diff --git a/g10/ecdh.c b/g10/ecdh.c
index 46ac140f5..14ca82856 100644
--- a/g10/ecdh.c
+++ b/g10/ecdh.c
@@ -1,482 +1,552 @@
/* ecdh.c - ECDH public key operations used in public key glue code
* Copyright (C) 2010, 2011 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include "gpg.h"
#include "../common/util.h"
#include "pkglue.h"
#include "main.h"
#include "options.h"
/* A table with the default KEK parameters used by GnuPG. */
static const struct
{
unsigned int qbits;
int openpgp_hash_id; /* KEK digest algorithm. */
int openpgp_cipher_id; /* KEK cipher algorithm. */
} kek_params_table[] =
/* Note: Must be sorted by ascending values for QBITS. */
{
{ 256, DIGEST_ALGO_SHA256, CIPHER_ALGO_AES },
{ 384, DIGEST_ALGO_SHA384, CIPHER_ALGO_AES256 },
/* Note: 528 is 521 rounded to the 8 bit boundary */
{ 528, DIGEST_ALGO_SHA512, CIPHER_ALGO_AES256 }
};
/* Return KEK parameters as an opaque MPI The caller must free the
returned value. Returns NULL and sets ERRNO on error. */
gcry_mpi_t
pk_ecdh_default_params (unsigned int qbits)
{
byte *kek_params;
int i;
kek_params = xtrymalloc (4);
if (!kek_params)
return NULL;
kek_params[0] = 3; /* Number of bytes to follow. */
kek_params[1] = 1; /* Version for KDF+AESWRAP. */
/* Search for matching KEK parameter. Defaults to the strongest
possible choices. Performance is not an issue here, only
interoperability. */
for (i=0; i < DIM (kek_params_table); i++)
{
if (kek_params_table[i].qbits >= qbits
|| i+1 == DIM (kek_params_table))
{
kek_params[2] = kek_params_table[i].openpgp_hash_id;
kek_params[3] = kek_params_table[i].openpgp_cipher_id;
break;
}
}
log_assert (i < DIM (kek_params_table));
if (DBG_CRYPTO)
log_printhex (kek_params, sizeof(kek_params), "ECDH KEK params are");
return gcry_mpi_set_opaque (NULL, kek_params, 4 * 8);
}
-/* Encrypts/decrypts DATA using a key derived from the ECC shared
- point SHARED using the FIPS SP 800-56A compliant method
- key_derivation+key_wrapping. If IS_ENCRYPT is true the function
- encrypts; if false, it decrypts. PKEY is the public key and PK_FP
- the fingerprint of this public key. On success the result is
- stored at R_RESULT; on failure NULL is stored at R_RESULT and an
- error code returned. */
-gpg_error_t
-pk_ecdh_encrypt_with_shared_point (int is_encrypt,
- const char *shared, size_t nshared,
- const byte pk_fp[MAX_FINGERPRINT_LEN],
- const byte *data, size_t ndata,
- gcry_mpi_t *pkey,
- gcry_mpi_t *r_result)
+/* Extract xcomponent from the point SHARED. POINT_NBYTES is the
+ size to represent an EC point which is determined by the public
+ key. SECRET_X_SIZE is the size of x component to represent an
+ integer which is determined by the curve. */
+static gpg_error_t
+extract_secret_x (byte **r_secret_x,
+ const char *shared, size_t nshared,
+ size_t point_nbytes, size_t secret_x_size)
+{
+ byte *secret_x;
+
+ *r_secret_x = NULL;
+
+ /* Extract X from the result. It must be in the format of:
+ 04 || X || Y
+ 40 || X
+ 41 || X
+
+ Since it may come with the prefix, the size of point is larger
+ than or equals to the size of an integer X. */
+ if (point_nbytes < secret_x_size)
+ return gpg_error (GPG_ERR_BAD_DATA);
+
+ /* Extract x component of the shared point: this is the actual
+ shared secret. */
+ secret_x = xtrymalloc_secure (point_nbytes);
+ if (!secret_x)
+ return gpg_error_from_syserror ();
+
+ memcpy (secret_x, shared, nshared);
+
+ /* Remove the prefix. */
+ if ((point_nbytes & 1))
+ memmove (secret_x, secret_x+1, secret_x_size);
+
+ /* Clear the rest of data. */
+ if (point_nbytes - secret_x_size)
+ memset (secret_x+secret_x_size, 0, point_nbytes-secret_x_size);
+
+ if (DBG_CRYPTO)
+ log_printhex (secret_x, secret_x_size, "ECDH shared secret X is:");
+
+ *r_secret_x = secret_x;
+ return 0;
+}
+
+
+static gpg_error_t
+build_kdf_params (unsigned char kdf_params[256], size_t *r_size,
+ gcry_mpi_t *pkey, const byte pk_fp[MAX_FINGERPRINT_LEN])
+{
+ IOBUF obuf;
+ gpg_error_t err;
+
+ *r_size = 0;
+
+ obuf = iobuf_temp();
+ if (!obuf)
+ return gpg_error_from_syserror ();
+
+ /* variable-length field 1, curve name OID */
+ err = gpg_mpi_write_nohdr (obuf, pkey[0]);
+ /* fixed-length field 2 */
+ iobuf_put (obuf, PUBKEY_ALGO_ECDH);
+ /* variable-length field 3, KDF params */
+ err = (err ? err : gpg_mpi_write_nohdr (obuf, pkey[2]));
+ /* fixed-length field 4 */
+ iobuf_write (obuf, "Anonymous Sender ", 20);
+ /* fixed-length field 5, recipient fp */
+ iobuf_write (obuf, pk_fp, 20);
+
+ if (!err)
+ *r_size = iobuf_temp_to_buffer (obuf, kdf_params, 256);
+
+ iobuf_close (obuf);
+
+ if (!err)
+ {
+ if (DBG_CRYPTO)
+ log_printhex (kdf_params, *r_size, "ecdh KDF message params are:");
+ }
+
+ return err;
+}
+
+
+/* Derive KEK with KEK_SIZE into the memory at SECRET_X. */
+static gpg_error_t
+derive_kek (size_t kek_size,
+ int kdf_hash_algo,
+ byte *secret_x, int secret_x_size,
+ const unsigned char *kdf_params, size_t kdf_params_size)
+{
+ gpg_error_t err;
+ gcry_md_hd_t h;
+
+ log_assert( gcry_md_get_algo_dlen (kdf_hash_algo) >= 32 );
+
+ err = gcry_md_open (&h, kdf_hash_algo, 0);
+ if (err)
+ {
+ log_error ("gcry_md_open failed for kdf_hash_algo %d: %s",
+ kdf_hash_algo, gpg_strerror (err));
+ return err;
+ }
+ gcry_md_write(h, "\x00\x00\x00\x01", 4); /* counter = 1 */
+ gcry_md_write(h, secret_x, secret_x_size); /* x of the point X */
+ gcry_md_write(h, kdf_params, kdf_params_size); /* KDF parameters */
+ gcry_md_final (h);
+ memcpy (secret_x, gcry_md_read (h, kdf_hash_algo), kek_size);
+ gcry_md_close (h);
+ /* Clean the tail before returning. */
+ memset (secret_x+kek_size, 0, secret_x_size - kek_size);
+ if (DBG_CRYPTO)
+ log_printhex (secret_x, kek_size, "ecdh KEK is:");
+ return err;
+}
+
+
+/* Prepare ECDH using SHARED, PK_FP fingerprint, and PKEY array.
