1 /*-
2 * Copyright (c) 2017 Ribose Inc.
3 * All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 *
14 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
15 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
16 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
17 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS
18 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
19 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
20 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
21 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
22 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
23 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
24 * POSSIBILITY OF SUCH DAMAGE.
25 */
26
27 #include <string.h>
28 #include <botan/ffi.h>
29 #include "ecdh.h"
30 #include "ecdh_utils.h"
31 #include "hash.h"
32 #include "symmetric.h"
33 #include "types.h"
34 #include "utils.h"
35 #include "mem.h"
36 #include "bn.h"
37
38 // Produces kek of size kek_len which corresponds to length of wrapping key
39 static bool
compute_kek(uint8_t * kek,size_t kek_len,const uint8_t * other_info,size_t other_info_size,const ec_curve_desc_t * curve_desc,const pgp_mpi_t * ec_pubkey,const botan_privkey_t ec_prvkey,const pgp_hash_alg_t hash_alg)40 compute_kek(uint8_t * kek,
41 size_t kek_len,
42 const uint8_t * other_info,
43 size_t other_info_size,
44 const ec_curve_desc_t *curve_desc,
45 const pgp_mpi_t * ec_pubkey,
46 const botan_privkey_t ec_prvkey,
47 const pgp_hash_alg_t hash_alg)
48 {
49 const uint8_t *p = ec_pubkey->mpi;
50 uint8_t p_len = ec_pubkey->len;
51
52 if (curve_desc->rnp_curve_id == PGP_CURVE_25519) {
53 if ((p_len != 33) || (p[0] != 0x40)) {
54 return false;
55 }
56 p++;
57 p_len--;
58 }
59
60 rnp::secure_array<uint8_t, MAX_CURVE_BYTELEN * 2 + 1> s;
61
62 botan_pk_op_ka_t op_key_agreement = NULL;
63 bool ret = false;
64 char kdf_name[32] = {0};
65 size_t s_len = s.size();
66
67 if (botan_pk_op_key_agreement_create(&op_key_agreement, ec_prvkey, "Raw", 0) ||
68 botan_pk_op_key_agreement(op_key_agreement, s.data(), &s_len, p, p_len, NULL, 0)) {
69 goto end;
70 }
71
72 snprintf(kdf_name, sizeof(kdf_name), "SP800-56A(%s)", rnp::Hash::name_backend(hash_alg));
73 ret = !botan_kdf(
74 kdf_name, kek, kek_len, s.data(), s_len, NULL, 0, other_info, other_info_size);
75 end:
76 return ret && !botan_pk_op_key_agreement_destroy(op_key_agreement);
77 }
78
79 static bool
ecdh_load_public_key(botan_pubkey_t * pubkey,const pgp_ec_key_t * key)80 ecdh_load_public_key(botan_pubkey_t *pubkey, const pgp_ec_key_t *key)
81 {
82 bool res = false;
83
84 const ec_curve_desc_t *curve = get_curve_desc(key->curve);
85 if (!curve) {
86 RNP_LOG("unknown curve");
87 return false;
88 }
89
90 if (curve->rnp_curve_id == PGP_CURVE_25519) {
91 if ((key->p.len != 33) || (key->p.mpi[0] != 0x40)) {
92 return false;
93 }
94 rnp::secure_array<uint8_t, 32> pkey;
95 memcpy(pkey.data(), key->p.mpi + 1, 32);
96 return !botan_pubkey_load_x25519(pubkey, pkey.data());
97 }
98
99 if (!mpi_bytes(&key->p) || (key->p.mpi[0] != 0x04)) {
100 RNP_LOG("Failed to load public key");
101 return false;
102 }
103
104 botan_mp_t px = NULL;
105 botan_mp_t py = NULL;
106 const size_t curve_order = BITS_TO_BYTES(curve->bitlen);
107
108 if (botan_mp_init(&px) || botan_mp_init(&py) ||
109 botan_mp_from_bin(px, &key->p.mpi[1], curve_order) ||
110 botan_mp_from_bin(py, &key->p.mpi[1 + curve_order], curve_order)) {
111 goto end;
112 }
113
114 if (!(res = !botan_pubkey_load_ecdh(pubkey, px, py, curve->botan_name))) {
115 RNP_LOG("failed to load ecdh public key");
116 }
117 end:
118 botan_mp_destroy(px);
119 botan_mp_destroy(py);
120 return res;
121 }
122
123 static bool
