2011-01-05 17:33:17 -08:00
|
|
|
/* ecdh.c - ECDH public key operations used in public key glue code
|
2011-01-31 15:44:24 +01:00
|
|
|
* Copyright (C) 2010, 2011 Free Software Foundation, Inc.
|
2011-01-05 17:33:17 -08:00
|
|
|
*
|
|
|
|
* This file is part of GnuPG.
|
|
|
|
*
|
|
|
|
* GnuPG is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License as published by
|
|
|
|
* the Free Software Foundation; either version 3 of the License, or
|
|
|
|
* (at your option) any later version.
|
|
|
|
*
|
|
|
|
* GnuPG is distributed in the hope that it will be useful,
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
*
|
|
|
|
* You should have received a copy of the GNU General Public License
|
2016-11-05 12:02:19 +01:00
|
|
|
* along with this program; if not, see <https://www.gnu.org/licenses/>.
|
2011-01-05 17:33:17 -08:00
|
|
|
*/
|
|
|
|
|
|
|
|
#include <config.h>
|
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
|
|
|
#include <errno.h>
|
|
|
|
|
|
|
|
#include "gpg.h"
|
2017-03-07 20:21:23 +09:00
|
|
|
#include "../common/util.h"
|
2011-01-05 17:33:17 -08:00
|
|
|
#include "pkglue.h"
|
|
|
|
#include "main.h"
|
|
|
|
#include "options.h"
|
|
|
|
|
2011-01-25 17:48:51 +01:00
|
|
|
/* A table with the default KEK parameters used by GnuPG. */
|
|
|
|
static const struct
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2011-01-25 17:48:51 +01:00
|
|
|
unsigned int qbits;
|
|
|
|
int openpgp_hash_id; /* KEK digest algorithm. */
|
|
|
|
int openpgp_cipher_id; /* KEK cipher algorithm. */
|
2011-02-02 15:48:54 +01:00
|
|
|
} kek_params_table[] =
|
2011-01-25 17:48:51 +01:00
|
|
|
/* Note: Must be sorted by ascending values for QBITS. */
|
|
|
|
{
|
2011-01-05 17:33:17 -08:00
|
|
|
{ 256, DIGEST_ALGO_SHA256, CIPHER_ALGO_AES },
|
2019-03-13 09:12:14 +09:00
|
|
|
{ 384, DIGEST_ALGO_SHA384, CIPHER_ALGO_AES192 },
|
2011-01-21 12:00:57 +01:00
|
|
|
|
|
|
|
/* Note: 528 is 521 rounded to the 8 bit boundary */
|
|
|
|
{ 528, DIGEST_ALGO_SHA512, CIPHER_ALGO_AES256 }
|
2011-01-05 17:33:17 -08:00
|
|
|
};
|
|
|
|
|
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
|
2011-01-31 09:27:06 +01:00
|
|
|
/* Return KEK parameters as an opaque MPI The caller must free the
|
|
|
|
returned value. Returns NULL and sets ERRNO on error. */
|
|
|
|
gcry_mpi_t
|
|
|
|
pk_ecdh_default_params (unsigned int qbits)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2011-01-31 09:27:06 +01:00
|
|
|
byte *kek_params;
|
2011-01-05 17:33:17 -08:00
|
|
|
int i;
|
|
|
|
|
2011-01-31 09:27:06 +01:00
|
|
|
kek_params = xtrymalloc (4);
|
|
|
|
if (!kek_params)
|
|
|
|
return NULL;
|
2011-01-25 17:48:51 +01:00
|
|
|
kek_params[0] = 3; /* Number of bytes to follow. */
|
2011-02-02 15:48:54 +01:00
|
|
|
kek_params[1] = 1; /* Version for KDF+AESWRAP. */
|
|
|
|
|
2011-01-25 17:48:51 +01:00
|
|
|
/* Search for matching KEK parameter. Defaults to the strongest
|
|
|
|
possible choices. Performance is not an issue here, only
|
|
|
|
interoperability. */
|
|
|
|
for (i=0; i < DIM (kek_params_table); i++)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2011-01-25 17:48:51 +01:00
|
|
|
if (kek_params_table[i].qbits >= qbits
|
|
|
|
|| i+1 == DIM (kek_params_table))
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
|
|
|
kek_params[2] = kek_params_table[i].openpgp_hash_id;
|
|
|
|
kek_params[3] = kek_params_table[i].openpgp_cipher_id;
|
|
|
|
break;
|
|
|
|
}
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert (i < DIM (kek_params_table));
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (kek_params, sizeof(kek_params), "ECDH KEK params are");
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 09:27:06 +01:00
|
|
|
return gcry_mpi_set_opaque (NULL, kek_params, 4 * 8);
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
|
2021-05-04 11:51:34 +02:00
|
|
|
/* Extract x-component from the point (SHARED,NSHARED) and strore it
|
|
|
|
* in a new buffer at R_SECRET_X. POINT_NBYTES is the size to
|
|
|
|
* represent an EC point which is determined by the public key.