+ Returns the cipher handle in R_HD, which needs to be closed by
+ the caller. */
+static gpg_error_t
+prepare_ecdh_with_shared_point (const char *shared, size_t nshared,
+ const byte pk_fp[MAX_FINGERPRINT_LEN],
+ gcry_mpi_t *pkey, gcry_cipher_hd_t *r_hd)
{
gpg_error_t err;
byte *secret_x;
int secret_x_size;
unsigned int nbits;
const unsigned char *kek_params;
size_t kek_params_size;
int kdf_hash_algo;
int kdf_encr_algo;
- unsigned char message[256];
- size_t message_size;
-
- *r_result = NULL;
-
- nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
- if (!nbits)
- return gpg_error (GPG_ERR_TOO_SHORT);
+ unsigned char kdf_params[256];
+ size_t kdf_params_size;
+ size_t kek_size;
+ gcry_cipher_hd_t hd;
- {
- size_t nbytes;
-
- /* Extract x component of the shared point: this is the actual
- shared secret. */
- nbytes = (mpi_get_nbits (pkey[1] /* public point */)+7)/8;
- secret_x = xtrymalloc_secure (nshared);
- if (!secret_x)
- return gpg_error_from_syserror ();
- memcpy (secret_x, shared, nshared);
-
- /* Expected size of the x component */
- secret_x_size = (nbits+7)/8;
-
- /* Extract X from the result. It must be in the format of:
- 04 || X || Y
- 40 || X
- 41 || X
-
- Since it always comes with the prefix, it's larger than X. In
- old experimental version of libgcrypt, there is a case where it
- returns X with no prefix of 40, so, nbytes == secret_x_size
- is allowed. */
- if (nbytes < secret_x_size)
- {
- xfree (secret_x);
- return gpg_error (GPG_ERR_BAD_DATA);
- }
-
- /* Remove the prefix. */
- if ((nbytes & 1))
- memmove (secret_x, secret_x+1, secret_x_size);
-
- /* Clear the rest of data. */
- if (nbytes - secret_x_size)
- memset (secret_x+secret_x_size, 0, nbytes-secret_x_size);
-
- if (DBG_CRYPTO)
- log_printhex (secret_x, secret_x_size, "ECDH shared secret X is:");
- }
-
- /*** We have now the shared secret bytes in secret_x. ***/
+ *r_hd = NULL;
- /* At this point we are done with PK encryption and the rest of the
- * function uses symmetric key encryption techniques to protect the
- * input DATA. The following two sections will simply replace
- * current secret_x with a value derived from it. This will become
- * a KEK.
- */
if (!gcry_mpi_get_flag (pkey[2], GCRYMPI_FLAG_OPAQUE))
return gpg_error (GPG_ERR_BUG);
+
kek_params = gcry_mpi_get_opaque (pkey[2], &nbits);
kek_params_size = (nbits+7)/8;
if (DBG_CRYPTO)
log_printhex (kek_params, kek_params_size, "ecdh KDF params:");
/* Expect 4 bytes 03 01 hash_alg symm_alg. */
if (kek_params_size != 4 || kek_params[0] != 3 || kek_params[1] != 1)
- {
- xfree (secret_x);
- return gpg_error (GPG_ERR_BAD_PUBKEY);
- }
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
kdf_hash_algo = kek_params[2];
kdf_encr_algo = kek_params[3];
if (DBG_CRYPTO)
log_debug ("ecdh KDF algorithms %s+%s with aeswrap\n",
openpgp_md_algo_name (kdf_hash_algo),
openpgp_cipher_algo_name (kdf_encr_algo));
if (kdf_hash_algo != GCRY_MD_SHA256
&& kdf_hash_algo != GCRY_MD_SHA384
&& kdf_hash_algo != GCRY_MD_SHA512)
- {
- xfree (secret_x);
- return gpg_error (GPG_ERR_BAD_PUBKEY);
- }
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+
if (kdf_encr_algo != CIPHER_ALGO_AES
&& kdf_encr_algo != CIPHER_ALGO_AES192
&& kdf_encr_algo != CIPHER_ALGO_AES256)
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+
+ kek_size = gcry_cipher_get_algo_keylen (kdf_encr_algo);
+ if (kek_size > gcry_md_get_algo_dlen (kdf_hash_algo))
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+
+ /* Build kdf_params. */
+ err = build_kdf_params (kdf_params, &kdf_params_size, pkey, pk_fp);
+ if (err)
+ return err;
+
+ nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
+ if (!nbits)
+ return gpg_error (GPG_ERR_TOO_SHORT);
+
+ secret_x_size = (nbits+7)/8;
+ if (kek_size > secret_x_size)
+ return gpg_error (GPG_ERR_BAD_PUBKEY);
+
+ err = extract_secret_x (&secret_x, shared, nshared,
+ /* pkey[1] is the public point */
+ (mpi_get_nbits (pkey[1])+7)/8,
+ secret_x_size);
+ if (err)
+ return err;
+
+ /*** We have now the shared secret bytes in secret_x. ***/
+
+ /* At this point we are done with PK encryption and the rest of the
+ * function uses symmetric key encryption techniques to protect the
+ * input DATA. The following two sections will simply replace
+ * current secret_x with a value derived from it. This will become
+ * a KEK.
