/* pkglue.c - public key operations glue code * Copyright (C) 2000, 2003, 2010 Free Software Foundation, Inc. * Copyright (C) 2014 Werner Koch * Copyright (C) 2024 g10 Code GmbH. * * This file is part of GnuPG. * * GnuPG is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation; either version 3 of the License, or * (at your option) any later version. * * GnuPG is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, see . * SPDX-License-Identifier: GPL-3.0-or-later */ #include #include #include #include #include #include "gpg.h" #include "../common/util.h" #include "pkglue.h" #include "main.h" #include "options.h" /* Maximum buffer sizes required for ECC KEM. */ #define ECC_POINT_LEN_MAX (1+2*64) #define ECC_HASH_LEN_MAX 64 /* FIXME: Better change the function name because mpi_ is used by gcrypt macros. */ gcry_mpi_t get_mpi_from_sexp (gcry_sexp_t sexp, const char *item, int mpifmt) { gcry_sexp_t list; gcry_mpi_t data; list = gcry_sexp_find_token (sexp, item, 0); log_assert (list); data = gcry_sexp_nth_mpi (list, 1, mpifmt); log_assert (data); gcry_sexp_release (list); return data; } /* * SOS (Simply, Octet String) is an attempt to handle opaque octet * string in OpenPGP, where well-formed MPI cannot represent octet * string with leading zero octets. * * To retain maximum compatibility to existing MPI handling, SOS * has same structure, but allows leading zero octets. When there * is no leading zero octets, SOS representation is as same as MPI one. * With leading zero octets, NBITS is 8*(length of octets), regardless * of leading zero bits. */ /* Extract SOS representation from SEXP for PARAM, return the result * in R_SOS. It is represented by opaque MPI with GCRYMPI_FLAG_USER2 * flag. */ gpg_error_t sexp_extract_param_sos (gcry_sexp_t sexp, const char *param, gcry_mpi_t *r_sos) { gpg_error_t err; gcry_sexp_t l2 = gcry_sexp_find_token (sexp, param, 0); *r_sos = NULL; if (!l2) err = gpg_error (GPG_ERR_NO_OBJ); else { size_t buflen; void *p0 = gcry_sexp_nth_buffer (l2, 1, &buflen); if (!p0) err = gpg_error_from_syserror (); else { gcry_mpi_t sos; unsigned int nbits = buflen*8; unsigned char *p = p0; if (*p && nbits >= 8 && !(*p & 0x80)) if (--nbits >= 7 && !(*p & 0x40)) if (--nbits >= 6 && !(*p & 0x20)) if (--nbits >= 5 && !(*p & 0x10)) if (--nbits >= 4 && !(*p & 0x08)) if (--nbits >= 3 && !(*p & 0x04)) if (--nbits >= 2 && !(*p & 0x02)) if (--nbits >= 1 && !(*p & 0x01)) --nbits; sos = gcry_mpi_set_opaque (NULL, p0, nbits); if (sos) { gcry_mpi_set_flag (sos, GCRYMPI_FLAG_USER2); *r_sos = sos; err = 0; } else err = gpg_error_from_syserror (); } gcry_sexp_release (l2); } return err; } /* "No leading zero octets" (nlz) version of the function above. * * This routine is used for backward compatibility to existing * implementation with the weird handling of little endian integer * representation with leading zero octets. For the sake of * "well-fomed" MPI, which is designed for big endian integer, leading * zero octets are removed when output, and