Line data Source code
1 : /* ecdh.c - ECDH public key operations used in public key glue code
2 : * Copyright (C) 2010, 2011 Free Software Foundation, Inc.
3 : *
4 : * This file is part of GnuPG.
5 : *
6 : * GnuPG is free software; you can redistribute it and/or modify
7 : * it under the terms of the GNU General Public License as published by
8 : * the Free Software Foundation; either version 3 of the License, or
9 : * (at your option) any later version.
10 : *
11 : * GnuPG is distributed in the hope that it will be useful,
12 : * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 : * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 : * GNU General Public License for more details.
15 : *
16 : * You should have received a copy of the GNU General Public License
17 : * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 : */
19 :
20 : #include <config.h>
21 : #include <stdio.h>
22 : #include <stdlib.h>
23 : #include <string.h>
24 : #include <errno.h>
25 : #include <assert.h>
26 :
27 : #include "gpg.h"
28 : #include "util.h"
29 : #include "pkglue.h"
30 : #include "main.h"
31 : #include "options.h"
32 :
33 : /* A table with the default KEK parameters used by GnuPG. */
34 : static const struct
35 : {
36 : unsigned int qbits;
37 : int openpgp_hash_id; /* KEK digest algorithm. */
38 : int openpgp_cipher_id; /* KEK cipher algorithm. */
39 : } kek_params_table[] =
40 : /* Note: Must be sorted by ascending values for QBITS. */
41 : {
42 : { 256, DIGEST_ALGO_SHA256, CIPHER_ALGO_AES },
43 : { 384, DIGEST_ALGO_SHA384, CIPHER_ALGO_AES256 },
44 :
45 : /* Note: 528 is 521 rounded to the 8 bit boundary */
46 : { 528, DIGEST_ALGO_SHA512, CIPHER_ALGO_AES256 }
47 : };
48 :
49 :
50 :
51 : /* Return KEK parameters as an opaque MPI The caller must free the
52 : returned value. Returns NULL and sets ERRNO on error. */
53 : gcry_mpi_t
54 0 : pk_ecdh_default_params (unsigned int qbits)
55 : {
56 : byte *kek_params;
57 : int i;
58 :
59 0 : kek_params = xtrymalloc (4);
60 0 : if (!kek_params)
61 0 : return NULL;
62 0 : kek_params[0] = 3; /* Number of bytes to follow. */
63 0 : kek_params[1] = 1; /* Version for KDF+AESWRAP. */
64 :
65 : /* Search for matching KEK parameter. Defaults to the strongest
66 : possible choices. Performance is not an issue here, only
67 : interoperability. */
68 0 : for (i=0; i < DIM (kek_params_table); i++)
69 : {
70 0 : if (kek_params_table[i].qbits >= qbits
71 0 : || i+1 == DIM (kek_params_table))
72 : {
73 0 : kek_params[2] = kek_params_table[i].openpgp_hash_id;
74 0 : kek_params[3] = kek_params_table[i].openpgp_cipher_id;
75 0 : break;
76 : }
77 : }
78 0 : assert (i < DIM (kek_params_table));
79 0 : if (DBG_CRYPTO)
80 0 : log_printhex ("ECDH KEK params are", kek_params, sizeof(kek_params) );
81 :
82 0 : return gcry_mpi_set_opaque (NULL, kek_params, 4 * 8);
83 : }
84 :
85 :
86 : /* Encrypts/decrypts DATA using a key derived from the ECC shared
87 : point SHARED_MPI using the FIPS SP 800-56A compliant method