+ */
+
+ /* Derive a KEK (key wrapping key) using SECRET_X and KDF_PARAMS. */
+ err = derive_kek (kek_size, kdf_hash_algo, secret_x,
+ secret_x_size, kdf_params, kdf_params_size);
+ if (err)
{
xfree (secret_x);
- return gpg_error (GPG_ERR_BAD_PUBKEY);
+ return err;
}
- /* Build kdf_params. */
- {
- IOBUF obuf;
-
- obuf = iobuf_temp();
- /* variable-length field 1, curve name OID */
- err = gpg_mpi_write_nohdr (obuf, pkey[0]);
- /* fixed-length field 2 */
- iobuf_put (obuf, PUBKEY_ALGO_ECDH);
- /* variable-length field 3, KDF params */
- err = (err ? err : gpg_mpi_write_nohdr (obuf, pkey[2]));
- /* fixed-length field 4 */
- iobuf_write (obuf, "Anonymous Sender ", 20);
- /* fixed-length field 5, recipient fp */
- iobuf_write (obuf, pk_fp, 20);
-
- message_size = iobuf_temp_to_buffer (obuf, message, sizeof message);
- iobuf_close (obuf);
- if (err)
- {
- xfree (secret_x);
- return err;
- }
-
- if(DBG_CRYPTO)
- log_printhex (message, message_size, "ecdh KDF message params are:");
- }
-
- /* Derive a KEK (key wrapping key) using MESSAGE and SECRET_X. */
- {
- gcry_md_hd_t h;
- int old_size;
-
- err = gcry_md_open (&h, kdf_hash_algo, 0);
- if (err)
- {
- log_error ("gcry_md_open failed for kdf_hash_algo %d: %s",
- kdf_hash_algo, gpg_strerror (err));
- xfree (secret_x);
- return err;
- }
- gcry_md_write(h, "\x00\x00\x00\x01", 4); /* counter = 1 */
- gcry_md_write(h, secret_x, secret_x_size); /* x of the point X */
- gcry_md_write(h, message, message_size); /* KDF parameters */
-
- gcry_md_final (h);
-
- log_assert( gcry_md_get_algo_dlen (kdf_hash_algo) >= 32 );
-
- memcpy (secret_x, gcry_md_read (h, kdf_hash_algo),
- gcry_md_get_algo_dlen (kdf_hash_algo));
- gcry_md_close (h);
-
- old_size = secret_x_size;
- log_assert( old_size >= gcry_cipher_get_algo_keylen( kdf_encr_algo ) );
- secret_x_size = gcry_cipher_get_algo_keylen( kdf_encr_algo );
- log_assert( secret_x_size <= gcry_md_get_algo_dlen (kdf_hash_algo) );
-
- /* We could have allocated more, so clean the tail before returning. */
- memset (secret_x+secret_x_size, 0, old_size - secret_x_size);
- if (DBG_CRYPTO)
- log_printhex (secret_x, secret_x_size, "ecdh KEK is:");
- }
-
/* And, finally, aeswrap with key secret_x. */
- {
- gcry_cipher_hd_t hd;
-
- byte *data_buf;
- int data_buf_size;
-
- gcry_mpi_t result;
-
- err = gcry_cipher_open (&hd, kdf_encr_algo, GCRY_CIPHER_MODE_AESWRAP, 0);
- if (err)
- {
- log_error ("ecdh failed to initialize AESWRAP: %s\n",
- gpg_strerror (err));
- xfree (secret_x);
- return err;
- }
-
- err = gcry_cipher_setkey (hd, secret_x, secret_x_size);
- secret_x = NULL;
- xfree (secret_x);
- if (err)
- {
- gcry_cipher_close (hd);
- log_error ("ecdh failed in gcry_cipher_setkey: %s\n",
- gpg_strerror (err));
- return err;
- }
-
- data_buf_size = ndata;
- if ((data_buf_size & 7) != (is_encrypt ? 0 : 1))
- {
- log_error ("can't use a shared secret of %d bytes for ecdh\n",
- data_buf_size);
- return gpg_error (GPG_ERR_BAD_DATA);
- }
-
- data_buf = xtrymalloc_secure( 1 + 2*data_buf_size + 8);
- if (!data_buf)
- {
- err = gpg_error_from_syserror ();
- gcry_cipher_close (hd);
- return err;
- }
-
- if (is_encrypt)
- {
- byte *in = data_buf+1+data_buf_size+8;
-
- /* Write data MPI into the end of data_buf. data_buf is size
- aeswrap data. */
- memcpy (in, data, ndata);
-
- if (DBG_CRYPTO)
- log_printhex (in, data_buf_size, "ecdh encrypting :");
-
- err = gcry_cipher_encrypt (hd, data_buf+1, data_buf_size+8,
- in, data_buf_size);
- memset (in, 0, data_buf_size);
- gcry_cipher_close (hd);
- if (err)
- {
- log_error ("ecdh failed in gcry_cipher_encrypt: %s\n",
- gpg_strerror (err));
- xfree (data_buf);
- return err;
- }
- data_buf[0] = data_buf_size+8;
-
- if (DBG_CRYPTO)
- log_printhex (data_buf+1, data_buf[0], "ecdh encrypted to:");
-
- result = gcry_mpi_set_opaque (NULL, data_buf, 8 * (1+data_buf[0]));
- if (!result)
- {
