security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00
Code Activity

agent: Changes to the new KEM code in pkdecrypt.c

Browse Source 
* agent/pkdecrypt.c (agent_hybrid_pgp_kem_decrypt): Replace fixed-info
by an s-exp parameter.  Do not expect the algo and extra length octet.
--

This code needs more work, for example extracting the curve from the
s-expression and mapping it to a KEM algo.  It might even be better
top move parts of the code to common/.
This commit is contained in:
Werner Koch 2024-04-09 11:07:59 +02:00
parent 52c4b09080
commit 863fc3b2c5
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
1 changed files with 35 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

57
agent/pkdecrypt.c
View File

@ -177,12 +177,13 @@ reverse_buffer (unsigned char *buffer, unsigned int length)
First keygrip is for ECC, second keygrip is for PQC. CIPHERTEXT First keygrip is for ECC, second keygrip is for PQC. CIPHERTEXT
should follow the format of: should follow the format of:
(enc-val(pqc(s%m)(e%m)(k%m)))) (enc-val(pqc(e%m)(k%m)(s%m)(fixed-info&)))
s: encrypted session key
e: ECDH ciphertext e: ECDH ciphertext
k: ML-KEM ciphertext k: ML-KEM ciphertext
s: encrypted session key
fixed-info: A buffer with the fixed info.
FIXME: For now, possibile keys on smartcard are not supported. FIXME: For now, possible keys on smartcards are not supported.
*/ */
static gpg_error_t static gpg_error_t
agent_hybrid_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, agent_hybrid_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
@ -226,7 +227,9 @@ agent_hybrid_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
gcry_cipher_hd_t hd; gcry_cipher_hd_t hd;
unsigned char sessionkey[256]; unsigned char sessionkey[256];
size_t sessionkey_len; size_t sessionkey_len;
const unsigned char fixedinfo[1] = { 105 };
memset (iov, 0, sizeof iov);
err = agent_key_from_file (ctrl, NULL, desc_text, err = agent_key_from_file (ctrl, NULL, desc_text,
ctrl->keygrip, &shadow_info, ctrl->keygrip, &shadow_info,
@ -248,33 +251,44 @@ agent_hybrid_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
/* Here assumes no smartcard, but private keys */ /* Here assumes no smartcard, but private keys */
gcry_sexp_extract_param (s_cipher, NULL, "/e/k/s", /* Note that we put the fixed-info already here into IOV[5]. Take
&ecc_ct_mpi, * care not to clear anymore. */
&mlkem_ct_mpi, err = gcry_sexp_extract_param (s_cipher, NULL, "/eks&'fixed-info'",
&encrypted_sessionkey_mpi, NULL); &ecc_ct_mpi,
&mlkem_ct_mpi,
&encrypted_sessionkey_mpi,
iov+5, NULL);
if (err)
goto leave;
encrypted_sessionkey = gcry_mpi_get_opaque (encrypted_sessionkey_mpi, &nbits); encrypted_sessionkey = gcry_mpi_get_opaque (encrypted_sessionkey_mpi, &nbits);
encrypted_sessionkey_len = (nbits+7)/8; encrypted_sessionkey_len = (nbits+7)/8;
if (encrypted_sessionkey_len < 1+1+8)
{
/* Fixme: This is a basic check but we should better test
* against the expected length and something which
* is required to avoid an underflow. */
err = gpg_error (GPG_ERR_INV_DATA);
goto leave;
}
encrypted_sessionkey_len--; encrypted_sessionkey_len--;
if (encrypted_sessionkey[0] != encrypted_sessionkey_len) if (encrypted_sessionkey[0] != encrypted_sessionkey_len)
{ {
err = GPG_ERR_INV_DATA; err = gpg_error (GPG_ERR_INV_DATA);
goto leave; goto leave;
} }
encrypted_sessionkey++; /* Skip the length. */ encrypted_sessionkey++; /* Skip the length. */
if (encrypted_sessionkey[0] != CIPHER_ALGO_AES256)
{
err = GPG_ERR_INV_DATA;
goto leave;
}
encrypted_sessionkey_len--;
encrypted_sessionkey++; /* Skip the sym algo */
/* Fistly, ECC part. FIXME: For now, we assume X25519. */ /* Fistly, ECC part. FIXME: For now, we assume X25519. We need to
gcry_sexp_extract_param (s_skey0, NULL, "/q/d", * take that info from s_key0 */
&ecc_pk_mpi, &ecc_sk_mpi, NULL); err = gcry_sexp_extract_param (s_skey0, NULL, "/q/d",
&ecc_pk_mpi, &ecc_sk_mpi, NULL);
if (err)
goto leave;
p = gcry_mpi_get_opaque (ecc_pk_mpi, &nbits); p = gcry_mpi_get_opaque (ecc_pk_mpi, &nbits);
len = (nbits+7)/8; len = (nbits+7)/8;
memcpy (ecc_pk, p+1, 32); /* Remove the 0x40 prefix */ memcpy (ecc_pk, p+1, 32); /* Remove the 0x40 prefix */
@ -359,9 +373,7 @@ agent_hybrid_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
iov[4].off = 0; iov[4].off = 0;
iov[4].len = GCRY_KEM_MLKEM768_ENCAPS_LEN; iov[4].len = GCRY_KEM_MLKEM768_ENCAPS_LEN;
iov[5].data = (unsigned char *)fixedinfo; /* Note: iov[5] has already been filled. */
iov[5].off = 0;
iov[5].len = 1;
err = compute_kmac256 (kekkey, kekkeylen, err = compute_kmac256 (kekkey, kekkeylen,
"OpenPGPCompositeKeyDerivationFunction", 37, "OpenPGPCompositeKeyDerivationFunction", 37,
@ -406,6 +418,7 @@ agent_hybrid_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text,
put_membuf (outbuf, ")", 2); put_membuf (outbuf, ")", 2);
leave: leave:
gcry_free (iov[5].data); /* The fixed-info. */
gcry_sexp_release (s_skey0); gcry_sexp_release (s_skey0);
gcry_sexp_release (s_skey1); gcry_sexp_release (s_skey1);
return err; return err;