security-and-privacy/gnupg
security-and-privacy/gnupg
1
0
Fork 0
mirror of git://git.gnupg.org/gnupg.git synced 2025-05-19 09:02:22 +02:00
Code Activity

gpg: Accept GCM and v5 AEAD with v2 SEIPD packet.

Browse Source 
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
This commit is contained in:
NIIBE Yutaka 2022-03-30 22:18:20 +09:00
parent 51fe266705
commit c9315dada4
6 changed files with 151 additions and 98 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
common/openpgpdefs.h
View File

@ -152,7 +152,8 @@ typedef enum
{ {
AEAD_ALGO_NONE = 0, AEAD_ALGO_NONE = 0,
AEAD_ALGO_EAX = 1, AEAD_ALGO_EAX = 1,
AEAD_ALGO_OCB = 2 AEAD_ALGO_OCB = 2,
AEAD_ALGO_GCM = 3
} }
aead_algo_t; aead_algo_t;

83
g10/decrypt-data.c
View File

@ -141,6 +141,11 @@ aead_set_nonce_and_ad (decode_filter_ctx_t dfx, int final)
i = 7; i = 7;
break; break;
case AEAD_ALGO_GCM:
memcpy (nonce, dfx->startiv, 12);
i = 4;
break;
case AEAD_ALGO_EAX: case AEAD_ALGO_EAX:
memcpy (nonce, dfx->startiv, 16); memcpy (nonce, dfx->startiv, 16);
i = 8; i = 8;
@ -223,84 +228,6 @@ aead_checktag (decode_filter_ctx_t dfx, int final, const void *tagbuf)
} }
/* HKDF Extract and expand. */
static gpg_error_t
hkdf_derive (const byte *salt, int saltlen, const byte *key, int keylen,
const byte *info, int infolen, int outlen, byte *out)
{
int algo = GCRY_MD_SHA256;
gcry_md_hd_t hd;
unsigned char *t;
unsigned char *p;
int mdlen;
gpg_error_t err = 0;
int off = 0;
unsigned char n = 0;
mdlen = gcry_md_get_algo_dlen (algo);
if (salt && saltlen != mdlen)
return gpg_error (GPG_ERR_INV_LENGTH);
t = xtrymalloc (mdlen);
if (!t)
return gpg_error_from_syserror ();
err = gcry_md_open (&hd, algo, GCRY_MD_FLAG_HMAC);
if (err)
return err;
if (salt)
{
err = gcry_md_setkey (hd, salt, mdlen);
if (err)
{
xfree (t);
gcry_md_close (hd);
return err;
}
}
if (keylen)
gcry_md_write (hd, key, keylen);
p = gcry_md_read (hd, 0);
memcpy (t, p, mdlen);
gcry_md_reset (hd);
err = gcry_md_setkey (hd, t, mdlen);
if (err)
{
xfree (t);
gcry_md_close (hd);
return err;
}
while (1)
{
n++;
gcry_md_write (hd, info, infolen);
gcry_md_write (hd, &n, 1);
p = gcry_md_read (hd, 0);
memcpy (t, p, mdlen);
if ((outlen - off) / mdlen)
{
memcpy (out + off, t, mdlen);
off += mdlen;
}
else
{
memcpy (out + off, t, (outlen - off));
break;
}
gcry_md_reset (hd);
gcry_md_write (hd, t, mdlen);
}
xfree (t);
gcry_md_close (hd);
return 0;
}
/**************** /****************
* Decrypt the data, specified by ED with the key DEK. * Decrypt the data, specified by ED with the key DEK.
*/ */