they are recovered at * input. * * Extract SOS representation from SEXP for PARAM, removing leading * zeros, return the result in R_SOS. */ gpg_error_t sexp_extract_param_sos_nlz (gcry_sexp_t sexp, const char *param, gcry_mpi_t *r_sos) { gpg_error_t err; gcry_sexp_t l2 = gcry_sexp_find_token (sexp, param, 0); *r_sos = NULL; if (!l2) err = gpg_error (GPG_ERR_NO_OBJ); else { size_t buflen; const void *p0 = gcry_sexp_nth_data (l2, 1, &buflen); if (!p0) err = gpg_error_from_syserror (); else { gcry_mpi_t sos; unsigned int nbits = buflen*8; const unsigned char *p = p0; /* Strip leading zero bits. */ for (; nbits >= 8 && !*p; p++, nbits -= 8) ; if (nbits >= 8 && !(*p & 0x80)) if (--nbits >= 7 && !(*p & 0x40)) if (--nbits >= 6 && !(*p & 0x20)) if (--nbits >= 5 && !(*p & 0x10)) if (--nbits >= 4 && !(*p & 0x08)) if (--nbits >= 3 && !(*p & 0x04)) if (--nbits >= 2 && !(*p & 0x02)) if (--nbits >= 1 && !(*p & 0x01)) --nbits; sos = gcry_mpi_set_opaque_copy (NULL, p, nbits); if (sos) { gcry_mpi_set_flag (sos, GCRYMPI_FLAG_USER2); *r_sos = sos; err = 0; } else err = gpg_error_from_syserror (); } gcry_sexp_release (l2); } return err; } static byte * get_data_from_sexp (gcry_sexp_t sexp, const char *item, size_t *r_size) { gcry_sexp_t list; size_t valuelen; const char *value; byte *v; if (DBG_CRYPTO) log_printsexp ("get_data_from_sexp:", sexp); list = gcry_sexp_find_token (sexp, item, 0); log_assert (list); value = gcry_sexp_nth_data (list, 1, &valuelen); log_assert (value); v = xtrymalloc (valuelen); memcpy (v, value, valuelen); gcry_sexp_release (list); *r_size = valuelen; return v; } /**************** * Emulate our old PK interface here - sometime in the future we might * change the internal design to directly fit to libgcrypt. */ int pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash, gcry_mpi_t *data, gcry_mpi_t *pkey) { gcry_sexp_t s_sig, s_hash, s_pkey; int rc; /* Make a sexp from pkey. */ if (pkalgo == PUBKEY_ALGO_DSA) { rc = gcry_sexp_build (&s_pkey, NULL, "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))", pkey[0], pkey[1], pkey[2], pkey[3]); } else if (pkalgo == PUBKEY_ALGO_ELGAMAL_E || pkalgo == PUBKEY_ALGO_ELGAMAL) { rc = gcry_sexp_build (&s_pkey, NULL, "(public-key(elg(p%m)(g%m)(y%m)))", pkey[0], pkey[1], pkey[2]); } else if (pkalgo == PUBKEY_ALGO_RSA || pkalgo == PUBKEY_ALGO_RSA_S) { rc = gcry_sexp_build (&s_pkey, NULL, "(public-key(rsa(n%m)(e%m)))", pkey[0], pkey[1]); } else if (pkalgo == PUBKEY_ALGO_ECDSA) { char *curve = openpgp_oid_to_str (pkey[0]); if (!curve) rc = gpg_error_from_syserror (); else { rc = gcry_sexp_build (&s_pkey, NULL, "(public-key(ecdsa(curve %s)(q%m)))", curve, pkey[1]); xfree (curve); } } else if (pkalgo == PUBKEY_ALGO_EDDSA) { char *curve = openpgp_oid_to_str (pkey[0]); if (!curve) rc = gpg_error_from_syserror (); else { const char *fmt; if (openpgp_oid_is_ed25519 (pkey[0])) fmt = "(public-key(ecc(curve %s)(flags eddsa)(q%m)))"; else fmt = "(public-key(ecc(curve %s)(q%m)))"; rc = gcry_sexp_build (&s_pkey, NULL, fmt, curve, pkey[1]); xfree (curve); } } else return GPG_ERR_PUBKEY_ALGO; if (rc) BUG (); /* gcry_sexp_build should never fail. */ /* Put hash into a S-Exp s_hash. */ if (pkalgo == PUBKEY_ALGO_EDDSA) { const char *fmt; if (openpgp_oid_is_ed25519 (pkey[0])) fmt = "(data(flags eddsa)(hash-algo sha512)(value %m))"; else fmt = "(data(value %m))"; if (gcry_sexp_build (&s_hash, NULL, fmt, hash)) BUG (); /* gcry_sexp_build should never fail. */ } else { if (gcry_sexp_build (&s_hash, NULL, "%m", hash)) BUG (); /* gcry_sexp_build should never fail. */ } /* Put data into a S-Exp s_sig. */ s_sig = NULL; if (pkalgo == PUBKEY_ALGO_DSA) { if (!data[0] || !data[1]) rc = gpg_error (GPG_ERR_BAD_MPI); else rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(dsa(r%m)(s%m)))", data[0], data[1]); } else if (pkalgo == PUBKEY_ALGO_ECDSA) { if (!data[0] || !data[1]) rc = gpg_error (GPG_ERR_BAD_MPI); else rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(ecdsa(r%m)(s%m)))", data[0], data[1]); } else if (pkalgo == PUBKEY_ALGO_EDDSA) { gcry_mpi_t r = data[0]; gcry_mpi_t s = data[1]; if (openpgp_oid_is_ed25519 (pkey[0])) { size_t rlen, slen, n; /* (bytes) */ char buf[64]; unsigned int nbits; unsigned int neededfixedlen = 256 / 8; log_assert (neededfixedlen <= sizeof buf); if (!r || !s) rc = gpg_error (GPG_ERR_BAD_MPI); else if ((rlen = (gcry_mpi_get_nbits (r)+7)/8) > neededfixedlen || !rlen) rc = gpg_error (GPG_ERR_BAD_MPI); else if ((slen = (gcry_mpi_get_nbits (s)+7)/8) > neededfixedlen || !slen) rc = gpg_error (GPG_ERR_BAD_MPI); else { /* We need to fixup the length in case of leading zeroes. * OpenPGP does not allow leading zeroes and the parser for * the signature packet has no information on the use curve, * thus we need to do it here. We won't do it for opaque * MPIs under the assumption that they are known to be fine; * we won't see them here anyway but the check is anyway * required. Fixme: A nifty feature for gcry_sexp_build * would be a format to left pad the value (e.g. "%*M"). */ rc = 0; if (rlen < neededfixedlen && !gcry_mpi_get_flag (r, GCRYMPI_FLAG_OPAQUE) && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, r))) { log_assert (n < neededfixedlen); memmove (buf + (neededfixedlen - n), buf, n); memset (buf, 0, neededfixedlen - n); r = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8); } else if (rlen < neededfixedlen && gcry_mpi_get_flag (r, GCRYMPI_FLAG_OPAQUE)) { const unsigned char *p; p = gcry_mpi_get_opaque (r, &nbits); n = (nbits+7)/8; memcpy (buf + (neededfixedlen - n), p, n); memset (buf, 0, neededfixedlen - n); gcry_mpi_set_opaque_copy (r, buf, neededfixedlen * 8); } if (slen < neededfixedlen && !gcry_mpi_get_flag (s, GCRYMPI_FLAG_OPAQUE) && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, s))) { log_assert (n < neededfixedlen); memmove (buf + (neededfixedlen - n), buf, n); memset (buf, 0, neededfixedlen - n); s = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8); } else if (slen < neededfixedlen && gcry_mpi_get_flag (s, GCRYMPI_FLAG_OPAQUE)) { const unsigned char *p; p = gcry_mpi_get_opaque (s, &nbits); n = (nbits+7)/8; memcpy (buf + (neededfixedlen - n), p, n); memset (buf, 0, neededfixedlen - n); gcry_mpi_set_opaque_copy (s, buf, neededfixedlen * 8); } } } else rc = 0; if (!rc) rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(eddsa(r%M)(s%M)))", r, s); if (r != data[0]) gcry_mpi_release (r); if (s != data[1]) gcry_mpi_release (s); } else if (pkalgo == PUBKEY_ALGO_ELGAMAL || pkalgo == PUBKEY_ALGO_ELGAMAL_E) { if (!data[0] || !data[1]) rc = gpg_error (GPG_ERR_BAD_MPI); else rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(elg(r%m)(s%m)))", data[0], data[1]); } else if (pkalgo == PUBKEY_ALGO_RSA || pkalgo == PUBKEY_ALGO_RSA_S) { if (!data[0]) rc = gpg_error (GPG_ERR_BAD_MPI); else rc = gcry_sexp_build (&s_sig, NULL, "(sig-val(rsa(s%m)))", data[0]); } else BUG (); if (!rc) rc = gcry_pk_verify (s_sig, s_hash, s_pkey); gcry_sexp_release (s_sig); gcry_sexp_release (s_hash); gcry_sexp_release (s_pkey); return rc; } #if GCRY_KEM_MLKEM1024_ENCAPS_LEN < GCRY_KEM_MLKEM768_ENCAPS_LEN \ || GCRY_KEM_MLKEM1024_SHARED_LEN < GCRY_KEM_MLKEM768_SHARED_LEN # error Bad Kyber constants in Libgcrypt #endif /* Core of the encryption for KEM algorithms. See pk_decrypt for a * description of the arguments. */ static gpg_error_t do_encrypt_kem (PKT_public_key *pk, gcry_mpi_t data, int seskey_algo, gcry_mpi_t *resarr) { gpg_error_t err; int i; unsigned int nbits, n; gcry_sexp_t s_data = NULL; gcry_cipher_hd_t hd = NULL; char *ecc_oid = NULL; enum gcry_kem_algos kyber_algo, ecc_algo; const unsigned char *ecc_pubkey; size_t ecc_pubkey_len; const unsigned char *kyber_pubkey; size_t kyber_pubkey_len; const unsigned char *seskey; size_t seskey_len; unsigned char *enc_seskey = NULL; size_t enc_seskey_len; int ecc_hash_algo; unsigned char ecc_ct[ECC_POINT_LEN_MAX]; unsigned char ecc_ecdh[ECC_POINT_LEN_MAX]; unsigned char ecc_ss[ECC_HASH_LEN_MAX]; size_t ecc_ct_len, ecc_ecdh_len, ecc_ss_len; unsigned char kyber_ct[GCRY_KEM_MLKEM1024_ENCAPS_LEN]; unsigned char kyber_ss[GCRY_KEM_MLKEM1024_SHARED_LEN]; size_t kyber_ct_len, kyber_ss_len; char fixedinfo[1+MAX_FINGERPRINT_LEN]; int fixedlen; unsigned char kek[32]; /* AES-256 is mandatory. */ size_t kek_len = 32; /* For later error checking we make sure the array is cleared. */ resarr[0] = resarr[1] = resarr[2] = NULL; /* As of now we use KEM only for the combined Kyber and thus a * second public key is expected. Right now we take the keys * directly from the PK->data elements. */ ecc_oid = openpgp_oid_to_str (pk->pkey[0]); if (!ecc_oid) { err = gpg_error_from_syserror (); log_error ("%s: error getting OID for ECC key\n", __func__); goto leave; } ecc_algo = openpgp_oid_to_kem_algo (ecc_oid); if (ecc_algo == GCRY_KEM_RAW_X25519) { if (!strcmp (ecc_oid, "1.3.6.1.4.1.3029.1.5.1")) log_info ("Warning: " "legacy OID for cv25519 accepted during development\n"); ecc_pubkey = gcry_mpi_get_opaque (pk->pkey[1], &nbits); ecc_pubkey_len = (nbits+7)/8; if (ecc_pubkey_len == 33 && *ecc_pubkey == 0x40) { ecc_pubkey++; /* Remove the 0x40 prefix. */ ecc_pubkey_len--; } if (ecc_pubkey_len != 32) { if (opt.verbose) log_info ("%s: ECC public key length invalid (%zu)\n", __func__, ecc_pubkey_len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } ecc_ct_len = ecc_ecdh_len = 32; ecc_ss_len = 32; ecc_hash_algo = GCRY_MD_SHA3_256; } else if (ecc_algo == GCRY_KEM_RAW_X448) { ecc_pubkey = gcry_mpi_get_opaque (pk->pkey[1], &nbits); ecc_pubkey_len = (nbits+7)/8; if (ecc_pubkey_len != 56) { if (opt.verbose) log_info ("%s: ECC public key length invalid (%zu)\n", __func__, ecc_pubkey_len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } ecc_ct_len = ecc_ecdh_len = 56; ecc_ss_len = 64; ecc_hash_algo = GCRY_MD_SHA3_512; } else if (ecc_algo == GCRY_KEM_RAW_BP256) { ecc_pubkey = gcry_mpi_get_opaque (pk->pkey[1], &nbits); ecc_pubkey_len = (nbits+7)/8; if (ecc_pubkey_len != 65) { if (opt.verbose) log_info ("%s: ECC public key length invalid (%zu)\n", __func__, ecc_pubkey_len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } ecc_ct_len = ecc_ecdh_len = 65; ecc_ss_len = 32; ecc_hash_algo = GCRY_MD_SHA3_256; } else if (ecc_algo == GCRY_KEM_RAW_BP384) { ecc_pubkey = gcry_mpi_get_opaque (pk->pkey[1], &nbits); ecc_pubkey_len = (nbits+7)/8; if (ecc_pubkey_len != 97) { if (opt.verbose) log_info ("%s: ECC public key length invalid (%zu)\n", __func__, ecc_pubkey_len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } ecc_ct_len = ecc_ecdh_len = 97; ecc_ss_len = 64; ecc_hash_algo = GCRY_MD_SHA3_512; } else if (ecc_algo == GCRY_KEM_RAW_BP512) { ecc_pubkey = gcry_mpi_get_opaque (pk->pkey[1], &nbits); ecc_pubkey_len = (nbits+7)/8; if (ecc_pubkey_len != 129) { if (opt.verbose) log_info ("%s: ECC public key length invalid (%zu)\n", __func__, ecc_pubkey_len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } ecc_ct_len = ecc_ecdh_len = 129; ecc_ss_len = 64; ecc_hash_algo = GCRY_MD_SHA3_512; } else { if (opt.verbose) log_info ("%s: ECC curve %s not supported\n", __func__, ecc_oid); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } if (DBG_CRYPTO) { log_debug ("ECC curve: %s\n", ecc_oid); log_printhex (ecc_pubkey, ecc_pubkey_len, "ECC pubkey:"); } err = gcry_kem_encap (ecc_algo, ecc_pubkey, ecc_pubkey_len, ecc_ct, ecc_ct_len, ecc_ecdh, ecc_ecdh_len, NULL, 0); if (err) { if (opt.verbose) log_info ("%s: gcry_kem_encap for ECC (%s) failed\n", __func__, ecc_oid); goto leave; } if (DBG_CRYPTO) { log_printhex (ecc_ct, ecc_ct_len, "ECC ephem:"); log_printhex (ecc_ecdh, ecc_ecdh_len, "ECC ecdh:"); } err = gnupg_ecc_kem_kdf (ecc_ss, ecc_ss_len, ecc_hash_algo, ecc_ecdh, ecc_ecdh_len, ecc_ct, ecc_ct_len, ecc_pubkey, ecc_pubkey_len); if (err) { if (opt.verbose) log_info ("%s: kdf for ECC failed\n", __func__); goto leave; } if (DBG_CRYPTO) log_printhex (ecc_ss, ecc_ss_len, "ECC shared:"); kyber_pubkey = gcry_mpi_get_opaque (pk->pkey[2], &nbits); kyber_pubkey_len = (nbits+7)/8; if (kyber_pubkey_len == GCRY_KEM_MLKEM768_PUBKEY_LEN) { kyber_algo = GCRY_KEM_MLKEM768; kyber_ct_len = GCRY_KEM_MLKEM768_ENCAPS_LEN; kyber_ss_len = GCRY_KEM_MLKEM768_SHARED_LEN; } else if (kyber_pubkey_len == GCRY_KEM_MLKEM1024_PUBKEY_LEN) { kyber_algo = GCRY_KEM_MLKEM1024; kyber_ct_len = GCRY_KEM_MLKEM1024_ENCAPS_LEN; kyber_ss_len = GCRY_KEM_MLKEM1024_SHARED_LEN; } else { if (opt.verbose) log_info ("%s: Kyber public key length invalid (%zu)\n", __func__, kyber_pubkey_len); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } if (DBG_CRYPTO) log_printhex (kyber_pubkey, kyber_pubkey_len, "|!trunc|Kyber pubkey:"); err = gcry_kem_encap (kyber_algo, kyber_pubkey, kyber_pubkey_len, kyber_ct, kyber_ct_len, kyber_ss, kyber_ss_len, NULL, 0); if (err) { if (opt.verbose) log_info ("%s: gcry_kem_encap for ECC failed\n", __func__); goto leave; } if (DBG_CRYPTO) { log_printhex (kyber_ct, kyber_ct_len, "|!trunc|Kyber ephem:"); log_printhex (kyber_ss, kyber_ss_len, "Kyber shared:"); } fixedinfo[0] = seskey_algo; v5_fingerprint_from_pk (pk, fixedinfo+1, NULL); fixedlen = 33; err = gnupg_kem_combiner (kek, kek_len, ecc_ss, ecc_ss_len, ecc_ct, ecc_ct_len, kyber_ss, kyber_ss_len, kyber_ct, kyber_ct_len, fixedinfo, fixedlen); if (err) { if (opt.verbose) log_info ("%s: KEM combiner failed\n", __func__); goto leave; } if (DBG_CRYPTO) log_printhex (kek, kek_len, "KEK:"); err = gcry_cipher_open (&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_AESWRAP, 0); if (!err) err = gcry_cipher_setkey (hd, kek, kek_len); if (err) { if (opt.verbose) log_error ("%s: failed to initialize AESWRAP: %s\n", __func__, gpg_strerror (err)); goto leave; } err = gcry_sexp_build (&s_data, NULL, "%m", data); if (err) goto leave; n = gcry_cipher_get_algo_keylen (seskey_algo); seskey = gcry_mpi_get_opaque (data, &nbits); seskey_len = (nbits+7)/8; if (seskey_len != n) { if (opt.verbose) log_info ("%s: session key length %zu" " does not match the length for algo %d\n", __func__, seskey_len, seskey_algo); err = gpg_error (GPG_ERR_INV_DATA); goto leave; } if (DBG_CRYPTO) log_printhex (seskey, seskey_len, "seskey:"); enc_seskey_len = 1 + seskey_len + 8; enc_seskey = xtrymalloc (enc_seskey_len); if (!enc_seskey || enc_seskey_len > 254) { err = gpg_error_from_syserror (); goto leave; } enc_seskey[0] = enc_seskey_len - 1; err = gcry_cipher_encrypt (hd, enc_seskey+1, enc_seskey_len-1, seskey, seskey_len); if (err) { log_error ("%s: wrapping session key failed\n", __func__); goto leave; } if (DBG_CRYPTO) log_printhex (enc_seskey, enc_seskey_len, "enc_seskey:"); resarr[0] = gcry_mpi_set_opaque_copy (NULL, ecc_ct, 8 * ecc_ct_len); if (resarr[0]) resarr[1] = gcry_mpi_set_opaque_copy (NULL, kyber_ct, 8 * kyber_ct_len); if (resarr[1]) resarr[2] = gcry_mpi_set_opaque_copy (NULL, enc_seskey, 8 * enc_seskey_len); if (!resarr[0] || !resarr[1] || !resarr[2]) { err = gpg_error_from_syserror (); for (i=0; i < 3; i++) gcry_mpi_release (resarr[i]), resarr[i] = NULL; } leave: wipememory (ecc_ct, sizeof ecc_ct); wipememory (ecc_ecdh, sizeof ecc_ecdh); wipememory (ecc_ss, sizeof