- err = gpg_error_from_syserror ();
- xfree (data_buf);
- log_error ("ecdh failed to create an MPI: %s\n",
- gpg_strerror (err));
- return err;
- }
-
- *r_result = result;
- }
- else
- {
- byte *in;
-
- if (!data || ndata > data_buf_size || !ndata)
- {
- xfree (data_buf);
- return gpg_error (GPG_ERR_BAD_MPI);
- }
- memcpy (data_buf, data, ndata);
- if (data_buf[0] != ndata-1)
- {
- log_error ("ecdh inconsistent size\n");
- xfree (data_buf);
- return gpg_error (GPG_ERR_BAD_MPI);
- }
- in = data_buf+data_buf_size;
- data_buf_size = data_buf[0];
-
- if (DBG_CRYPTO)
- log_printhex (data_buf+1, data_buf_size, "ecdh decrypting :");
-
- err = gcry_cipher_decrypt (hd, in, data_buf_size, data_buf+1,
- data_buf_size);
- gcry_cipher_close (hd);
- if (err)
- {
- log_error ("ecdh failed in gcry_cipher_decrypt: %s\n",
- gpg_strerror (err));
- xfree (data_buf);
- return err;
- }
-
- data_buf_size -= 8;
-
- if (DBG_CRYPTO)
- log_printhex (in, data_buf_size, "ecdh decrypted to :");
-
- /* Padding is removed later. */
- /* if (in[data_buf_size-1] > 8 ) */
- /* { */
- /* log_error ("ecdh failed at decryption: invalid padding." */
- /* " 0x%02x > 8\n", in[data_buf_size-1] ); */
- /* return gpg_error (GPG_ERR_BAD_KEY); */
- /* } */
-
- err = gcry_mpi_scan (&result, GCRYMPI_FMT_USG, in, data_buf_size, NULL);
- xfree (data_buf);
- if (err)
- {
- log_error ("ecdh failed to create a plain text MPI: %s\n",
- gpg_strerror (err));
- return err;
- }
-
- *r_result = result;
- }
- }
+ err = gcry_cipher_open (&hd, kdf_encr_algo, GCRY_CIPHER_MODE_AESWRAP, 0);
+ if (err)
+ {
+ log_error ("ecdh failed to initialize AESWRAP: %s\n",
+ gpg_strerror (err));
+ xfree (secret_x);
+ return err;
+ }
+
+ err = gcry_cipher_setkey (hd, secret_x, kek_size);
+ xfree (secret_x);
+ secret_x = NULL;
+ if (err)
+ {
+ gcry_cipher_close (hd);
+ log_error ("ecdh failed in gcry_cipher_setkey: %s\n",
+ gpg_strerror (err));
+ }
+ else
+ *r_hd = hd;
+
+ return err;
+}
+
+
+/* Encrypts DATA using a key derived from the ECC shared point SHARED
+ using the FIPS SP 800-56A compliant method
+ key_derivation+key_wrapping. PKEY is the public key and PK_FP the
+ fingerprint of this public key. On success the result is stored at
+ R_RESULT; on failure NULL is stored at R_RESULT and an error code
+ returned. */
+gpg_error_t
+pk_ecdh_encrypt_with_shared_point (const char *shared, size_t nshared,
+ const byte pk_fp[MAX_FINGERPRINT_LEN],
+ const byte *data, size_t ndata,
+ gcry_mpi_t *pkey, gcry_mpi_t *r_result)
+{
+ gpg_error_t err;
+ gcry_cipher_hd_t hd;
+ byte *data_buf;
+ int data_buf_size;
+ gcry_mpi_t result;
+ byte *in;
+
+ *r_result = NULL;
+
+ err = prepare_ecdh_with_shared_point (shared, nshared, pk_fp, pkey, &hd);
+ if (err)
+ return err;
+
+ data_buf_size = ndata;
+ if ((data_buf_size & 7) != 0)
+ {
+ log_error ("can't use a shared secret of %d bytes for ecdh\n",
+ data_buf_size);
+ gcry_cipher_close (hd);
+ return gpg_error (GPG_ERR_BAD_DATA);
+ }
+
+ data_buf = xtrymalloc_secure( 1 + 2*data_buf_size + 8);
+ if (!data_buf)
+ {
+ err = gpg_error_from_syserror ();
+ gcry_cipher_close (hd);
+ return err;
+ }
+
+ in = data_buf+1+data_buf_size+8;
+
+ /* Write data MPI into the end of data_buf. data_buf is size
+ aeswrap data. */
+ memcpy (in, data, ndata);
+
+ if (DBG_CRYPTO)
+ log_printhex (in, data_buf_size, "ecdh encrypting :");
+
+ err = gcry_cipher_encrypt (hd, data_buf+1, data_buf_size+8,
+ in, data_buf_size);
+ memset (in, 0, data_buf_size);
+ gcry_cipher_close (hd);
+ if (err)
+ {
+ log_error ("ecdh failed in gcry_cipher_encrypt: %s\n",
+ gpg_strerror (err));
+ xfree (data_buf);
+ return err;
+ }
+ data_buf[0] = data_buf_size+8;
+
+ if (DBG_CRYPTO)
+ log_printhex (data_buf+1, data_buf[0], "ecdh encrypted to:");
+
+ result = gcry_mpi_set_opaque (NULL, data_buf, 8 * (1+data_buf[0]));
+ if (!result)
+ {
+ err = gpg_error_from_syserror ();