88 : key_derivation+key_wrapping. If IS_ENCRYPT is true the function
89 : encrypts; if false, it decrypts. PKEY is the public key and PK_FP
90 : the fingerprint of this public key. On success the result is
91 : stored at R_RESULT; on failure NULL is stored at R_RESULT and an
92 : error code returned. */
93 : gpg_error_t
94 45 : pk_ecdh_encrypt_with_shared_point (int is_encrypt, gcry_mpi_t shared_mpi,
95 : const byte pk_fp[MAX_FINGERPRINT_LEN],
96 : gcry_mpi_t data, gcry_mpi_t *pkey,
97 : gcry_mpi_t *r_result)
98 : {
99 : gpg_error_t err;
100 : byte *secret_x;
101 : int secret_x_size;
102 : unsigned int nbits;
103 : const unsigned char *kek_params;
104 : size_t kek_params_size;
105 : int kdf_hash_algo;
106 : int kdf_encr_algo;
107 : unsigned char message[256];
108 : size_t message_size;
109 :
110 45 : *r_result = NULL;
111 :
112 45 : nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
113 45 : if (!nbits)
114 0 : return gpg_error (GPG_ERR_TOO_SHORT);
115 :
116 : {
117 : size_t nbytes;
118 :
119 : /* Extract x component of the shared point: this is the actual
120 : shared secret. */
121 45 : nbytes = (mpi_get_nbits (pkey[1] /* public point */)+7)/8;
122 45 : secret_x = xtrymalloc_secure (nbytes);
123 45 : if (!secret_x)
124 0 : return gpg_error_from_syserror ();
125 :
126 45 : err = gcry_mpi_print (GCRYMPI_FMT_USG, secret_x, nbytes,
127 : &nbytes, shared_mpi);
128 45 : if (err)
129 : {
130 0 : xfree (secret_x);
131 0 : log_error ("ECDH ephemeral export of shared point failed: %s\n",
132 : gpg_strerror (err));
133 0 : return err;
134 : }
135 :
136 45 : secret_x_size = (nbits+7)/8;
137 45 : assert (nbytes >= secret_x_size);
138 45 : if ((nbytes & 1))
139 : /* Remove the "04" prefix of non-compressed format. */
140 45 : memmove (secret_x, secret_x+1, secret_x_size);
141 45 : if (nbytes - secret_x_size)
142 45 : memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
143 :
144 45 : if (DBG_CRYPTO)
145 0 : log_printhex ("ECDH shared secret X is:", secret_x, secret_x_size );
146 : }
147 :
148 : /*** We have now the shared secret bytes in secret_x. ***/
149 :
150 : /* At this point we are done with PK encryption and the rest of the
151 : * function uses symmetric key encryption techniques to protect the
152 : * input DATA. The following two sections will simply replace
153 : * current secret_x with a value derived from it. This will become
154 : * a KEK.
155 : */
156 45 : if (!gcry_mpi_get_flag (pkey[2], GCRYMPI_FLAG_OPAQUE))
157 : {
158 0 : xfree (secret_x);
159 0 : return gpg_error (GPG_ERR_BUG);
160 : }
161 45 : kek_params = gcry_mpi_get_opaque (pkey[2], &nbits);
162 45 : kek_params_size = (nbits+7)/8;
163 :
164 45 : if (DBG_CRYPTO)
165 0 : log_printhex ("ecdh KDF params:", kek_params, kek_params_size);
166 :
167 : /* Expect 4 bytes 03 01 hash_alg symm_alg. */
168 45 : if (kek_params_size != 4 || kek_params[0] != 3 || kek_params[1] != 1)
169 : {
170 0 : xfree (secret_x);
171 0 : return gpg_error (GPG_ERR_BAD_PUBKEY);
172 : }
173 :