|
|
|
|
* SECRET_X_SIZE is the size of x component to represent an integer
|
|
|
|
* which is determined by the curve. */
|
|
|
|
static gpg_error_t
|
|
|
|
extract_secret_x (byte **r_secret_x,
|
|
|
|
const char *shared, size_t nshared,
|
|
|
|
size_t point_nbytes, size_t secret_x_size)
|
|
|
|
{
|
|
|
|
byte *secret_x;
|
|
|
|
|
|
|
|
*r_secret_x = NULL;
|
|
|
|
|
|
|
|
/* Extract X from the result. It must be in the format of:
|
|
|
|
04 || X || Y
|
|
|
|
40 || X
|
|
|
|
41 || X
|
|
|
|
|
|
|
|
Since it may come with the prefix, the size of point is larger
|
|
|
|
than or equals to the size of an integer X. We also better check
|
|
|
|
that the provided shared point is not larger than the size needed
|
|
|
|
to represent the point. */
|
|
|
|
if (point_nbytes < secret_x_size)
|
|
|
|
return gpg_error (GPG_ERR_BAD_DATA);
|
|
|
|
if (point_nbytes < nshared)
|
|
|
|
return gpg_error (GPG_ERR_BAD_DATA);
|
|
|
|
|
|
|
|
/* Extract x component of the shared point: this is the actual
|
|
|
|
shared secret. */
|
|
|
|
secret_x = xtrymalloc_secure (point_nbytes);
|
|
|
|
if (!secret_x)
|
|
|
|
return gpg_error_from_syserror ();
|
|
|
|
|
|
|
|
memcpy (secret_x, shared, nshared);
|
|
|
|
|
|
|
|
/* Wrangle the provided point unless only the x-component w/o any
|
|
|
|
* prefix was provided. */
|
|
|
|
if (nshared != secret_x_size)
|
|
|
|
{
|
|
|
|
/* Remove the prefix. */
|
|
|
|
if ((point_nbytes & 1))
|
|
|
|
memmove (secret_x, secret_x+1, secret_x_size);
|
|
|
|
|
|
|
|
/* Clear the rest of data. */
|
|
|
|
if (point_nbytes - secret_x_size)
|
|
|
|
memset (secret_x+secret_x_size, 0, point_nbytes-secret_x_size);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (DBG_CRYPTO)
|
|
|
|
log_printhex (secret_x, secret_x_size, "ECDH shared secret X is:");
|
|
|
|
|
|
|
|
*r_secret_x = secret_x;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
/* Encrypts/decrypts DATA using a key derived from the ECC shared
|
2021-05-04 11:51:34 +02:00
|
|
|
point (SHARED,NSHARED) using the FIPS SP 800-56A compliant method
|
2011-01-25 20:28:25 +01:00
|
|
|
key_derivation+key_wrapping. If IS_ENCRYPT is true the function
|
2011-04-28 10:51:14 +02:00
|
|
|
encrypts; if false, it decrypts. PKEY is the public key and PK_FP
|
|
|
|
the fingerprint of this public key. On success the result is
|
|
|
|
stored at R_RESULT; on failure NULL is stored at R_RESULT and an
|
|
|
|
error code returned. */
|
2011-01-25 20:28:25 +01:00
|
|
|
gpg_error_t
|
2021-05-04 11:51:34 +02:00
|
|
|
pk_ecdh_encrypt_with_shared_point (int is_encrypt,
|
|
|
|
const char *shared, size_t nshared,
|
2011-01-21 12:00:57 +01:00
|
|
|
const byte pk_fp[MAX_FINGERPRINT_LEN],
|
|
|
|
gcry_mpi_t data, gcry_mpi_t *pkey,
|
2011-01-25 20:28:25 +01:00
|
|
|
gcry_mpi_t *r_result)
|
2011-01-05 17:33:17 -08:00
|
|
|
{
|
2011-01-25 20:28:25 +01:00
|
|
|
gpg_error_t err;
|
2011-01-05 17:33:17 -08:00
|
|
|
byte *secret_x;
|
|
|
|
int secret_x_size;
|
2011-01-31 15:44:24 +01:00
|
|
|
unsigned int nbits;
|
2011-02-02 15:48:54 +01:00
|
|
|