ecdh_load_secret_key(botan_privkey_t * seckey,const pgp_ec_key_t * key)124 ecdh_load_secret_key(botan_privkey_t *seckey, const pgp_ec_key_t *key)
125 {
126 const ec_curve_desc_t *curve = get_curve_desc(key->curve);
127
128 if (!curve) {
129 return false;
130 }
131
132 if (curve->rnp_curve_id == PGP_CURVE_25519) {
133 if (key->x.len != 32) {
134 RNP_LOG("wrong x25519 key");
135 return false;
136 }
137 /* need to reverse byte order since in mpi we have big-endian */
138 rnp::secure_array<uint8_t, 32> prkey;
139 for (int i = 0; i < 32; i++) {
140 prkey[i] = key->x.mpi[31 - i];
141 }
142 return !botan_privkey_load_x25519(seckey, prkey.data());
143 }
144
145 bignum_t *x = NULL;
146 if (!(x = mpi2bn(&key->x))) {
147 return false;
148 }
149 bool res = !botan_privkey_load_ecdh(seckey, BN_HANDLE_PTR(x), curve->botan_name);
150 bn_free(x);
151 return res;
152 }
153
154 rnp_result_t
ecdh_validate_key(rnp::RNG * rng,const pgp_ec_key_t * key,bool secret)155 ecdh_validate_key(rnp::RNG *rng, const pgp_ec_key_t *key, bool secret)
156 {
157 botan_pubkey_t bpkey = NULL;
158 botan_privkey_t bskey = NULL;
159 rnp_result_t ret = RNP_ERROR_BAD_PARAMETERS;
160
161 const ec_curve_desc_t *curve_desc = get_curve_desc(key->curve);
162 if (!curve_desc) {
163 return RNP_ERROR_NOT_SUPPORTED;
164 }
165
166 if (!ecdh_load_public_key(&bpkey, key) ||
167 botan_pubkey_check_key(bpkey, rng->handle(), 0)) {
168 goto done;
169 }
170 if (!secret) {
171 ret = RNP_SUCCESS;
172 goto done;
173 }
174
175 if (!ecdh_load_secret_key(&bskey, key) ||
176 botan_privkey_check_key(bskey, rng->handle(), 0)) {
177 goto done;
178 }
179 ret = RNP_SUCCESS;
180 done:
181 botan_privkey_destroy(bskey);
182 botan_pubkey_destroy(bpkey);
183 return ret;
184 }
185
186 rnp_result_t
ecdh_encrypt_pkcs5(rnp::RNG * rng,pgp_ecdh_encrypted_t * out,const uint8_t * const in,size_t in_len,const pgp_ec_key_t * key,const pgp_fingerprint_t & fingerprint)187 ecdh_encrypt_pkcs5(rnp::RNG * rng,
188 pgp_ecdh_encrypted_t * out,
189 const uint8_t *const in,
190 size_t in_len,
191 const pgp_ec_key_t * key,
192 const pgp_fingerprint_t &fingerprint)
193 {
194 botan_privkey_t eph_prv_key = NULL;
195 rnp_result_t ret = RNP_ERROR_GENERIC;
196 uint8_t other_info[MAX_SP800_56A_OTHER_INFO];
197 uint8_t kek[32] = {0}; // Size of SHA-256 or smaller
198 // 'm' is padded to the 8-byte granularity
199 uint8_t m[MAX_SESSION_KEY_SIZE];
200 const size_t m_padded_len = ((in_len / 8) + 1) * 8;
201
202 if (!key || !out || !in || (in_len > sizeof(m))) {
203 return RNP_ERROR_BAD_PARAMETERS;
204 }
205 #if !defined(ENABLE_SM2)
206 if (key->curve == PGP_CURVE_SM2_P_256) {
207 RNP_LOG("SM2 curve support is disabled.");
208 return RNP_ERROR_NOT_IMPLEMENTED;
209 }
210 #endif
211 const ec_curve_desc_t *curve_desc = get_curve_desc(key->curve);
212 if (!curve_desc) {
213 RNP_LOG("unsupported curve");
214 return RNP_ERROR_NOT_SUPPORTED;
215 }
216
217 // +8 because of AES-wrap adds 8 bytes
218 if (ECDH_WRAPPED_KEY_SIZE < (m_padded_len + 8)) {
219 return RNP_ERROR_BAD_PARAMETERS;
220 }
221
222 // See 13.5 of RFC 4880 for definition of other_info_size
223 const size_t other_info_size = curve_desc->OIDhex_len + 46;
224 const size_t kek_len = pgp_key_size(key->key_wrap_alg);
225 size_t tmp_len = kdf_other_info_serialize(
226 other_info, curve_desc, fingerprint, key->kdf_hash_alg, key->key_wrap_alg);
227
228 if (tmp_len != other_info_size) {
229 RNP_LOG("Serialization of other info failed");
230 return RNP_ERROR_GENERIC;
231 }
232
233 if (!strcmp(curve_desc->botan_name, "curve25519")) {
234 if (botan_privkey_create(&eph_prv_key, "Curve25519", "", rng->handle())) {
235 goto end;
236 }
237 } else {
238 if (botan_privkey_create(
239 &eph_prv_key, "ECDH", curve_desc->botan_name, rng->handle())) {