130
g10/mainproc.c
View File

@ -249,14 +249,109 @@ add_signature (CTX c, PACKET *pkt)
return 1; return 1;
} }
/* HKDF Extract and expand. */
gpg_error_t
hkdf_derive (const byte *salt, int saltlen, const byte *key, int keylen,
const byte *info, int infolen, int outlen, byte *out)
{
int algo = GCRY_MD_SHA256;
gcry_md_hd_t hd;
unsigned char *t;
unsigned char *p;
int mdlen;
gpg_error_t err = 0;
int off = 0;
unsigned char n = 0;
mdlen = gcry_md_get_algo_dlen (algo);
if (salt && saltlen != mdlen)
return gpg_error (GPG_ERR_INV_LENGTH);
t = xtrymalloc (mdlen);
if (!t)
return gpg_error_from_syserror ();
err = gcry_md_open (&hd, algo, GCRY_MD_FLAG_HMAC);
if (err)
return err;
err = gcry_md_setkey (hd, salt, salt? mdlen: 0);
if (err)
{
xfree (t);
gcry_md_close (hd);
return err;
}
if (keylen)
gcry_md_write (hd, key, keylen);
p = gcry_md_read (hd, 0);
memcpy (t, p, mdlen);
gcry_md_reset (hd);
err = gcry_md_setkey (hd, t, mdlen);
if (err)
{
xfree (t);
gcry_md_close (hd);
return err;
}
while (1)
{
n++;
gcry_md_write (hd, info, infolen);
gcry_md_write (hd, &n, 1);
p = gcry_md_read (hd, 0);
memcpy (t, p, mdlen);
if ((outlen - off) / mdlen)
{
memcpy (out + off, t, mdlen);
off += mdlen;
}
else
{
memcpy (out + off, t, (outlen - off));
break;
}
gcry_md_reset (hd);
gcry_md_write (hd, t, mdlen);
}
xfree (t);
gcry_md_close (hd);
return 0;
}
static gpg_error_t static gpg_error_t
symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen) symkey_decrypt_seskey (DEK *dek, PKT_symkey_enc *enc)
{ {
gpg_error_t err; gpg_error_t err;
gcry_cipher_hd_t hd; gcry_cipher_hd_t hd;
unsigned int noncelen, keylen; unsigned int noncelen, keylen;
enum gcry_cipher_modes ciphermode; enum gcry_cipher_modes ciphermode;
if (enc->use_hkdf)
{
unsigned char info[4];
keylen = openpgp_cipher_get_algo_keylen (enc->cipher_algo);
if (keylen > DIM (dek->key))
return gpg_error (GPG_ERR_TOO_LARGE);
info[0] = 0xc3;
info[1] = 0x05;
info[2] = enc->cipher_algo;
info[3] = enc->aead_algo;
hkdf_derive (NULL, 0, dek->key, dek->keylen, info, sizeof (info),
keylen, dek->key);
dek->keylen = keylen;
}
if (dek->use_aead) if (dek->use_aead)
{ {
err = openpgp_aead_algo_info (dek->use_aead, &ciphermode, &noncelen); err = openpgp_aead_algo_info (dek->use_aead, &ciphermode, &noncelen);
@ -270,12 +365,12 @@ symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
} }
/* Check that the session key has a size of 16 to 32 bytes. */ /* Check that the session key has a size of 16 to 32 bytes. */
if ((dek->use_aead && (slen < (noncelen + 16 + 16) if ((dek->use_aead && (enc->seskeylen < (noncelen + 16 + 16)
|| slen > (noncelen + 32 + 16))) || enc->seskeylen > (noncelen + 32 + 16)))
|| (!dek->use_aead && (slen < 17 || slen > 33))) || (!dek->use_aead && (enc->seskeylen < 17 || enc->seskeylen > 33)))
{ {
log_error ( _("weird size for an encrypted session key (%d)\n"), log_error ( _("weird size for an encrypted session key (%d)\n"),
(int)slen); (int)enc->seskeylen);
return gpg_error (GPG_ERR_BAD_KEY); return gpg_error (GPG_ERR_BAD_KEY);
} }
@ -283,7 +378,7 @@ symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
if (!err) if (!err)
err = gcry_cipher_setkey (hd, dek->key, dek->keylen); err = gcry_cipher_setkey (hd, dek->key, dek->keylen);
if (!err) if (!err)
err = gcry_cipher_setiv (hd, noncelen? seskey : NULL, noncelen); err = gcry_cipher_setiv (hd, noncelen? enc->seskey : NULL, noncelen);
if (err) if (err)
goto leave; goto leave;
@ -299,11 +394,11 @@ symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
if (err) if (err)
goto leave; goto leave;
gcry_cipher_final (hd); gcry_cipher_final (hd);
keylen = slen - noncelen - 16; keylen = enc->seskeylen - noncelen - 16;
err = gcry_cipher_decrypt (hd, seskey+noncelen, keylen, NULL, 0); err = gcry_cipher_decrypt (hd, enc->seskey+noncelen, keylen, NULL, 0);
if (err) if (err)
goto leave; goto leave;
err = gcry_cipher_checktag (hd, seskey+noncelen+keylen, 16); err = gcry_cipher_checktag (hd, enc->seskey+noncelen+keylen, 16);
if (err) if (err)
goto leave; goto leave;
/* Now we replace the dek components with the real session key to /* Now we replace the dek components with the real session key to
@ -314,11 +409,11 @@ symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
goto leave; goto leave;
} }
dek->keylen = keylen; dek->keylen = keylen;
memcpy (dek->key, seskey + noncelen, dek->keylen); memcpy (dek->key, enc->seskey + noncelen, dek->keylen);
} }
else else
{ {
gcry_cipher_decrypt (hd, seskey, slen, NULL, 0 ); gcry_cipher_decrypt (hd, enc->seskey, enc->seskeylen, NULL, 0 );
/* Here we can only test whether the algo given in decrypted /* Here we can only test whether the algo given in decrypted
* session key is a valid OpenPGP algo. With 11 defined * session key is a valid OpenPGP algo. With 11 defined
* symmetric algorithms we will miss 4.3% of wrong passphrases * symmetric algorithms we will miss 4.3% of wrong passphrases
@ -328,8 +423,8 @@ symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
* the gnupg < 2.2 bug compatible case which would terminate the * the gnupg < 2.2 bug compatible case which would terminate the
* process on GPG_ERR_CIPHER_ALGO. Note that with AEAD (above) * process on GPG_ERR_CIPHER_ALGO. Note that with AEAD (above)
* we will have a reliable test here. */ * we will have a reliable test here. */
if (openpgp_cipher_test_algo (seskey[0]) if (openpgp_cipher_test_algo (enc->seskey[0])
|| openpgp_cipher_get_algo_keylen (seskey[0]) != slen - 1) || openpgp_cipher_get_algo_keylen (enc->seskey[0]) != enc->seskeylen - 1)
{ {
err = gpg_error (GPG_ERR_CHECKSUM); err = gpg_error (GPG_ERR_CHECKSUM);
goto leave; goto leave;
@ -337,15 +432,15 @@ symkey_decrypt_seskey (DEK *dek, byte *seskey, size_t slen)
/* Now we replace the dek components with the real session key to /* Now we replace the dek components with the real session key to
* decrypt the contents of the sequencing packet. */ * decrypt the contents of the sequencing packet. */
keylen = slen-1; keylen = enc->seskeylen-1;
if (keylen > DIM(dek->key)) if (keylen > DIM(dek->key))
{ {
err = gpg_error (GPG_ERR_TOO_LARGE); err = gpg_error (GPG_ERR_TOO_LARGE);
goto leave; goto leave;
} }
dek->algo = seskey[0]; dek->algo = enc->seskey[0];
dek->keylen = keylen; dek->keylen = keylen;
memcpy (dek->key, seskey + 1, dek->keylen); memcpy (dek->key, enc->seskey + 1, dek->keylen);
} }
/*log_hexdump( "thekey", dek->key, dek->keylen );*/ /*log_hexdump( "thekey", dek->key, dek->keylen );*/
@ -426,8 +521,7 @@ proc_symkey_enc (CTX c, PACKET *pkt)
come later. */ come later. */
if (enc->seskeylen) if (enc->seskeylen)
{ {
err = symkey_decrypt_seskey (c->dek, err = symkey_decrypt_seskey (c->dek, enc);
enc->seskey, enc->seskeylen);
if (err) if (err)
{ {
log_info ("decryption of the symmetrically encrypted" log_info ("decryption of the symmetrically encrypted"