const unsigned char *kek_params;
|
|
|
|
size_t kek_params_size;
|
2011-01-05 17:33:17 -08:00
|
|
|
int kdf_hash_algo;
|
|
|
|
int kdf_encr_algo;
|
2021-05-04 11:51:34 +02:00
|
|
|
size_t kek_size;
|
2011-01-31 15:44:24 +01:00
|
|
|
unsigned char message[256];
|
|
|
|
size_t message_size;
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
*r_result = NULL;
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
if (!gcry_mpi_get_flag (pkey[2], GCRYMPI_FLAG_OPAQUE))
|
2021-05-04 11:51:34 +02:00
|
|
|
return gpg_error (GPG_ERR_BUG);
|
|
|
|
|
2011-02-02 15:48:54 +01:00
|
|
|
kek_params = gcry_mpi_get_opaque (pkey[2], &nbits);
|
|
|
|
kek_params_size = (nbits+7)/8;
|
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (kek_params, kek_params_size, "ecdh KDF params:");
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
/* Expect 4 bytes 03 01 hash_alg symm_alg. */
|
2011-02-02 15:48:54 +01:00
|
|
|
if (kek_params_size != 4 || kek_params[0] != 3 || kek_params[1] != 1)
|
2021-05-04 11:51:34 +02:00
|
|
|
return gpg_error (GPG_ERR_BAD_PUBKEY);
|
2011-02-02 15:48:54 +01:00
|
|
|
|
|
|
|
kdf_hash_algo = kek_params[2];
|
|
|
|
kdf_encr_algo = kek_params[3];
|
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2011-01-31 15:44:24 +01:00
|
|
|
log_debug ("ecdh KDF algorithms %s+%s with aeswrap\n",
|
|
|
|
openpgp_md_algo_name (kdf_hash_algo),
|
|
|
|
openpgp_cipher_algo_name (kdf_encr_algo));
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
if (kdf_hash_algo != GCRY_MD_SHA256
|
|
|
|
&& kdf_hash_algo != GCRY_MD_SHA384
|
|
|
|
&& kdf_hash_algo != GCRY_MD_SHA512)
|
2021-05-04 11:51:34 +02:00
|
|
|
return gpg_error (GPG_ERR_BAD_PUBKEY);
|
|
|
|
|
2014-01-31 14:35:49 +01:00
|
|
|
if (kdf_encr_algo != CIPHER_ALGO_AES
|
|
|
|
&& kdf_encr_algo != CIPHER_ALGO_AES192
|
|
|
|
&& kdf_encr_algo != CIPHER_ALGO_AES256)
|
2021-05-04 11:51:34 +02:00
|
|
|
return gpg_error (GPG_ERR_BAD_PUBKEY);
|
|
|
|
|
|
|
|
kek_size = gcry_cipher_get_algo_keylen (kdf_encr_algo);
|
|
|
|
if (kek_size > gcry_md_get_algo_dlen (kdf_hash_algo))
|
|
|
|
return gpg_error (GPG_ERR_BAD_PUBKEY);
|
|
|
|
|
|
|
|
|
|
|
|
nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
|
|
|
|
if (!nbits)
|
|
|
|
return gpg_error (GPG_ERR_TOO_SHORT);
|
|
|
|
|
|
|
|
/* Expected size of the x component */
|
|
|
|
secret_x_size = (nbits+7)/8;
|
|
|
|
|
|
|
|
if (kek_size > secret_x_size)
|
|
|
|
return gpg_error (GPG_ERR_BAD_PUBKEY);
|
|
|
|
|
|
|
|
err = extract_secret_x (&secret_x, shared, nshared,
|
|
|
|
(mpi_get_nbits (pkey[1] /* public point */)+7)/8,
|
|
|
|
secret_x_size);
|
|
|
|
if (err)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
/*** We have now the shared secret bytes in secret_x. ***/
|
|
|
|
|
|
|
|
/* At this point we are done with PK encryption and the rest of the
|
|
|
|
* function uses symmetric key encryption techniques to protect the
|
|
|
|
* input DATA. The following two sections will simply replace
|
|
|
|
* current secret_x with a value derived from it. This will become
|
|
|
|
* a KEK.
