gpg_strerror (err));
293 0 : xfree (secret_x);
294 0 : return err;
295 : }
296 :
297 48 : err = gcry_cipher_setkey (hd, secret_x, secret_x_size);
298 48 : xfree (secret_x);
299 48 : secret_x = NULL;
300 48 : if (err)
301 : {
302 0 : gcry_cipher_close (hd);
303 0 : log_error ("ecdh failed in gcry_cipher_setkey: %s\n",
304 : gpg_strerror (err));
305 0 : return err;
306 : }
307 :
308 48 : data_buf_size = (gcry_mpi_get_nbits(data)+7)/8;
309 48 : if ((data_buf_size & 7) != (is_encrypt ? 0 : 1))
310 : {
311 0 : log_error ("can't use a shared secret of %d bytes for ecdh\n",
312 : data_buf_size);
313 0 : return gpg_error (GPG_ERR_BAD_DATA);
314 : }
315 :
316 48 : data_buf = xtrymalloc_secure( 1 + 2*data_buf_size + 8);
317 48 : if (!data_buf)
318 : {
319 0 : err = gpg_error_from_syserror ();
320 0 : gcry_cipher_close (hd);
321 0 : return err;
322 : }
323 :
324 48 : if (is_encrypt)
325 : {
326 24 : byte *in = data_buf+1+data_buf_size+8;
327 :
328 : /* Write data MPI into the end of data_buf. data_buf is size
329 : aeswrap data. */
330 24 : err = gcry_mpi_print (GCRYMPI_FMT_USG, in,
331 : data_buf_size, &nbytes, data/*in*/);
332 24 : if (err)
333 : {
334 0 : log_error ("ecdh failed to export DEK: %s\n", gpg_strerror (err));
335 0 : gcry_cipher_close (hd);
336 0 : xfree (data_buf);
337 0 : return err;
338 : }
339 :
340 24 : if (DBG_CRYPTO)
341 0 : log_printhex ("ecdh encrypting :", in, data_buf_size );
342 :
343 24 : err = gcry_cipher_encrypt (hd, data_buf+1, data_buf_size+8,
344 : in, data_buf_size);
345 24 : memset (in, 0, data_buf_size);
346 24 : gcry_cipher_close (hd);
347 24 : if (err)
348 : {
349 0 : log_error ("ecdh failed in gcry_cipher_encrypt: %s\n",
350 : gpg_strerror (err));
351 0 : xfree (data_buf);
352 0 : return err;
353 : }
354 24 : data_buf[0] = data_buf_size+8;
355 :
356 24 : if (DBG_CRYPTO)
357 0 : log_printhex ("ecdh encrypted to:", data_buf+1, data_buf[0] );
358 :
359 24 : result = gcry_mpi_set_opaque (NULL, data_buf, 8 * (1+data_buf[0]));
360 24 : if (!result)
361 : {
362 0 : err = gpg_error_from_syserror ();
363 0 : xfree (data_buf);
364 0 : log_error ("ecdh failed to create an MPI: %s\n",
365 : gpg_strerror (err));
366 0 : return err;
367 : }
368 :
369 24 : *r_result = result;
370 : }
371 : else
372 : {
373 : byte *in;
374 : const void *p;
375 :
376 24 : p = gcry_mpi_get_opaque (data, &nbits);
377 24 : nbytes = (nbits+7)/8;
378 24 : if (!p || nbytes > data_buf_size || !nbytes)
379 : {
380 0 : xfree (data_buf);
381 0 : return gpg_error (GPG_ERR_BAD_MPI);
382 : }
383 24 : memcpy (data_buf, p, nbytes);
384 24 : if (data_buf[0] != nbytes-1)
385 : {
386 0 : log_error ("ecdh inconsistent size\n");
387 0 : xfree (data_buf);
388 0 : return gpg_error (GPG_ERR_BAD_MPI);
389 : }
390 24 : in = data_buf+data_buf_size;
391 24 : data_buf_size = data_buf[0];
392 :