9
g10/misc.c
View File

@ -630,6 +630,7 @@ openpgp_aead_test_algo (aead_algo_t algo)
case AEAD_ALGO_EAX: case AEAD_ALGO_EAX:
case AEAD_ALGO_OCB: case AEAD_ALGO_OCB:
case AEAD_ALGO_GCM:
return 0; return 0;
} }
@ -648,6 +649,7 @@ openpgp_aead_algo_name (aead_algo_t algo)
case AEAD_ALGO_NONE: break; case AEAD_ALGO_NONE: break;
case AEAD_ALGO_EAX: return "EAX"; case AEAD_ALGO_EAX: return "EAX";
case AEAD_ALGO_OCB: return "OCB"; case AEAD_ALGO_OCB: return "OCB";
case AEAD_ALGO_GCM: return "GCM";
} }
return "?"; return "?";
@ -674,6 +676,11 @@ openpgp_aead_algo_info (aead_algo_t algo, enum gcry_cipher_modes *r_mode,
*r_noncelen = 16; *r_noncelen = 16;
break; break;
case AEAD_ALGO_GCM:
*r_mode = GCRY_CIPHER_MODE_GCM;
*r_noncelen = 12;
break;
default: default:
log_error ("unsupported AEAD algo %d\n", algo); log_error ("unsupported AEAD algo %d\n", algo);
return gpg_error (GPG_ERR_INV_CIPHER_MODE); return gpg_error (GPG_ERR_INV_CIPHER_MODE);
@ -1241,6 +1248,8 @@ string_to_aead_algo (const char *string)
result = 1; result = 1;
else if (!ascii_strcasecmp (string, "OCB")) else if (!ascii_strcasecmp (string, "OCB"))
result = 2; result = 2;
else if (!ascii_strcasecmp (string, "GCM"))
result = 3;
else if ((string[0]=='A' || string[0]=='a')) else if ((string[0]=='A' || string[0]=='a'))
{ {
char *endptr; char *endptr;