|
|
|
|
*/
|
|
|
|
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* Build kdf_params. */
|
2011-01-05 17:33:17 -08:00
|
|
|
{
|
|
|
|
IOBUF obuf;
|
|
|
|
|
|
|
|
obuf = iobuf_temp();
|
|
|
|
/* variable-length field 1, curve name OID */
|
2013-11-15 08:59:45 +01:00
|
|
|
err = gpg_mpi_write_nohdr (obuf, pkey[0]);
|
2011-01-05 17:33:17 -08:00
|
|
|
/* fixed-length field 2 */
|
|
|
|
iobuf_put (obuf, PUBKEY_ALGO_ECDH);
|
|
|
|
/* variable-length field 3, KDF params */
|
2013-11-15 08:59:45 +01:00
|
|
|
err = (err ? err : gpg_mpi_write_nohdr (obuf, pkey[2]));
|
2011-01-05 17:33:17 -08:00
|
|
|
/* fixed-length field 4 */
|
|
|
|
iobuf_write (obuf, "Anonymous Sender ", 20);
|
|
|
|
/* fixed-length field 5, recipient fp */
|
2011-02-02 15:48:54 +01:00
|
|
|
iobuf_write (obuf, pk_fp, 20);
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
message_size = iobuf_temp_to_buffer (obuf, message, sizeof message);
|
2011-01-21 12:00:57 +01:00
|
|
|
iobuf_close (obuf);
|
2011-01-25 20:28:25 +01:00
|
|
|
if (err)
|
2011-04-28 10:51:14 +02:00
|
|
|
{
|
|
|
|
xfree (secret_x);
|
|
|
|
return err;
|
|
|
|
}
|
2011-01-21 12:00:57 +01:00
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if(DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (message, message_size, "ecdh KDF message params are:");
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
|
|
|
|
2011-02-02 15:48:54 +01:00
|
|
|
/* Derive a KEK (key wrapping key) using MESSAGE and SECRET_X. */
|
2011-01-05 17:33:17 -08:00
|
|
|
{
|
|
|
|
gcry_md_hd_t h;
|
|
|
|
int old_size;
|
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
err = gcry_md_open (&h, kdf_hash_algo, 0);
|
2011-04-28 10:51:14 +02:00
|
|
|
if (err)
|
|
|
|
{
|
|
|
|
log_error ("gcry_md_open failed for kdf_hash_algo %d: %s",
|
|
|
|
kdf_hash_algo, gpg_strerror (err));
|
|
|
|
xfree (secret_x);
|
|
|
|
return err;
|
|
|
|
}
|
2011-01-31 15:44:24 +01:00
|
|
|
gcry_md_write(h, "\x00\x00\x00\x01", 4); /* counter = 1 */
|
2016-10-25 13:43:08 +02:00
|
|
|
gcry_md_write(h, secret_x, secret_x_size); /* x of the point X */
|
|
|
|
gcry_md_write(h, message, message_size); /* KDF parameters */
|
2011-01-05 17:33:17 -08:00
|
|
|
|
|
|
|
gcry_md_final (h);
|
|
|
|
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert( gcry_md_get_algo_dlen (kdf_hash_algo) >= 32 );
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
memcpy (secret_x, gcry_md_read (h, kdf_hash_algo),
|
|
|
|
gcry_md_get_algo_dlen (kdf_hash_algo));
|
2011-01-05 17:33:17 -08:00
|
|
|
gcry_md_close (h);
|
|
|
|
|
|
|
|
old_size = secret_x_size;
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert( old_size >= gcry_cipher_get_algo_keylen( kdf_encr_algo ) );
|
2011-01-05 17:33:17 -08:00
|
|
|
secret_x_size = gcry_cipher_get_algo_keylen( kdf_encr_algo );
|
2016-04-29 11:05:24 +02:00
|
|
|
log_assert( secret_x_size <= gcry_md_get_algo_dlen (kdf_hash_algo) );
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* We could have allocated more, so clean the tail before returning. */
|
2015-01-05 15:03:12 +01:00
|
|
|
memset (secret_x+secret_x_size, 0, old_size - secret_x_size);