+ xfree (data_buf);
+ log_error ("ecdh failed to create an MPI: %s\n",
+ gpg_strerror (err));
+ return err;
+ }
+
+ *r_result = result;
return err;
}
static gcry_mpi_t
gen_k (unsigned nbits)
{
gcry_mpi_t k;
k = gcry_mpi_snew (nbits);
if (DBG_CRYPTO)
log_debug ("choosing a random k of %u bits\n", nbits);
gcry_mpi_randomize (k, nbits-1, GCRY_STRONG_RANDOM);
if (DBG_CRYPTO)
{
unsigned char *buffer;
if (gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buffer, NULL, k))
BUG ();
log_debug ("ephemeral scalar MPI #0: %s\n", buffer);
gcry_free (buffer);
}
return k;
}
/* Generate an ephemeral key for the public ECDH key in PKEY. On
success the generated key is stored at R_K; on failure NULL is
stored at R_K and an error code returned. */
gpg_error_t
pk_ecdh_generate_ephemeral_key (gcry_mpi_t *pkey, gcry_mpi_t *r_k)
{
unsigned int nbits;
gcry_mpi_t k;
*r_k = NULL;
nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
if (!nbits)
return gpg_error (GPG_ERR_TOO_SHORT);
k = gen_k (nbits);
if (!k)
BUG ();
*r_k = k;
return 0;
}
/* Perform ECDH decryption. */
int
-pk_ecdh_decrypt (gcry_mpi_t * result, const byte sk_fp[MAX_FINGERPRINT_LEN],
+pk_ecdh_decrypt (gcry_mpi_t * r_result, const byte sk_fp[MAX_FINGERPRINT_LEN],
gcry_mpi_t data,
- const byte *frame, size_t nframe, gcry_mpi_t * skey)
+ const byte *shared, size_t nshared, gcry_mpi_t * skey)
{
- int r;
- byte *p;
+ gpg_error_t err;
+ gcry_cipher_hd_t hd;
+ size_t nbytes;
+ byte *data_buf;
+ int data_buf_size;
+ byte *in;
+ const void *p;
unsigned int nbits;
- if (!data)
- return gpg_error (GPG_ERR_BAD_MPI);
+ *r_result = NULL;
+
+ err = prepare_ecdh_with_shared_point (shared, nshared, sk_fp, skey, &hd);
+ if (err)
+ return err;
+
+ p = gcry_mpi_get_opaque (data, &nbits);
+ nbytes = (nbits+7)/8;
+
+ data_buf_size = nbytes;
+ if ((data_buf_size & 7) != 1)
+ {
+ log_error ("can't use a shared secret of %d bytes for ecdh\n",
+ data_buf_size);
+ gcry_cipher_close (hd);
+ return gpg_error (GPG_ERR_BAD_DATA);
+ }
+
+ data_buf = xtrymalloc_secure( 1 + 2*data_buf_size + 8);
+ if (!data_buf)
+ {
+ err = gpg_error_from_syserror ();
+ gcry_cipher_close (hd);
+ return err;
+ }
+
+ if (!p)
+ {
+ xfree (data_buf);
+ gcry_cipher_close (hd);
+ return gpg_error (GPG_ERR_BAD_MPI);
+ }
+ memcpy (data_buf, p, nbytes);
+ if (data_buf[0] != nbytes-1)
+ {
+ log_error ("ecdh inconsistent size\n");
+ xfree (data_buf);
+ gcry_cipher_close (hd);
+ return gpg_error (GPG_ERR_BAD_MPI);
+ }
+ in = data_buf+data_buf_size;
+ data_buf_size = data_buf[0];
- p = gcry_mpi_get_opaque (data, &nbits);/*encr data as an MPI*/
+ if (DBG_CRYPTO)
+ log_printhex (data_buf+1, data_buf_size, "ecdh decrypting :");
- r = pk_ecdh_encrypt_with_shared_point (0 /*=decryption*/, frame, nframe,
- sk_fp, p, (nbits+7)/8,
- skey, result);
- return r;
+ err = gcry_cipher_decrypt (hd, in, data_buf_size, data_buf+1,
+ data_buf_size);
+ gcry_cipher_close (hd);
+ if (err)
+ {
+ log_error ("ecdh failed in gcry_cipher_decrypt: %s\n",
+ gpg_strerror (err));
+ xfree (data_buf);
+ return err;
+ }
+
+ data_buf_size -= 8;
+
+ if (DBG_CRYPTO)
+ log_printhex (in, data_buf_size, "ecdh decrypted to :");
+
+ /* Padding is removed later. */
+ /* if (in[data_buf_size-1] > 8 ) */
+ /* { */
+ /* log_error ("ecdh failed at decryption: invalid padding." */
+ /* " 0x%02x > 8\n", in[data_buf_size-1] ); */
+ /* return gpg_error (GPG_ERR_BAD_KEY); */
+ /* } */
+
+ err = gcry_mpi_scan (r_result, GCRYMPI_FMT_USG, in, data_buf_size, NULL);
+ xfree (data_buf);
+ if (err)
+ {
+ log_error ("ecdh failed to create a plain text MPI: %s\n",
+ gpg_strerror (err));
+ return err;
+ }
+
+ return err;
}
diff --git a/g10/pkglue.c b/g10/pkglue.c
index 7dadeb44a..747159759 100644
--- a/g10/pkglue.c
+++ b/g10/pkglue.c
@@ -1,469 +1,469 @@
/* pkglue.c - public key operations glue code
* Copyright (C) 2000, 2003, 2010 Free Software Foundation, Inc.