174 45 : kdf_hash_algo = kek_params[2];
175 45 : kdf_encr_algo = kek_params[3];
176 :
177 45 : if (DBG_CRYPTO)
178 0 : log_debug ("ecdh KDF algorithms %s+%s with aeswrap\n",
179 : openpgp_md_algo_name (kdf_hash_algo),
180 : openpgp_cipher_algo_name (kdf_encr_algo));
181 :
182 45 : if (kdf_hash_algo != GCRY_MD_SHA256
183 30 : && kdf_hash_algo != GCRY_MD_SHA384
184 15 : && kdf_hash_algo != GCRY_MD_SHA512)
185 : {
186 0 : xfree (secret_x);
187 0 : return gpg_error (GPG_ERR_BAD_PUBKEY);
188 : }
189 45 : if (kdf_encr_algo != CIPHER_ALGO_AES
190 30 : && kdf_encr_algo != CIPHER_ALGO_AES192
191 30 : && kdf_encr_algo != CIPHER_ALGO_AES256)
192 : {
193 0 : xfree (secret_x);
194 0 : return gpg_error (GPG_ERR_BAD_PUBKEY);
195 : }
196 :
197 : /* Build kdf_params. */
198 : {
199 : IOBUF obuf;
200 :
201 45 : obuf = iobuf_temp();
202 : /* variable-length field 1, curve name OID */
203 45 : err = gpg_mpi_write_nohdr (obuf, pkey[0]);
204 : /* fixed-length field 2 */
205 45 : iobuf_put (obuf, PUBKEY_ALGO_ECDH);
206 : /* variable-length field 3, KDF params */
207 45 : err = (err ? err : gpg_mpi_write_nohdr (obuf, pkey[2]));
208 : /* fixed-length field 4 */
209 45 : iobuf_write (obuf, "Anonymous Sender ", 20);
210 : /* fixed-length field 5, recipient fp */
211 45 : iobuf_write (obuf, pk_fp, 20);
212 :
213 45 : message_size = iobuf_temp_to_buffer (obuf, message, sizeof message);
214 45 : iobuf_close (obuf);
215 45 : if (err)
216 : {
217 0 : xfree (secret_x);
218 0 : return err;
219 : }
220 :
221 45 : if(DBG_CRYPTO)
222 0 : log_printhex ("ecdh KDF message params are:", message, message_size);
223 : }
224 :
225 : /* Derive a KEK (key wrapping key) using MESSAGE and SECRET_X. */
226 : {
227 : gcry_md_hd_t h;
228 : int old_size;
229 :
230 45 : err = gcry_md_open (&h, kdf_hash_algo, 0);
231 45 : if (err)
232 : {
233 0 : log_error ("gcry_md_open failed for kdf_hash_algo %d: %s",
234 : kdf_hash_algo, gpg_strerror (err));
235 0 : xfree (secret_x);
236 0 : return err;
237 : }
238 45 : gcry_md_write(h, "\x00\x00\x00\x01", 4); /* counter = 1 */
239 45 : gcry_md_write(h, secret_x, secret_x_size); /* x of the point X */
240 45 : gcry_md_write(h, message, message_size);/* KDF parameters */
241 :
242 45 : gcry_md_final (h);
243 :
244 45 : assert( gcry_md_get_algo_dlen (kdf_hash_algo) >= 32 );
245 :
246 45 : memcpy (secret_x, gcry_md_read (h, kdf_hash_algo),
247 45 : gcry_md_get_algo_dlen (kdf_hash_algo));
248 45 : gcry_md_close (h);
249 :
250 45 : old_size = secret_x_size;
251 45 : assert( old_size >= gcry_cipher_get_algo_keylen( kdf_encr_algo ) );
252 45 : secret_x_size = gcry_cipher_get_algo_keylen( kdf_encr_algo );
253 45 : assert( secret_x_size <= gcry_md_get_algo_dlen (kdf_hash_algo) );
254 :
255 : /* We could have allocated more, so clean the tail before returning. */
256 45 : memset (secret_x+secret_x_size, 0, old_size - secret_x_size);
257 45 : if (DBG_CRYPTO)
258 0 : log_printhex ("ecdh KEK is:", secret_x, secret_x_size );
259 : }
260 :
261 : /* And, finally, aeswrap with key secret_x. */