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (secret_x, secret_x_size, "ecdh KEK is:");
|
2011-01-21 12:00:57 +01:00
|
|
|
}
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* And, finally, aeswrap with key secret_x. */
|
2011-01-05 17:33:17 -08:00
|
|
|
{
|
|
|
|
gcry_cipher_hd_t hd;
|
|
|
|
size_t nbytes;
|
|
|
|
|
|
|
|
byte *data_buf;
|
|
|
|
int data_buf_size;
|
|
|
|
|
|
|
|
gcry_mpi_t result;
|
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
err = gcry_cipher_open (&hd, kdf_encr_algo, GCRY_CIPHER_MODE_AESWRAP, 0);
|
|
|
|
if (err)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
|
|
|
log_error ("ecdh failed to initialize AESWRAP: %s\n",
|
2011-01-25 20:28:25 +01:00
|
|
|
gpg_strerror (err));
|
2011-04-28 10:51:14 +02:00
|
|
|
xfree (secret_x);
|
2011-01-25 20:28:25 +01:00
|
|
|
return err;
|
2011-01-21 12:00:57 +01:00
|
|
|
}
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
err = gcry_cipher_setkey (hd, secret_x, secret_x_size);
|
2011-04-28 10:51:14 +02:00
|
|
|
xfree (secret_x);
|
|
|
|
secret_x = NULL;
|
2011-01-25 20:28:25 +01:00
|
|
|
if (err)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2011-01-05 17:33:17 -08:00
|
|
|
gcry_cipher_close (hd);
|
2011-01-21 12:00:57 +01:00
|
|
|
log_error ("ecdh failed in gcry_cipher_setkey: %s\n",
|
2011-01-25 20:28:25 +01:00
|
|
|
gpg_strerror (err));
|
|
|
|
return err;
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
data_buf_size = (gcry_mpi_get_nbits(data)+7)/8;
|
2011-04-28 10:51:14 +02:00
|
|
|
if ((data_buf_size & 7) != (is_encrypt ? 0 : 1))
|
|
|
|
{
|
|
|
|
log_error ("can't use a shared secret of %d bytes for ecdh\n",
|
|
|
|
data_buf_size);
|
|
|
|
return gpg_error (GPG_ERR_BAD_DATA);
|
|
|
|
}
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
data_buf = xtrymalloc_secure( 1 + 2*data_buf_size + 8);
|
|
|
|
if (!data_buf)
|
2011-01-05 17:33:17 -08:00
|
|
|
{
|
2011-04-28 10:51:14 +02:00
|
|
|
err = gpg_error_from_syserror ();
|
2011-01-21 12:00:57 +01:00
|
|
|
gcry_cipher_close (hd);
|
2011-04-28 10:51:14 +02:00
|
|
|
return err;
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
if (is_encrypt)
|
2011-01-05 17:33:17 -08:00
|
|
|
{
|
2011-01-21 12:00:57 +01:00
|
|
|
byte *in = data_buf+1+data_buf_size+8;
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* Write data MPI into the end of data_buf. data_buf is size
|
|
|
|
aeswrap data. */
|
2011-01-25 20:28:25 +01:00
|
|
|
err = gcry_mpi_print (GCRYMPI_FMT_USG, in,
|
2011-01-21 12:00:57 +01:00
|
|
|
data_buf_size, &nbytes, data/*in*/);
|
2011-01-25 20:28:25 +01:00
|
|
|
if (err)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2011-01-25 20:28:25 +01:00
|
|
|
log_error ("ecdh failed to export DEK: %s\n", gpg_strerror (err));
|
2011-01-21 12:00:57 +01:00
|
|
|
gcry_cipher_close (hd);
|
|
|
|
xfree (data_buf);
|
2011-01-25 20:28:25 +01:00
|
|
|
return err;
|
2011-01-21 12:00:57 +01:00
|
|
|
}
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (in, data_buf_size, "ecdh encrypting :");
|
2011-01-21 12:00:57 +01:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
err = gcry_cipher_encrypt (hd, data_buf+1, data_buf_size+8,
|
2011-04-28 10:51:14 +02:00