393 24 : if (DBG_CRYPTO)
394 0 : log_printhex ("ecdh decrypting :", data_buf+1, data_buf_size);
395 :
396 24 : err = gcry_cipher_decrypt (hd, in, data_buf_size, data_buf+1,
397 : data_buf_size);
398 24 : gcry_cipher_close (hd);
399 24 : if (err)
400 : {
401 0 : log_error ("ecdh failed in gcry_cipher_decrypt: %s\n",
402 : gpg_strerror (err));
403 0 : xfree (data_buf);
404 0 : return err;
405 : }
406 :
407 24 : data_buf_size -= 8;
408 :
409 24 : if (DBG_CRYPTO)
410 0 : log_printhex ("ecdh decrypted to :", in, data_buf_size);
411 :
412 : /* Padding is removed later. */
413 : /* if (in[data_buf_size-1] > 8 ) */
414 : /* { */
415 : /* log_error ("ecdh failed at decryption: invalid padding." */
416 : /* " 0x%02x > 8\n", in[data_buf_size-1] ); */
417 : /* return gpg_error (GPG_ERR_BAD_KEY); */
418 : /* } */
419 :
420 24 : err = gcry_mpi_scan (&result, GCRYMPI_FMT_USG, in, data_buf_size, NULL);
421 24 : xfree (data_buf);
422 24 : if (err)
423 : {
424 0 : log_error ("ecdh failed to create a plain text MPI: %s\n",
425 : gpg_strerror (err));
426 0 : return err;
427 : }
428 :
429 24 : *r_result = result;
430 : }
431 : }
432 :
433 48 : return err;
434 : }
435 :
436 :
437 : static gcry_mpi_t
438 24 : gen_k (unsigned nbits)
439 : {
440 : gcry_mpi_t k;
441 :
442 24 : k = gcry_mpi_snew (nbits);
443 24 : if (DBG_CRYPTO)
444 0 : log_debug ("choosing a random k of %u bits\n", nbits);
445 :
446 24 : gcry_mpi_randomize (k, nbits-1, GCRY_STRONG_RANDOM);
447 :
448 24 : if (DBG_CRYPTO)
449 : {
450 : unsigned char *buffer;
451 0 : if (gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buffer, NULL, k))
452 0 : BUG ();
453 0 : log_debug ("ephemeral scalar MPI #0: %s\n", buffer);
454 0 : gcry_free (buffer);
455 : }
456 :
457 24 : return k;
458 : }
459 :
460 :
461 : /* Generate an ephemeral key for the public ECDH key in PKEY. On
462 : success the generated key is stored at R_K; on failure NULL is
463 : stored at R_K and an error code returned. */
464 : gpg_error_t
465 24 : pk_ecdh_generate_ephemeral_key (gcry_mpi_t *pkey, gcry_mpi_t *r_k)
466 : {
467 : unsigned int nbits;
468 : gcry_mpi_t k;
469 :
470 24 : *r_k = NULL;
471 :
472 24 : nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
473 24 : if (!nbits)
474 0 : return gpg_error (GPG_ERR_TOO_SHORT);
475 24 : k = gen_k (nbits);
476 24 : if (!k)
477 0 : BUG ();
478 :
479 24 : *r_k = k;
480 24 : return 0;
481 : }
482 :
483 :
484 :
485 : /* Perform ECDH decryption. */
486 : int
487 24 : pk_ecdh_decrypt (gcry_mpi_t * result, const byte sk_fp[MAX_FINGERPRINT_LEN],
488 : gcry_mpi_t data, gcry_mpi_t shared, gcry_mpi_t * skey)
489 : {
490 24 : if (!data)
491 0 : return gpg_error (GPG_ERR_BAD_MPI);
492 24 : return pk_ecdh_encrypt_with_shared_point (0 /*=decryption*/, shared,
493 : sk_fp, data/*encr data as an MPI*/,
494 : skey, result);
495 : }
|