262 : {
263 : gcry_cipher_hd_t hd;
264 : size_t nbytes;
265 :
266 : byte *data_buf;
267 : int data_buf_size;
268 :
269 : gcry_mpi_t result;
270 :
271 45 : err = gcry_cipher_open (&hd, kdf_encr_algo, GCRY_CIPHER_MODE_AESWRAP, 0);
272 45 : if (err)
273 : {
274 0 : log_error ("ecdh failed to initialize AESWRAP: %s\n",
275 : gpg_strerror (err));
276 0 : xfree (secret_x);
277 0 : return err;
278 : }
279 :
280 45 : err = gcry_cipher_setkey (hd, secret_x, secret_x_size);
281 45 : xfree (secret_x);
282 45 : secret_x = NULL;
283 45 : if (err)
284 : {
285 0 : gcry_cipher_close (hd);
286 0 : log_error ("ecdh failed in gcry_cipher_setkey: %s\n",
287 : gpg_strerror (err));
288 0 : return err;
289 : }
290 :
291 45 : data_buf_size = (gcry_mpi_get_nbits(data)+7)/8;
292 45 : if ((data_buf_size & 7) != (is_encrypt ? 0 : 1))
293 : {
294 0 : log_error ("can't use a shared secret of %d bytes for ecdh\n",
295 : data_buf_size);
296 0 : return gpg_error (GPG_ERR_BAD_DATA);
297 : }
298 :
299 45 : data_buf = xtrymalloc_secure( 1 + 2*data_buf_size + 8);
300 45 : if (!data_buf)
301 : {
302 0 : err = gpg_error_from_syserror ();
303 0 : gcry_cipher_close (hd);
304 0 : return err;
305 : }
306 :
307 45 : if (is_encrypt)
308 : {
309 21 : byte *in = data_buf+1+data_buf_size+8;
310 :
311 : /* Write data MPI into the end of data_buf. data_buf is size
312 : aeswrap data. */
313 21 : err = gcry_mpi_print (GCRYMPI_FMT_USG, in,
314 : data_buf_size, &nbytes, data/*in*/);
315 21 : if (err)
316 : {
317 0 : log_error ("ecdh failed to export DEK: %s\n", gpg_strerror (err));
318 0 : gcry_cipher_close (hd);
319 0 : xfree (data_buf);
320 0 : return err;
321 : }
322 :
323 21 : if (DBG_CRYPTO)
324 0 : log_printhex ("ecdh encrypting :", in, data_buf_size );
325 :
326 21 : err = gcry_cipher_encrypt (hd, data_buf+1, data_buf_size+8,
327 : in, data_buf_size);
328 21 : memset (in, 0, data_buf_size);
329 21 : gcry_cipher_close (hd);
330 21 : if (err)
331 : {
332 0 : log_error ("ecdh failed in gcry_cipher_encrypt: %s\n",
333 : gpg_strerror (err));
334 0 : xfree (data_buf);
335 0 : return err;
336 : }
337 21 : data_buf[0] = data_buf_size+8;
338 :
339 21 : if (DBG_CRYPTO)
340 0 : log_printhex ("ecdh encrypted to:", data_buf+1, data_buf[0] );
341 :
342 21 : result = gcry_mpi_set_opaque (NULL, data_buf, 8 * (1+data_buf[0]));
343 21 : if (!result)
344 : {
345 0 : err = gpg_error_from_syserror ();
346 0 : xfree (data_buf);
347 0 : log_error ("ecdh failed to create an MPI: %s\n",
348 : gpg_strerror (err));
349 0 : return err;
350 : }
351 :
352 21 : *r_result = result;
353 : }
354 : else
355 : {
356 : byte *in;
357 : const void *p;
358 :
359 24 : p = gcry_mpi_get_opaque (data, &nbits);
360 24 : nbytes = (nbits+7)/8;
361 24 : if (!p || nbytes > data_buf_size || !nbytes)
362 : {
363 0 : xfree (data_buf);
364 0 : return gpg_error (GPG_ERR_BAD_MPI);
365 : }
366 24 : memcpy (data_buf, p, nbytes);
367 24 : if (data_buf[0] != nbytes-1)
368 : {
369 0 : log_error ("ecdh inconsistent size\n");
