
Fix computation of PQC KEM.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
NIIBE Yutaka 2024-03-20 16:19:14 +09:00
parent c53abc8ffe
commit f901b38cd0
No known key found for this signature in database
GPG Key ID: 640114AF89DE6054


@ -207,8 +207,8 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
gcry_buffer_t iov[13]; gcry_buffer_t iov[13];
unsigned char head136[2]; unsigned char head136[2];
unsigned char headK[2]; unsigned char headK[3];
const unsigned char pad[95] = { 0 }; const unsigned char pad[94] = { 0 };
unsigned char right_encode_L[3]; unsigned char right_encode_L[3];
unsigned char kekkey[32]; unsigned char kekkey[32];
@ -280,7 +280,7 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
&ecc_pk_mpi, &ecc_sk_mpi, NULL); &ecc_pk_mpi, &ecc_sk_mpi, NULL);
p = gcry_mpi_get_opaque (ecc_pk_mpi, &nbits); p = gcry_mpi_get_opaque (ecc_pk_mpi, &nbits);
len = (nbits+7)/8; len = (nbits+7)/8;
memcpy (ecc_pk, p+1, 32); memcpy (ecc_pk, p+1, 32); /* Remove 0x40 prefix */
p = gcry_mpi_get_opaque (ecc_sk_mpi, &nbits); p = gcry_mpi_get_opaque (ecc_sk_mpi, &nbits);
len = (nbits+7)/8; len = (nbits+7)/8;
memset (ecc_sk, 0, 32); memset (ecc_sk, 0, 32);
@ -298,7 +298,7 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
ecc_ct, ecc_ct_len, ecc_ct, ecc_ct_len,
ecc_ecdh, 32, ecc_ecdh, 32,
NULL, 0); NULL, 0);
mpi_release (ecc_ct_mpi); log_printhex (ecc_ecdh, 32, "ecc ECDH: ");
iov[0].data = ecc_ecdh; iov[0].data = ecc_ecdh;
iov[0].off = 0; iov[0].off = 0;
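Review bot: `log_printhex (ecc_ecdh, 32, "ecc ECDH: ");` on the new side writes the raw ECDH shared secret to the log unconditionally, whereas the existing `KEK key:` print near the end of the function is guarded by `if (DBG_CRYPTO)`; the new `eccKeyShare:` and `mlkemKeyShare:` prints in the next two hunks have the same problem. Key shares and shared secrets should sit behind the same debug guard so that a normal agent log never captures them: `if (DBG_CRYPTO)` followed by `  log_printhex (ecc_ecdh, 32, "ecc ECDH: ");`, and likewise for the other two lines. Moving `mpi_release (ecc_ct_mpi)` to after the cSHAKE call looks intended, since the ciphertext presumably feeds the combiner's iov entries, but a one-line comment at the new release site such as `/* Ciphertext MPIs must outlive the KDF, which hashes them via iov.  */` would make that ordering explicit for the next change here. agent_hybrid_kem_decap starts and ends outside this hunk.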
@ -310,6 +310,7 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
iov[2].off = 0; iov[2].off = 0;
iov[2].len = 32; iov[2].len = 32;
gcry_md_hash_buffers (GCRY_MD_SHA3_256, 0, ecc_ss, iov, 3); gcry_md_hash_buffers (GCRY_MD_SHA3_256, 0, ecc_ss, iov, 3);
log_printhex (ecc_ss, 32, "eccKeyShare: ");
/* Secondly, ML-KEM */ /* Secondly, ML-KEM */
gcry_sexp_extract_param (s_skey1, NULL, "/s", &mlkem_sk_mpi, NULL); gcry_sexp_extract_param (s_skey1, NULL, "/s", &mlkem_sk_mpi, NULL);
@ -325,8 +326,8 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
NULL, 0); NULL, 0);
mpi_release (mlkem_sk_mpi); mpi_release (mlkem_sk_mpi);
mpi_release (mlkem_ct_mpi);
log_printhex (mlkem_ss, GCRY_KEM_MLKEM768_SHARED_LEN, "mlkemKeyShare: ");
/* Then, combine two shared secrets into one */ /* Then, combine two shared secrets into one */
// multiKeyCombine(eccKeyShare, eccCipherText, // multiKeyCombine(eccKeyShare, eccCipherText,
@ -347,12 +348,12 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
// counter - the 4 byte value 00 00 00 01 // counter - the 4 byte value 00 00 00 01
// customizationString - the UTF-8 encoding of the string "KDF" // customizationString - the UTF-8 encoding of the string "KDF"
// //
// eccData = eccKeyShare || eccCipherText // eccData = eccKeyShare || eccCipherText
// mlkemData = mlkemKeyShare || mlkemCipherText // mlkemData = mlkemKeyShare || mlkemCipherText
// encData = counter || eccData || mlkemData || fixedInfo // encData = counter || eccData || mlkemData || fixedInfo
// //
// KEK = KMAC256(domSeparation, encData, oBits, customizationString) // KEK = KMAC256(domSeparation, encData, oBits, customizationString)
// return KEK // return KEK
// //
// fixedInfo = algID (105 for ML-KEM-768-x25519kem) // fixedInfo = algID (105 for ML-KEM-768-x25519kem)
// //
@ -375,11 +376,12 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
iov[2].off = 0; iov[2].off = 0;
iov[2].len = 2; iov[2].len = 2;
headK[0] = 1; headK[0] = 2;
headK[1] = 37; headK[1] = (37*8)>>8;
headK[2] = (37*8)&0xff;
iov[3].data = headK; iov[3].data = headK;
iov[3].off = 0; iov[3].off = 0;
iov[3].len = 2; iov[3].len = 3;
iov[4].data = "OpenPGPCompositeKeyDerivationFunction"; iov[4].data = "OpenPGPCompositeKeyDerivationFunction";
iov[4].off = 0; iov[4].off = 0;
@ -420,9 +422,11 @@ agent_hybrid_kem_decap (ctrl_t ctrl, const char *desc_text, int kemid,
iov[12].off = 0; iov[12].off = 0;
iov[12].len = 3; iov[12].len = 3;
gcry_md_hash_buffers_extract (GCRY_MD_CSHAKE256, 0, kekkey, kekkeylen, mpi_release (ecc_ct_mpi);
iov, DIM (iov)); mpi_release (mlkem_ct_mpi);
gcry_md_hash_buffers_extract (GCRY_MD_CSHAKE256, 0, kekkey, kekkeylen,
iov, 13);
if (DBG_CRYPTO) if (DBG_CRYPTO)
{ {
log_printhex (kekkey, kekkeylen, "KEK key: "); log_printhex (kekkey, kekkeylen, "KEK key: ");