240 goto end;
241 }
242 }
243
244 if (!compute_kek(kek,
245 kek_len,
246 other_info,
247 other_info_size,
248 curve_desc,
249 &key->p,
250 eph_prv_key,
251 key->kdf_hash_alg)) {
252 RNP_LOG("KEK computation failed");
253 goto end;
254 }
255
256 memcpy(m, in, in_len);
257 if (!pad_pkcs7(m, m_padded_len, in_len)) {
258 // Should never happen
259 goto end;
260 }
261
262 out->mlen = sizeof(out->m);
263 if (botan_key_wrap3394(m, m_padded_len, kek, kek_len, out->m, &out->mlen)) {
264 goto end;
265 }
266
267 /* we need to prepend 0x40 for the x25519 */
268 if (key->curve == PGP_CURVE_25519) {
269 out->p.len = sizeof(out->p.mpi) - 1;
270 if (botan_pk_op_key_agreement_export_public(
271 eph_prv_key, out->p.mpi + 1, &out->p.len)) {
272 goto end;
273 }
274 out->p.mpi[0] = 0x40;
275 out->p.len++;
276 } else {
277 out->p.len = sizeof(out->p.mpi);
278 if (botan_pk_op_key_agreement_export_public(eph_prv_key, out->p.mpi, &out->p.len)) {
279 goto end;
280 }
281 }
282
283 // All OK
284 ret = RNP_SUCCESS;
285 end:
286 botan_privkey_destroy(eph_prv_key);
287 return ret;
288 }
289
290 rnp_result_t
ecdh_decrypt_pkcs5(uint8_t * out,size_t * out_len,const pgp_ecdh_encrypted_t * in,const pgp_ec_key_t * key,const pgp_fingerprint_t & fingerprint)291 ecdh_decrypt_pkcs5(uint8_t * out,
292 size_t * out_len,
293 const pgp_ecdh_encrypted_t *in,
294 const pgp_ec_key_t * key,
295 const pgp_fingerprint_t & fingerprint)
296 {
297 if (!out_len || !in || !key || !mpi_bytes(&key->x)) {
298 return RNP_ERROR_BAD_PARAMETERS;
299 }
300
301 const ec_curve_desc_t *curve_desc = get_curve_desc(key->curve);
302 if (!curve_desc) {
303 RNP_LOG("unknown curve");
304 return RNP_ERROR_NOT_SUPPORTED;
305 }
306
307 const pgp_symm_alg_t wrap_alg = key->key_wrap_alg;
308 const pgp_hash_alg_t kdf_hash = key->kdf_hash_alg;
309 /* Ensure that AES is used for wrapping */
310 if ((wrap_alg != PGP_SA_AES_128) && (wrap_alg != PGP_SA_AES_192) &&
311 (wrap_alg != PGP_SA_AES_256)) {
312 RNP_LOG("non-aes wrap algorithm");
313 return RNP_ERROR_NOT_SUPPORTED;
314 }
315
316 // See 13.5 of RFC 4880 for definition of other_info_size
317 uint8_t other_info[MAX_SP800_56A_OTHER_INFO];
318 const size_t other_info_size = curve_desc->OIDhex_len + 46;
319 const size_t tmp_len =
320 kdf_other_info_serialize(other_info, curve_desc, fingerprint, kdf_hash, wrap_alg);
321
322 if (other_info_size != tmp_len) {
323 RNP_LOG("Serialization of other info failed");
324 return RNP_ERROR_GENERIC;
325 }
326
327 botan_privkey_t prv_key = NULL;
328 if (!ecdh_load_secret_key(&prv_key, key)) {
329 RNP_LOG("failed to load ecdh secret key");
330 return RNP_ERROR_GENERIC;
331 }
332
333 // Size of SHA-256 or smaller
334 rnp::secure_array<uint8_t, MAX_SYMM_KEY_SIZE> kek;
335 rnp::secure_array<uint8_t, MAX_SESSION_KEY_SIZE> deckey;
336
337 size_t deckey_len = deckey.size();
338 size_t offset = 0;
339 rnp_result_t ret = RNP_ERROR_GENERIC;
340
341 /* Security: Always return same error code in case compute_kek,
342 * botan_key_unwrap3394 or unpad_pkcs7 fails
343 */
344 size_t kek_len = pgp_key_size(wrap_alg);
345 if (!compute_kek(kek.data(),
346 kek_len,
347 other_info,
348 other_info_size,
349 curve_desc,
350 &in->p,
351 prv_key,
352 kdf_hash)) {
353 goto end;
354 }
355
356 if (botan_key_unwrap3394(
357 in->m, in->mlen, kek.data(), kek_len, deckey.data(), &deckey_len)) {
358 goto end;
359 }
360
361 if (!unpad_pkcs7(deckey.data(), deckey_len, &offset)) {
362 goto end;
363 }
364
365 if (*out_len < offset) {
366 ret = RNP_ERROR_SHORT_BUFFER;
367 goto end;
368 }
369
370 *out_len = offset;
371 memcpy(out, deckey.data(), *out_len);
372 ret = RNP_SUCCESS;
373 end:
374 botan_privkey_destroy(prv_key);
375 return ret;
376 }
377