From d5c6b52e597491b30044b6eaef4d15af8182d654 Mon Sep 17 00:00:00 2001 From: NIIBE Yutaka Date: Tue, 23 Apr 2024 14:23:27 +0900 Subject: [PATCH] agent:kem: Support other ECC curves. * agent/pkdecrypt.c (ecc_table): New. (get_ecc_params): New. (composite_pgp_kem_decrypt): Support other curves. -- Signed-off-by: NIIBE Yutaka --- agent/pkdecrypt.c | 126 ++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 105 insertions(+), 21 deletions(-) diff --git a/agent/pkdecrypt.c b/agent/pkdecrypt.c index ba42a265d..4a93fd95f 100644 --- a/agent/pkdecrypt.c +++ b/agent/pkdecrypt.c @@ -173,6 +173,64 @@ reverse_buffer (unsigned char *buffer, unsigned int length) } } +struct ecc_params +{ + int name_len; + const char *curve; + size_t pubkey_len; /* Pubkey in the SEXP representation. */ + size_t scalar_len; + size_t point_len; + size_t shared_len; + int hash_algo; + int algo; + int scalar_reverse; +}; + +static const struct ecc_params ecc_table[] = + { + { + 10, "Curve25519", + 33, 32, 32, 32, + GCRY_MD_SHA3_256, GCRY_KEM_RAW_X25519, + 1 + }, + { + 4, "X448", + 56, 56, 56, 64, + GCRY_MD_SHA3_512, GCRY_KEM_RAW_X448, + 0 + }, + { + 15, "brainpoolP256r1", + 65, 32, 65, 32, + GCRY_MD_SHA3_256, GCRY_KEM_RAW_BP256, + 0 + }, + { + 15, "brainpoolP384r1", + 97, 48, 97, 64, + GCRY_MD_SHA3_512, GCRY_KEM_RAW_BP384, + 0 + }, + { 0, NULL, 0, 0, 0, 0, 0, 0, 0 } +}; + +static const struct ecc_params * +get_ecc_params (const char *curve, size_t curve_len) +{ + int i, name_len; + + for (i = 0; (name_len = ecc_table[i].name_len); i++) + if (name_len == curve_len && !memcmp (ecc_table[i].curve, curve, name_len)) + return &ecc_table[i]; + + return NULL; +} + +#define ECC_SCALAR_LEN_MAX 64 +#define ECC_POINT_LEN_MAX (1+2*64) +#define ECC_HASH_LEN_MAX 64 + /* For composite PGP KEM (ECC+ML-KEM), decrypt CIPHERTEXT using KEM API. First keygrip is for ECC, second keygrip is for PQC. CIPHERTEXT should follow the format of: @@ -195,6 +253,7 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, gcry_sexp_t s_skey1 = NULL; unsigned char *shadow_info = NULL; gpg_error_t err = 0; + const struct ecc_params *ecc; unsigned int nbits; const unsigned char *p; @@ -206,14 +265,13 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, size_t encrypted_sessionkey_len; gcry_mpi_t ecc_sk_mpi = NULL; - unsigned char ecc_sk[32]; + unsigned char ecc_sk[ECC_SCALAR_LEN_MAX]; gcry_mpi_t ecc_pk_mpi = NULL; - unsigned char ecc_pk[32]; + unsigned char ecc_pk[ECC_POINT_LEN_MAX]; gcry_mpi_t ecc_ct_mpi = NULL; const unsigned char *ecc_ct; - size_t ecc_ct_len; - unsigned char ecc_ecdh[32]; - unsigned char ecc_ss[32]; + unsigned char ecc_ecdh[ECC_POINT_LEN_MAX]; + unsigned char ecc_ss[ECC_HASH_LEN_MAX]; gcry_mpi_t mlkem_sk_mpi = NULL; gcry_mpi_t mlkem_ct_mpi = NULL; @@ -275,7 +333,7 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, goto leave; } - /* Fistly, ECC part. FIXME: For now, we assume X25519. */ + /* Firstly, ECC part. */ curve = gcry_sexp_find_token (s_skey0, "curve", 0); if (!curve) { @@ -286,7 +344,8 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, } curve_name = gcry_sexp_nth_data (curve, 1, &len); - if (len != 10 || memcmp (curve_name, "Curve25519", len)) + ecc = get_ecc_params (curve_name, len); + if (!ecc) { if (opt.verbose) log_info ("%s: curve '%s' not supported\n", __func__, curve_name); @@ -305,45 +364,63 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, p = gcry_mpi_get_opaque (ecc_pk_mpi, &nbits); len = (nbits+7)/8; - if (len != 33) + if (len != ecc->pubkey_len) { if (opt.verbose) log_info ("%s: ECC public key length invalid (%zu)\n", __func__, len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } - memcpy (ecc_pk, p+1, 32); /* Remove the 0x40 prefix */ + else if (len == ecc->point_len) + memcpy (ecc_pk, p, ecc->point_len); + else if (len == ecc->point_len + 1 && p[0] == 0x40) + /* Remove the 0x40 prefix (for Curve25519) */ + memcpy (ecc_pk, p+1, ecc->point_len); + else + { + err = gpg_error (GPG_ERR_BAD_SECKEY); + goto leave; + } + mpi_release (ecc_pk_mpi); + ecc_pk_mpi = NULL; p = gcry_mpi_get_opaque (ecc_sk_mpi, &nbits); len = (nbits+7)/8; - if (len > 32) + if (len > ecc->scalar_len) { if (opt.verbose) log_info ("%s: ECC secret key too long (%zu)\n", __func__, len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } - memset (ecc_sk, 0, 32); - memcpy (ecc_sk + 32 - len, p, len); - reverse_buffer (ecc_sk, 32); + memset (ecc_sk, 0, ecc->scalar_len - len); + memcpy (ecc_sk + ecc->scalar_len - len, p, len); + if (ecc->scalar_reverse) + reverse_buffer (ecc_sk, ecc->scalar_len); mpi_release (ecc_sk_mpi); - ecc_pk_mpi = NULL; ecc_sk_mpi = NULL; ecc_ct = gcry_mpi_get_opaque (ecc_ct_mpi, &nbits); - ecc_ct_len = (nbits+7)/8; - if (ecc_ct_len != 32) + if (ecc->point_len != (nbits+7)/8) { if (opt.verbose) log_info ("%s: ECC cipher text length invalid (%zu)\n", - __func__, ecc_ct_len); + __func__, ecc->point_len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } - err = gcry_kem_decap (GCRY_KEM_RAW_X25519, ecc_sk, 32, ecc_ct, ecc_ct_len, - ecc_ecdh, 32, NULL, 0); + if (DBG_CRYPTO) + { + log_debug ("ECC curve: %s\n", curve_name); + log_printhex (ecc_pk, ecc->pubkey_len, "ECC pubkey:"); + log_printhex (ecc_sk, ecc->scalar_len, "ECC seckey:"); + log_printhex (ecc_ct, ecc->point_len, "ECC ephem:"); + } + + err = gcry_kem_decap (ecc->algo, ecc_sk, ecc->scalar_len, + ecc_ct, ecc->point_len, ecc_ecdh, ecc->point_len, NULL, 0); if (err) { if (opt.verbose) @@ -351,8 +428,12 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, goto leave; } - err = gnupg_ecc_kem_kdf (ecc_ss, 32, GCRY_MD_SHA3_256, - ecc_ecdh, 32, ecc_ct, 32, ecc_pk, 32); + if (DBG_CRYPTO) + log_printhex (ecc_ecdh, ecc->point_len, "ECC ecdh:"); + + err = gnupg_ecc_kem_kdf (ecc_ss, ecc->shared_len, ecc->hash_algo, + ecc_ecdh, ecc->scalar_len, ecc_ct, ecc->point_len, + ecc_pk, ecc->point_len); if (err) { if (opt.verbose) @@ -360,6 +441,9 @@ composite_pgp_kem_decrypt (ctrl_t ctrl, const char *desc_text, goto leave; } + if (DBG_CRYPTO) + log_printhex (ecc_ss, ecc->shared_len, "ECC shared:"); + /* Secondly, PQC part. For now, we assume ML-KEM. */ err = gcry_sexp_extract_param (s_skey1, NULL, "/s", &mlkem_sk_mpi, NULL); if (err)