|
|
|
in, data_buf_size);
|
2011-01-21 12:00:57 +01:00
|
|
|
memset (in, 0, data_buf_size);
|
|
|
|
gcry_cipher_close (hd);
|
2011-01-25 20:28:25 +01:00
|
|
|
if (err)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
|
|
|
log_error ("ecdh failed in gcry_cipher_encrypt: %s\n",
|
2011-01-25 20:28:25 +01:00
|
|
|
gpg_strerror (err));
|
2011-01-21 12:00:57 +01:00
|
|
|
xfree (data_buf);
|
2011-01-25 20:28:25 +01:00
|
|
|
return err;
|
2011-01-21 12:00:57 +01:00
|
|
|
}
|
|
|
|
data_buf[0] = data_buf_size+8;
|
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (data_buf+1, data_buf[0], "ecdh encrypted to:");
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
result = gcry_mpi_set_opaque (NULL, data_buf, 8 * (1+data_buf[0]));
|
|
|
|
if (!result)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2011-01-31 15:44:24 +01:00
|
|
|
err = gpg_error_from_syserror ();
|
|
|
|
xfree (data_buf);
|
|
|
|
log_error ("ecdh failed to create an MPI: %s\n",
|
|
|
|
gpg_strerror (err));
|
2011-01-25 20:28:25 +01:00
|
|
|
return err;
|
2011-01-21 12:00:57 +01:00
|
|
|
}
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
*r_result = result;
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
2011-01-21 12:00:57 +01:00
|
|
|
else
|
|
|
|
{
|
|
|
|
byte *in;
|
2011-01-31 15:44:24 +01:00
|
|
|
const void *p;
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
p = gcry_mpi_get_opaque (data, &nbits);
|
|
|
|
nbytes = (nbits+7)/8;
|
|
|
|
if (!p || nbytes > data_buf_size || !nbytes)
|
|
|
|
{
|
|
|
|
xfree (data_buf);
|
2011-04-28 10:51:14 +02:00
|
|
|
return gpg_error (GPG_ERR_BAD_MPI);
|
2011-01-31 15:44:24 +01:00
|
|
|
}
|
|
|
|
memcpy (data_buf, p, nbytes);
|
|
|
|
if (data_buf[0] != nbytes-1)
|
2011-04-28 10:51:14 +02:00
|
|
|
{
|
|
|
|
log_error ("ecdh inconsistent size\n");
|
|
|
|
xfree (data_buf);
|
|
|
|
return gpg_error (GPG_ERR_BAD_MPI);
|
|
|
|
}
|
2011-01-31 15:44:24 +01:00
|
|
|
in = data_buf+data_buf_size;
|
|
|
|
data_buf_size = data_buf[0];
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (data_buf+1, data_buf_size, "ecdh decrypting :");
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
err = gcry_cipher_decrypt (hd, in, data_buf_size, data_buf+1,
|
|
|
|
data_buf_size);
|
|
|
|
gcry_cipher_close (hd);
|
|
|
|
if (err)
|
|
|
|
{
|
|
|
|
log_error ("ecdh failed in gcry_cipher_decrypt: %s\n",
|
|
|
|
gpg_strerror (err));
|
|
|
|
xfree (data_buf);
|
|
|
|
return err;
|
|
|
|
}
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
data_buf_size -= 8;
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2020-05-12 18:51:47 +02:00
|
|
|
log_printhex (in, data_buf_size, "ecdh decrypted to :");
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
/* Padding is removed later. */
|
|
|
|
/* if (in[data_buf_size-1] > 8 ) */
|
|
|
|
/* { */
|
2011-04-28 10:51:14 +02:00
|
|
|
/* log_error ("ecdh failed at decryption: invalid padding." */
|
|
|
|
/* " 0x%02x > 8\n", in[data_buf_size-1] ); */
|
|
|
|
/* return gpg_error (GPG_ERR_BAD_KEY); */
|
2011-01-31 15:44:24 +01:00
|
|
|
/* } */
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