* Copyright (C) 2014 Werner Koch
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#include
#include
#include
#include
#include
#include "gpg.h"
#include "../common/util.h"
#include "pkglue.h"
#include "main.h"
#include "options.h"
/* FIXME: Better change the function name because mpi_ is used by
gcrypt macros. */
gcry_mpi_t
get_mpi_from_sexp (gcry_sexp_t sexp, const char *item, int mpifmt)
{
gcry_sexp_t list;
gcry_mpi_t data;
list = gcry_sexp_find_token (sexp, item, 0);
log_assert (list);
data = gcry_sexp_nth_mpi (list, 1, mpifmt);
log_assert (data);
gcry_sexp_release (list);
return data;
}
static byte *
get_data_from_sexp (gcry_sexp_t sexp, const char *item, size_t *r_size)
{
gcry_sexp_t list;
size_t valuelen;
const char *value;
byte *v;
log_printsexp ("get_data_from_sexp:", sexp);
list = gcry_sexp_find_token (sexp, item, 0);
log_assert (list);
value = gcry_sexp_nth_data (list, 1, &valuelen);
log_assert (value);
v = xtrymalloc (valuelen);
memcpy (v, value, valuelen);
gcry_sexp_release (list);
*r_size = valuelen;
return v;
}
/****************
* Emulate our old PK interface here - sometime in the future we might
* change the internal design to directly fit to libgcrypt.
*/
int
pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,
gcry_mpi_t *data, gcry_mpi_t *pkey)
{
gcry_sexp_t s_sig, s_hash, s_pkey;
int rc;
unsigned int neededfixedlen = 0;
/* Make a sexp from pkey. */
if (pkalgo == PUBKEY_ALGO_DSA)
{
rc = gcry_sexp_build (&s_pkey, NULL,
"(public-key(dsa(p%m)(q%m)(g%m)(y%m)))",
pkey[0], pkey[1], pkey[2], pkey[3]);
}
else if (pkalgo == PUBKEY_ALGO_ELGAMAL_E || pkalgo == PUBKEY_ALGO_ELGAMAL)
{
rc = gcry_sexp_build (&s_pkey, NULL,
"(public-key(elg(p%m)(g%m)(y%m)))",
pkey[0], pkey[1], pkey[2]);
}
else if (pkalgo == PUBKEY_ALGO_RSA || pkalgo == PUBKEY_ALGO_RSA_S)
{
rc = gcry_sexp_build (&s_pkey, NULL,
"(public-key(rsa(n%m)(e%m)))", pkey[0], pkey[1]);
}
else if (pkalgo == PUBKEY_ALGO_ECDSA)
{
char *curve = openpgp_oid_to_str (pkey[0]);
if (!curve)
rc = gpg_error_from_syserror ();
else
{
rc = gcry_sexp_build (&s_pkey, NULL,
"(public-key(ecdsa(curve %s)(q%m)))",
curve, pkey[1]);
xfree (curve);
}
}
else if (pkalgo == PUBKEY_ALGO_EDDSA)
{
char *curve = openpgp_oid_to_str (pkey[0]);
if (!curve)
rc = gpg_error_from_syserror ();
else
{
rc = gcry_sexp_build (&s_pkey, NULL,
"(public-key(ecc(curve %s)"
"(flags eddsa)(q%m)))",
curve, pkey[1]);
xfree (curve);
}
if (openpgp_oid_is_ed25519 (pkey[0]))
neededfixedlen = 256 / 8;
}
else
return GPG_ERR_PUBKEY_ALGO;
if (rc)
BUG (); /* gcry_sexp_build should never fail. */
/* Put hash into a S-Exp s_hash. */
if (pkalgo == PUBKEY_ALGO_EDDSA)
{
if (gcry_sexp_build (&s_hash, NULL,
"(data(flags eddsa)(hash-algo sha512)(value %m))",
hash))
BUG (); /* gcry_sexp_build should never fail. */
}
else
{
if (gcry_sexp_build (&s_hash, NULL, "%m", hash))
BUG (); /* gcry_sexp_build should never fail. */
}
/* Put data into a S-Exp s_sig. */
s_sig = NULL;
if (pkalgo == PUBKEY_ALGO_DSA)
{
if (!data[0] || !data[1])
rc = gpg_error (GPG_ERR_BAD_MPI);
else
rc = gcry_sexp_build (&s_sig, NULL,
"(sig-val(dsa(r%m)(s%m)))", data[0], data[1]);
}
else if (pkalgo == PUBKEY_ALGO_ECDSA)
{
if (!data[0] || !data[1])
rc = gpg_error (GPG_ERR_BAD_MPI);
else
rc = gcry_sexp_build (&s_sig, NULL,
"(sig-val(ecdsa(r%m)(s%m)))", data[0], data[1]);
}
else if (pkalgo == PUBKEY_ALGO_EDDSA)
{
gcry_mpi_t r = data[0];
gcry_mpi_t s = data[1];
size_t rlen, slen, n; /* (bytes) */
char buf[64];
unsigned int nbits;
log_assert (neededfixedlen <= sizeof buf);
if (!r || !s)
rc = gpg_error (GPG_ERR_BAD_MPI);
else if ((rlen = (gcry_mpi_get_nbits (r)+7)/8) > neededfixedlen || !rlen)
rc = gpg_error (GPG_ERR_BAD_MPI);
else if ((slen = (gcry_mpi_get_nbits (s)+7)/8) > neededfixedlen || !slen)
rc = gpg_error (GPG_ERR_BAD_MPI);
else
{
/* We need to fixup the length in case of leading zeroes.