7
g10/packet.h
View File

@ -115,6 +115,8 @@ typedef struct
typedef struct { typedef struct {
/* We support version 4 (rfc4880) and 5 (rfc4880bis). */ /* We support version 4 (rfc4880) and 5 (rfc4880bis). */
byte version; byte version;
/* If we use hkdf or not. */
byte use_hkdf;
/* The cipher algorithm used to encrypt the session key. Note that /* The cipher algorithm used to encrypt the session key. Note that
* this may be different from the algorithm that is used to encrypt * this may be different from the algorithm that is used to encrypt
* bulk data. */ * bulk data. */
@ -646,6 +648,9 @@ int list_packets( iobuf_t a );
const byte *issuer_fpr_raw (PKT_signature *sig, size_t *r_len); const byte *issuer_fpr_raw (PKT_signature *sig, size_t *r_len);
char *issuer_fpr_string (PKT_signature *sig); char *issuer_fpr_string (PKT_signature *sig);
gpg_error_t hkdf_derive (const byte *salt, int saltlen, const byte *key,
int keylen, const byte *info, int infolen,
int outlen, byte *out);
/*-- parse-packet.c --*/ /*-- parse-packet.c --*/
@ -928,7 +933,7 @@ gpg_error_t get_override_session_key (DEK *dek, const char *string);
int handle_compressed (ctrl_t ctrl, void *ctx, PKT_compressed *cd, int handle_compressed (ctrl_t ctrl, void *ctx, PKT_compressed *cd,
int (*callback)(iobuf_t, void *), void *passthru ); int (*callback)(iobuf_t, void *), void *passthru );
/*-- encr-data.c --*/ /*-- decrypt-data.c --*/
int decrypt_data (ctrl_t ctrl, void *ctx, PKT_encrypted *ed, DEK *dek ); int decrypt_data (ctrl_t ctrl, void *ctx, PKT_encrypted *ed, DEK *dek );
/*-- plaintext.c --*/ /*-- plaintext.c --*/

17
g10/parse-packet.c
View File

@ -1203,6 +1203,8 @@ parse_symkeyenc (IOBUF inp, int pkttype, unsigned long pktlen,
PKT_symkey_enc *k; PKT_symkey_enc *k;
int rc = 0; int rc = 0;
int i, version, s2kmode, cipher_algo, aead_algo, hash_algo, seskeylen, minlen; int i, version, s2kmode, cipher_algo, aead_algo, hash_algo, seskeylen, minlen;
int v5_cr05_five_field_len = 0;
int v5_cr05_s2k_len = 0;
if (pktlen < 4) if (pktlen < 4)
goto too_short; goto too_short;
@ -1232,8 +1234,22 @@ parse_symkeyenc (IOBUF inp, int pkttype, unsigned long pktlen,
pktlen--; pktlen--;
if (version == 5) if (version == 5)
{ {
if (cipher_algo > 13)
{
v5_cr05_five_field_len = cipher_algo;
cipher_algo = iobuf_get_noeof (inp);
pktlen--;
}
aead_algo = iobuf_get_noeof (inp); aead_algo = iobuf_get_noeof (inp);
pktlen--; pktlen--;
if (v5_cr05_five_field_len)
{
if (pktlen < 1)
goto too_short;
v5_cr05_s2k_len = iobuf_get_noeof (inp);
pktlen--;
}
} }
else else
aead_algo = 0; aead_algo = 0;
@ -1280,6 +1296,7 @@ parse_symkeyenc (IOBUF inp, int pkttype, unsigned long pktlen,
k = packet->pkt.symkey_enc = xmalloc_clear (sizeof *packet->pkt.symkey_enc k = packet->pkt.symkey_enc = xmalloc_clear (sizeof *packet->pkt.symkey_enc
+ seskeylen - 1); + seskeylen - 1);
k->version = version; k->version = version;
k->use_hkdf = (v5_cr05_five_field_len != 0);
k->cipher_algo = cipher_algo; k->cipher_algo = cipher_algo;
k->aead_algo = aead_algo; k->aead_algo = aead_algo;
k->s2k.mode = s2kmode; k->s2k.mode = s2kmode;