370 0 : xfree (data_buf);
371 0 : return gpg_error (GPG_ERR_BAD_MPI);
372 : }
373 24 : in = data_buf+data_buf_size;
374 24 : data_buf_size = data_buf[0];
375 :
376 24 : if (DBG_CRYPTO)
377 0 : log_printhex ("ecdh decrypting :", data_buf+1, data_buf_size);
378 :
379 24 : err = gcry_cipher_decrypt (hd, in, data_buf_size, data_buf+1,
380 : data_buf_size);
381 24 : gcry_cipher_close (hd);
382 24 : if (err)
383 : {
384 0 : log_error ("ecdh failed in gcry_cipher_decrypt: %s\n",
385 : gpg_strerror (err));
386 0 : xfree (data_buf);
387 0 : return err;
388 : }
389 :
390 24 : data_buf_size -= 8;
391 :
392 24 : if (DBG_CRYPTO)
393 0 : log_printhex ("ecdh decrypted to :", in, data_buf_size);
394 :
395 : /* Padding is removed later. */
396 : /* if (in[data_buf_size-1] > 8 ) */
397 : /* { */
398 : /* log_error ("ecdh failed at decryption: invalid padding." */
399 : /* " 0x%02x > 8\n", in[data_buf_size-1] ); */
400 : /* return gpg_error (GPG_ERR_BAD_KEY); */
401 : /* } */
402 :
403 24 : err = gcry_mpi_scan (&result, GCRYMPI_FMT_USG, in, data_buf_size, NULL);
404 24 : xfree (data_buf);
405 24 : if (err)
406 : {
407 0 : log_error ("ecdh failed to create a plain text MPI: %s\n",
408 : gpg_strerror (err));
409 0 : return err;
410 : }
411 :
412 24 : *r_result = result;
413 : }
414 : }
415 :
416 45 : return err;
417 : }
418 :
419 :
420 : static gcry_mpi_t
421 21 : gen_k (unsigned nbits)
422 : {
423 : gcry_mpi_t k;
424 :
425 21 : k = gcry_mpi_snew (nbits);
426 21 : if (DBG_CRYPTO)
427 0 : log_debug ("choosing a random k of %u bits\n", nbits);
428 :
429 21 : gcry_mpi_randomize (k, nbits-1, GCRY_STRONG_RANDOM);
430 :
431 21 : if (DBG_CRYPTO)
432 : {
433 : unsigned char *buffer;
434 0 : if (gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buffer, NULL, k))
435 0 : BUG ();
436 0 : log_debug ("ephemeral scalar MPI #0: %s\n", buffer);
437 0 : gcry_free (buffer);
438 : }
439 :
440 21 : return k;
441 : }
442 :
443 :
444 : /* Generate an ephemeral key for the public ECDH key in PKEY. On
445 : success the generated key is stored at R_K; on failure NULL is
446 : stored at R_K and an error code returned. */
447 : gpg_error_t
448 21 : pk_ecdh_generate_ephemeral_key (gcry_mpi_t *pkey, gcry_mpi_t *r_k)
449 : {
450 : unsigned int nbits;
451 : gcry_mpi_t k;
452 :
453 21 : *r_k = NULL;
454 :
455 21 : nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
456 21 : if (!nbits)
457 0 : return gpg_error (GPG_ERR_TOO_SHORT);
458 21 : k = gen_k (nbits);
459 21 : if (!k)
460 0 : BUG ();
461 :
462 21 : *r_k = k;
463 21 : return 0;
464 : }
465 :
466 :
467 :
468 : /* Perform ECDH decryption. */
469 : int
470 24 : pk_ecdh_decrypt (gcry_mpi_t * result, const byte sk_fp[MAX_FINGERPRINT_LEN],
471 : gcry_mpi_t data, gcry_mpi_t shared, gcry_mpi_t * skey)
472 : {
473 24 : if (!data)
474 0 : return gpg_error (GPG_ERR_BAD_MPI);
475 24 : return pk_ecdh_encrypt_with_shared_point (0 /*=decryption*/, shared,
476 : sk_fp, data/*encr data as an MPI*/,
477 : skey, result);
478 : }
|