err = gcry_mpi_scan (&result, GCRYMPI_FMT_USG, in, data_buf_size, NULL);
|
|
|
|
xfree (data_buf);
|
|
|
|
if (err)
|
|
|
|
{
|
|
|
|
log_error ("ecdh failed to create a plain text MPI: %s\n",
|
|
|
|
gpg_strerror (err));
|
|
|
|
return err;
|
|
|
|
}
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-31 15:44:24 +01:00
|
|
|
*r_result = result;
|
2011-01-21 12:00:57 +01:00
|
|
|
}
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
2011-02-02 15:48:54 +01:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
return err;
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
|
|
|
|
2011-01-10 20:24:14 -08:00
|
|
|
|
|
|
|
static gcry_mpi_t
|
|
|
|
gen_k (unsigned nbits)
|
|
|
|
{
|
|
|
|
gcry_mpi_t k;
|
|
|
|
|
|
|
|
k = gcry_mpi_snew (nbits);
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2011-01-10 20:24:14 -08:00
|
|
|
log_debug ("choosing a random k of %u bits\n", nbits);
|
|
|
|
|
|
|
|
gcry_mpi_randomize (k, nbits-1, GCRY_STRONG_RANDOM);
|
|
|
|
|
2015-04-06 13:07:09 +02:00
|
|
|
if (DBG_CRYPTO)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
|
|
|
unsigned char *buffer;
|
|
|
|
if (gcry_mpi_aprint (GCRYMPI_FMT_HEX, &buffer, NULL, k))
|
|
|
|
BUG ();
|
2011-01-31 09:27:06 +01:00
|
|
|
log_debug ("ephemeral scalar MPI #0: %s\n", buffer);
|
|
|
|
gcry_free (buffer);
|
2011-01-21 12:00:57 +01:00
|
|
|
}
|
2011-01-10 20:24:14 -08:00
|
|
|
|
|
|
|
return k;
|
|
|
|
}
|
|
|
|
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
/* Generate an ephemeral key for the public ECDH key in PKEY. On
|
|
|
|
success the generated key is stored at R_K; on failure NULL is
|
|
|
|
stored at R_K and an error code returned. */
|
|
|
|
gpg_error_t
|
|
|
|
pk_ecdh_generate_ephemeral_key (gcry_mpi_t *pkey, gcry_mpi_t *r_k)
|
|
|
|
{
|
|
|
|
unsigned int nbits;
|
2011-01-10 20:24:14 -08:00
|
|
|
gcry_mpi_t k;
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
*r_k = NULL;
|
2011-01-10 20:24:14 -08:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
nbits = pubkey_nbits (PUBKEY_ALGO_ECDH, pkey);
|
|
|
|
if (!nbits)
|
|
|
|
return gpg_error (GPG_ERR_TOO_SHORT);
|
2011-01-10 20:24:14 -08:00
|
|
|
k = gen_k (nbits);
|
2011-01-25 20:28:25 +01:00
|
|
|
if (!k)
|
2011-01-10 20:24:14 -08:00
|
|
|
BUG ();
|
2011-01-05 17:33:17 -08:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
*r_k = k;
|
|
|
|
return 0;
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
|
2011-01-25 20:28:25 +01:00
|
|
|
|
2011-01-21 12:00:57 +01:00
|
|
|
/* Perform ECDH decryption. */
|
2011-01-05 17:33:17 -08:00
|
|
|
int
|
2021-05-04 11:51:34 +02:00
|
|
|
pk_ecdh_decrypt (gcry_mpi_t *result, const byte sk_fp[MAX_FINGERPRINT_LEN],
|
|
|
|
gcry_mpi_t data,
|
|
|
|
const char *shared, size_t nshared,
|
|
|
|
gcry_mpi_t *skey)
|
2011-01-21 12:00:57 +01:00
|
|
|
{
|
2011-01-10 20:24:14 -08:00
|
|
|
if (!data)
|
2011-01-05 17:33:17 -08:00
|
|
|
return gpg_error (GPG_ERR_BAD_MPI);
|
2021-05-04 11:51:34 +02:00
|
|
|
return pk_ecdh_encrypt_with_shared_point (0 /*=decryption*/,
|
|
|
|
shared, nshared,
|
2011-01-21 12:00:57 +01:00
|
|
|
sk_fp, data/*encr data as an MPI*/,
|
|
|
|
skey, result);
|
2011-01-05 17:33:17 -08:00
|
|
|
}
|