ecc_ss); wipememory (kyber_ct, sizeof kyber_ct); wipememory (kyber_ss, sizeof kyber_ss); wipememory (kek, kek_len); xfree (enc_seskey); gcry_cipher_close (hd); xfree (ecc_oid); return err; } /* Core of the encryption for the ECDH algorithms. See pk_decrypt for * a description of the arguments. */ static gpg_error_t do_encrypt_ecdh (PKT_public_key *pk, gcry_mpi_t data, gcry_mpi_t *resarr) { gcry_mpi_t *pkey = pk->pkey; gcry_sexp_t s_ciph = NULL; gcry_sexp_t s_data = NULL; gcry_sexp_t s_pkey = NULL; gpg_error_t err; gcry_mpi_t k = NULL; char *curve = NULL; int with_djb_tweak_flag; gcry_mpi_t public = NULL; gcry_mpi_t result = NULL; byte fp[MAX_FINGERPRINT_LEN]; byte *shared = NULL; byte *p; size_t nshared; unsigned int nbits; err = pk_ecdh_generate_ephemeral_key (pkey, &k); if (err) goto leave; curve = openpgp_oid_to_str (pkey[0]); if (!curve) { err = gpg_error_from_syserror (); goto leave; } with_djb_tweak_flag = openpgp_oid_is_cv25519 (pkey[0]); /* Now use the ephemeral secret to compute the shared point. */ err = gcry_sexp_build (&s_pkey, NULL, with_djb_tweak_flag ? "(public-key(ecdh(curve%s)(flags djb-tweak)(q%m)))" : "(public-key(ecdh(curve%s)(q%m)))", curve, pkey[1]); if (err) goto leave; /* Put K into a simplified S-expression. */ err = gcry_sexp_build (&s_data, NULL, "%m", k); if (err) goto leave; /* Run encryption. */ err = gcry_pk_encrypt (&s_ciph, s_data, s_pkey); if (err) goto leave; gcry_sexp_release (s_data); s_data = NULL; gcry_sexp_release (s_pkey); s_pkey = NULL; /* Get the shared point and the ephemeral public key. */ shared = get_data_from_sexp (s_ciph, "s", &nshared); if (!shared) { err = gpg_error_from_syserror (); goto leave; } err = sexp_extract_param_sos (s_ciph, "e", &public); gcry_sexp_release (s_ciph); s_ciph = NULL; if (DBG_CRYPTO) { log_debug ("ECDH ephemeral key:"); gcry_mpi_dump (public); log_printf ("\n"); } fingerprint_from_pk (pk, fp, NULL); p = gcry_mpi_get_opaque (data, &nbits); result = NULL; err = pk_ecdh_encrypt_with_shared_point (shared, nshared, fp, p, (nbits+7)/8, pkey, &result); if (err) goto leave; resarr[0] = public; public = NULL; resarr[1] = result; result = NULL; leave: gcry_mpi_release (public); gcry_mpi_release (result); xfree (shared); gcry_sexp_release (s_ciph); gcry_sexp_release (s_data); gcry_sexp_release (s_pkey); xfree (curve); gcry_mpi_release (k); return err; } /* Core of the encryption for RSA and Elgamal algorithms. See * pk_decrypt for a description of the arguments. */ static gpg_error_t do_encrypt_rsa_elg (PKT_public_key *pk, gcry_mpi_t data, gcry_mpi_t *resarr) { pubkey_algo_t algo = pk->pubkey_algo; gcry_mpi_t *pkey = pk->pkey; gcry_sexp_t s_ciph = NULL; gcry_sexp_t s_data = NULL; gcry_sexp_t s_pkey = NULL; gpg_error_t err; if (algo == PUBKEY_ALGO_ELGAMAL || algo == PUBKEY_ALGO_ELGAMAL_E) err = gcry_sexp_build (&s_pkey, NULL, "(public-key(elg(p%m)(g%m)(y%m)))", pkey[0], pkey[1], pkey[2]); else err = gcry_sexp_build (&s_pkey, NULL, "(public-key(rsa(n%m)(e%m)))", pkey[0], pkey[1]); if (err) goto leave; err = gcry_sexp_build (&s_data, NULL, "%m", data); if (err) goto leave; err = gcry_pk_encrypt (&s_ciph, s_data, s_pkey); if (err) goto leave; gcry_sexp_release (s_data); s_data = NULL; gcry_sexp_release (s_pkey); s_pkey = NULL; resarr[0] = get_mpi_from_sexp (s_ciph, "a", GCRYMPI_FMT_USG); if (!is_RSA (algo)) resarr[1] = get_mpi_from_sexp (s_ciph, "b", GCRYMPI_FMT_USG); leave: gcry_sexp_release (s_data); gcry_sexp_release (s_pkey); gcry_sexp_release (s_ciph); return err; } /* * Emulate our old PK interface here - sometime in the future we might * change the internal design to directly fit to libgcrypt. PK is is * the OpenPGP public key packet, DATA is an MPI with the to be * encrypted data, and RESARR receives the encrypted data. RESARRAY * is expected to be an two item array which will be filled with newly * allocated MPIs. SESKEY_ALGO is required for public key algorithms * which do not encode it in DATA. */ gpg_error_t pk_encrypt (PKT_public_key *pk, gcry_mpi_t data, int seskey_algo, gcry_mpi_t *resarr) { pubkey_algo_t algo = pk->pubkey_algo; if (algo == PUBKEY_ALGO_KYBER) return do_encrypt_kem (pk, data, seskey_algo, resarr); else if (algo == PUBKEY_ALGO_ECDH) return do_encrypt_ecdh (pk, data, resarr); else if (algo == PUBKEY_ALGO_ELGAMAL || algo == PUBKEY_ALGO_ELGAMAL_E) return do_encrypt_rsa_elg (pk, data, resarr); else if (algo == PUBKEY_ALGO_RSA || algo == PUBKEY_ALGO_RSA_E) return do_encrypt_rsa_elg (pk, data, resarr); else return gpg_error (GPG_ERR_PUBKEY_ALGO); } /* Check whether SKEY is a suitable secret key. */ int pk_check_secret_key (pubkey_algo_t pkalgo, gcry_mpi_t *skey) { gcry_sexp_t s_skey; int rc; if (pkalgo == PUBKEY_ALGO_DSA) { rc = gcry_sexp_build (&s_skey, NULL, "(private-key(dsa(p%m)(q%m)(g%m)(y%m)(x%m)))", skey[0], skey[1], skey[2], skey[3], skey[4]); } else if (pkalgo == PUBKEY_ALGO_ELGAMAL || pkalgo == PUBKEY_ALGO_ELGAMAL_E) { rc = gcry_sexp_build (&s_skey, NULL, "(private-key(elg(p%m)(g%m)(y%m)(x%m)))", skey[0], skey[1], skey[2], skey[3]); } else if (is_RSA (pkalgo)) { rc = gcry_sexp_build (&s_skey, NULL, "(private-key(rsa(n%m)(e%m)(d%m)(p%m)(q%m)(u%m)))", skey[0], skey[1], skey[2], skey[3], skey[4], skey[5]); } else if (pkalgo == PUBKEY_ALGO_ECDSA || pkalgo == PUBKEY_ALGO_ECDH) { char *curve = openpgp_oid_to_str (skey[0]); if (!curve) rc = gpg_error_from_syserror (); else { rc = gcry_sexp_build (&s_skey, NULL, "(private-key(ecc(curve%s)(q%m)(d%m)))", curve, skey[1], skey[2]); xfree (curve); } } else if (pkalgo == PUBKEY_ALGO_EDDSA) { char *curve = openpgp_oid_to_str (skey[0]); if (!curve) rc = gpg_error_from_syserror (); else { const char *fmt; if (openpgp_oid_is_ed25519 (skey[0])) fmt = "(private-key(ecc(curve %s)(flags eddsa)(q%m)(d%m)))"; else fmt = "(private-key(ecc(curve %s)(q%m)(d%m)))"; rc = gcry_sexp_build (&s_skey, NULL, fmt, curve, skey[1], skey[2]); xfree (curve); } } else return GPG_ERR_PUBKEY_ALGO; if (!rc) { rc = gcry_pk_testkey (s_skey); gcry_sexp_release (s_skey); } return rc; }