* OpenPGP does not allow leading zeroes and the parser for
* the signature packet has no information on the use curve,
* thus we need to do it here. We won't do it for opaque
* MPIs under the assumption that they are known to be fine;
* we won't see them here anyway but the check is anyway
* required. Fixme: A nifty feature for gcry_sexp_build
* would be a format to left pad the value (e.g. "%*M"). */
rc = 0;
if (rlen < neededfixedlen
&& !gcry_mpi_get_flag (r, GCRYMPI_FLAG_OPAQUE)
&& !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, r)))
{
log_assert (n < neededfixedlen);
memmove (buf + (neededfixedlen - n), buf, n);
memset (buf, 0, neededfixedlen - n);
r = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8);
}
else if (rlen < neededfixedlen
&& gcry_mpi_get_flag (r, GCRYMPI_FLAG_OPAQUE))
{
const unsigned char *p;
p = gcry_mpi_get_opaque (r, &nbits);
n = (nbits+7)/8;
memcpy (buf + (neededfixedlen - n), p, n);
memset (buf, 0, neededfixedlen - n);
gcry_mpi_set_opaque_copy (r, buf, neededfixedlen * 8);
}
if (slen < neededfixedlen
&& !gcry_mpi_get_flag (s, GCRYMPI_FLAG_OPAQUE)
&& !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, s)))
{
log_assert (n < neededfixedlen);
memmove (buf + (neededfixedlen - n), buf, n);
memset (buf, 0, neededfixedlen - n);
s = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8);
}
else if (slen < neededfixedlen
&& gcry_mpi_get_flag (s, GCRYMPI_FLAG_OPAQUE))
{
const unsigned char *p;
p = gcry_mpi_get_opaque (s, &nbits);
n = (nbits+7)/8;
memcpy (buf + (neededfixedlen - n), p, n);
memset (buf, 0, neededfixedlen - n);
gcry_mpi_set_opaque_copy (s, buf, neededfixedlen * 8);
}
if (!rc)
rc = gcry_sexp_build (&s_sig, NULL,
"(sig-val(eddsa(r%M)(s%M)))", r, s);
if (r != data[0])
gcry_mpi_release (r);
if (s != data[1])
gcry_mpi_release (s);
}
}
else if (pkalgo == PUBKEY_ALGO_ELGAMAL || pkalgo == PUBKEY_ALGO_ELGAMAL_E)
{
if (!data[0] || !data[1])
rc = gpg_error (GPG_ERR_BAD_MPI);
else
rc = gcry_sexp_build (&s_sig, NULL,
"(sig-val(elg(r%m)(s%m)))", data[0], data[1]);
}
else if (pkalgo == PUBKEY_ALGO_RSA || pkalgo == PUBKEY_ALGO_RSA_S)
{
if (!data[0])
rc = gpg_error (GPG_ERR_BAD_MPI);
else
rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%m)))", data[0]);
}
else
BUG ();
if (!rc)
rc = gcry_pk_verify (s_sig, s_hash, s_pkey);
gcry_sexp_release (s_sig);
gcry_sexp_release (s_hash);
gcry_sexp_release (s_pkey);
return rc;
}
/****************
* Emulate our old PK interface here - sometime in the future we might
* change the internal design to directly fit to libgcrypt.
* PK is only required to compute the fingerprint for ECDH.
*/
int
pk_encrypt (pubkey_algo_t algo, gcry_mpi_t *resarr, gcry_mpi_t data,
PKT_public_key *pk, gcry_mpi_t *pkey)
{
gcry_sexp_t s_ciph = NULL;
gcry_sexp_t s_data = NULL;
gcry_sexp_t s_pkey = NULL;
int rc;
/* Make a sexp from pkey. */
if (algo == PUBKEY_ALGO_ELGAMAL || algo == PUBKEY_ALGO_ELGAMAL_E)
{
rc = gcry_sexp_build (&s_pkey, NULL,
"(public-key(elg(p%m)(g%m)(y%m)))",
pkey[0], pkey[1], pkey[2]);
/* Put DATA into a simplified S-expression. */
if (!rc)
rc = gcry_sexp_build (&s_data, NULL, "%m", data);
}
else if (algo == PUBKEY_ALGO_RSA || algo == PUBKEY_ALGO_RSA_E)
{
rc = gcry_sexp_build (&s_pkey, NULL,
"(public-key(rsa(n%m)(e%m)))",
pkey[0], pkey[1]);
/* Put DATA into a simplified S-expression. */
if (!rc)
rc = gcry_sexp_build (&s_data, NULL, "%m", data);
}
else if (algo == PUBKEY_ALGO_ECDH)
{
gcry_mpi_t k;
rc = pk_ecdh_generate_ephemeral_key (pkey, &k);
if (!rc)
{
char *curve;
curve = openpgp_oid_to_str (pkey[0]);
if (!curve)
rc = gpg_error_from_syserror ();
else
{
int with_djb_tweak_flag = openpgp_oid_is_cv25519 (pkey[0]);
/* Now use the ephemeral secret to compute the shared point. */
rc = gcry_sexp_build (&s_pkey, NULL,
with_djb_tweak_flag ?
"(public-key(ecdh(curve%s)(flags djb-tweak)(q%m)))"
: "(public-key(ecdh(curve%s)(q%m)))",
curve, pkey[1]);
xfree (curve);
/* Put K into a simplified S-expression. */
if (!rc)
rc = gcry_sexp_build (&s_data, NULL, "%m", k);
}
gcry_mpi_release (k);
}
}
else
rc = gpg_error (GPG_ERR_PUBKEY_ALGO);
/* Pass it to libgcrypt. */
if (!rc)
rc = gcry_pk_encrypt (&s_ciph, s_data, s_pkey);
gcry_sexp_release (s_data);
gcry_sexp_release (s_pkey);
if (rc)
;
else if (algo == PUBKEY_ALGO_ECDH)
{
gcry_mpi_t public, result;
byte fp[MAX_FINGERPRINT_LEN];
size_t fpn;
byte *shared;
size_t nshared;
/* Get the shared point and the ephemeral public key. */
shared = get_data_from_sexp (s_ciph, "s", &nshared);
public = get_mpi_from_sexp (s_ciph, "e", GCRYMPI_FMT_OPAQUE);
if (DBG_CRYPTO)
{
log_debug ("ECDH ephemeral key:");
gcry_mpi_dump (public);
log_printf ("\n");
}
result = NULL;
fingerprint_from_pk (pk, fp, &fpn);
if (fpn != 20)
rc = gpg_error (GPG_ERR_INV_LENGTH);
else
{
unsigned int nbits;
byte *p = gcry_mpi_get_opaque (data, &nbits);
- rc = pk_ecdh_encrypt_with_shared_point (1 /*=encrypton*/, shared, nshared,
- fp, p, (nbits+7)/8, pkey, &result);
+ rc = pk_ecdh_encrypt_with_shared_point (shared, nshared, fp, p,
+ (nbits+7)/8, pkey, &result);
}
xfree (shared);
if (!rc)
{
resarr[0] = public;
resarr[1] = result;
}
else
{
gcry_mpi_release (public);
gcry_mpi_release (result);
}
}
else /* Elgamal or RSA case. */
{ /* Fixme: Add better error handling or make gnupg use
S-expressions directly. */
resarr[0] = get_mpi_from_sexp (s_ciph, "a", GCRYMPI_FMT_USG);
if (!is_RSA (algo))
resarr[1] = get_mpi_from_sexp (s_ciph, "b", GCRYMPI_FMT_USG);
}
gcry_sexp_release (s_ciph);
return rc;
}
/* Check whether SKEY is a suitable secret key. */
int
pk_check_secret_key (pubkey_algo_t pkalgo, gcry_mpi_t *skey)
{
gcry_sexp_t s_skey;
int rc;
if (pkalgo == PUBKEY_ALGO_DSA)
{
rc = gcry_sexp_build (&s_skey, NULL,
"(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))",
skey[0], skey[1], skey[2], skey[3], skey[4]);
}
else if (pkalgo == PUBKEY_ALGO_ELGAMAL || pkalgo == PUBKEY_ALGO_ELGAMAL_E)
{
rc = gcry_sexp_build (&s_skey, NULL,
"(private-key(elg(p%m)(g%m)(y%m)(x%m)))",
skey[0], skey[1], skey[2], skey[3]);
}
else if (is_RSA (pkalgo))
{
rc = gcry_sexp_build (&s_skey, NULL,
"(private-key(rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m)))",
skey[0], skey[1], skey[2], skey[3], skey[4],
skey[5]);
}
else if (pkalgo == PUBKEY_ALGO_ECDSA || pkalgo == PUBKEY_ALGO_ECDH)
{
char *curve = openpgp_oid_to_str (skey[0]);
if (!curve)
rc = gpg_error_from_syserror ();
else
{
rc = gcry_sexp_build (&s_skey, NULL,
"(private-key(ecc(curve%s)(q%m)(d%m)))",
curve, skey[1], skey[2]);
xfree (curve);
}
}
else if (pkalgo == PUBKEY_ALGO_EDDSA)
{
char *curve = openpgp_oid_to_str (skey[0]);
if (!curve)
rc = gpg_error_from_syserror ();
else
{
rc = gcry_sexp_build (&s_skey, NULL,
"(private-key(ecc(curve %s)"
"(flags eddsa)(q%m)(d%m)))",
curve, skey[1], skey[2]);
xfree (curve);
}
}
else
return GPG_ERR_PUBKEY_ALGO;
if (!rc)
{
rc = gcry_pk_testkey (s_skey);
gcry_sexp_release (s_skey);
}
return rc;
}
diff --git a/g10/pkglue.h b/g10/pkglue.h
index 438a0c542..93f998937 100644
--- a/g10/pkglue.h
+++ b/g10/pkglue.h
@@ -1,53 +1,53 @@
/* pkglue.h - public key operations definitions
* Copyright (C) 2003, 2010 Free Software Foundation, Inc.
*
* This file is part of GnuPG.
*
* GnuPG is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 3 of the License, or
* (at your option) any later version.
*
* GnuPG is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, see .
*/
#ifndef GNUPG_G10_PKGLUE_H
#define GNUPG_G10_PKGLUE_H
#include "packet.h" /* For PKT_public_key. */
/*-- pkglue.c --*/
gcry_mpi_t get_mpi_from_sexp (gcry_sexp_t sexp, const char *item, int mpifmt);
int pk_verify (pubkey_algo_t algo, gcry_mpi_t hash, gcry_mpi_t *data,
gcry_mpi_t *pkey);
int pk_encrypt (pubkey_algo_t algo, gcry_mpi_t *resarr, gcry_mpi_t data,
PKT_public_key *pk, gcry_mpi_t *pkey);
int pk_check_secret_key (pubkey_algo_t algo, gcry_mpi_t *skey);
/*-- ecdh.c --*/
gcry_mpi_t pk_ecdh_default_params (unsigned int qbits);
gpg_error_t pk_ecdh_generate_ephemeral_key (gcry_mpi_t *pkey, gcry_mpi_t *r_k);
gpg_error_t pk_ecdh_encrypt_with_shared_point
-/* */ (int is_encrypt, const char *shared, size_t nshared,
+/* */ (const char *shared, size_t nshared,
const byte pk_fp[MAX_FINGERPRINT_LEN],
const byte *data, size_t ndata,
gcry_mpi_t *pkey,
gcry_mpi_t *out);
int pk_ecdh_encrypt (gcry_mpi_t *resarr, const byte pk_fp[MAX_FINGERPRINT_LEN],
gcry_mpi_t data, gcry_mpi_t * pkey);
int pk_ecdh_decrypt (gcry_mpi_t *result, const byte sk_fp[MAX_FINGERPRINT_LEN],
gcry_mpi_t data,
const byte *frame, size_t nframe,
gcry_mpi_t * skey);
#endif /*GNUPG_G10_PKGLUE_H*/