Почетна Преглед Помоћ
Пријавите се
phcoder
/
grub-savannah-mirror
огледало од https://git.savannah.gnu.org/git/grub.git
Прати 1
Волим 0
Креирај огранак 0
Датотеке Дискусије 0 Вики
Грана: master
Гране Ознаке
grub-savanna...
/
grub-core
/
lib
/
libgcrypt
/
cipher
/
ecc-ecdh.c

ecc-ecdh.c 8.8 KB
Пермалинк Историја Датотека

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358 
  1. /* ecc-ecdh.c  -  Elliptic Curve Diffie-Hellman key agreement
    2. 

  2.  * Copyright (C) 2019 g10 Code GmbH
    3. 

  3.  *
    4. 

  4.  * This file is part of Libgcrypt.
    5. 

  5.  *
    6. 

  6.  * Libgcrypt is free software; you can redistribute it and/or modify
    7. 

  7.  * it under the terms of the GNU Lesser General Public License as
    8. 

  8.  * published by the Free Software Foundation; either version 2.1 of
    9. 

  9.  * the License, or (at your option) any later version.
    10. 

  10.  *
    11. 

  11.  * Libgcrypt is distributed in the hope that it will be useful,
    12. 

  12.  * but WITHOUT ANY WARRANTY; without even the implied warranty of
    13. 

  13.  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    14. 

  14.  * GNU Lesser General Public License for more details.
    15. 

  15.  *
    16. 

  16.  * You should have received a copy of the GNU Lesser General Public License
    17. 

  17.  * along with this program; if not, see <https://www.gnu.org/licenses/>.
    18. 

  18.  * SPDX-License-Identifier: LGPL-2.1+
    19. 

  19.  */
    20. 

  20. 

  21. #include <config.h>
    22. 

  22. #include <stdio.h>
    23. 

  23. #include <stdlib.h>
    24. 

  24. #include <string.h>
    25. 

  25. #include <errno.h>
    26. 

  26. 

  27. #include "g10lib.h"
    28. 

  28. #include "mpi.h"
    29. 

  29. #include "cipher.h"
    30. 

  30. #include "context.h"
    31. 

  31. #include "ec-context.h"
    32. 

  32. #include "ecc-common.h"
    33. 

  33. 

  34. #define ECC_CURVE25519_BYTES 32
    35. 

  35. #define ECC_CURVE448_BYTES   56
    36. 

  36. 

  37. static gpg_err_code_t
    38. 

  38. prepare_ec (mpi_ec_t *r_ec, const char *name)
    39. 

  39. {
    40. 

  40.   int flags = 0;
    41. 

  41. 

  42.   if (!strcmp (name, "Curve25519"))
    43. 

  43.     flags = PUBKEY_FLAG_DJB_TWEAK;
    44. 

  44. 

  45.   return _gcry_mpi_ec_internal_new (r_ec, &flags, "ecc_mul_point", NULL, name);
    46. 

  46. }
    47. 

  47. 

  48. unsigned int
    49. 

  49. _gcry_ecc_get_algo_keylen (int curveid)
    50. 

  50. {
    51. 

  51.   unsigned int len = 0;
    52. 

  52. 

  53.   if (curveid == GCRY_ECC_CURVE25519)
    54. 

  54.     len = ECC_CURVE25519_BYTES;
    55. 

  55.   else if (curveid == GCRY_ECC_CURVE448)
    56. 

  56.     len = ECC_CURVE448_BYTES;
    57. 

  57. 

  58.   return len;
    59. 

  59. }
    60. 

  60. 

  61. /* For Curve25519 and X448, we need to mask the bits and enable the MSB.  */
    62. 

  62. static void
    63. 

  63. ecc_tweak_bits (unsigned char *seckey, size_t seckey_len)
    64. 

  64. {
    65. 

  65.   if (seckey_len == 32)
    66. 

  66.     {
    67. 

  67.       seckey[0] &= 0xf8;
    68. 

  68.       seckey[31] &= 0x7f;
    69. 

  69.       seckey[31] |= 0x40;
    70. 

  70.     }
    71. 

  71.   else
    72. 

  72.     {
    73. 

  73.       seckey[0] &= 0xfc;
    74. 

  74.       seckey[55] |= 0x80;
    75. 

  75.     }
    76. 

  76. }
    77. 

  77. 

  78. gpg_err_code_t
    79. 

  79. _gcry_ecc_curve_keypair (const char *curve,
    80. 

  80.                          unsigned char *pubkey, size_t pubkey_len,
    81. 

  81.                          unsigned char *seckey, size_t seckey_len)
    82. 

  82. {
    83. 

  83.   gpg_err_code_t err;
    84. 

  84.   unsigned int nbits;
    85. 

  85.   unsigned int nbytes;
    86. 

  86.   gcry_mpi_t mpi_k = NULL;
    87. 

  87.   mpi_ec_t ec = NULL;
    88. 

  88.   mpi_point_struct Q = { NULL, NULL, NULL };
    89. 

  89.   gcry_mpi_t x;
    90. 

  90.   unsigned int len;
    91. 

  91.   unsigned char *buf;
    92. 

  92. 

  93.   err = prepare_ec (&ec, curve);
    94. 

  94.   if (err)
    95. 

  95.     return err;
    96. 

  96. 

  97.   nbits = ec->nbits;
    98. 

  98.   nbytes = (nbits + 7)/8;
    99. 

  99. 

  100.   if (seckey_len != nbytes)
    101. 

  101.     return GPG_ERR_INV_ARG;
    102. 

  102. 

  103.   if (ec->model == MPI_EC_WEIERSTRASS)
    104. 

  104.     {
    105. 

  105.       if (pubkey_len != 1 + 2*nbytes)
    106. 

  106.         return GPG_ERR_INV_ARG;
    107. 

  107. 

  108.       do
    109. 

  109.         {
    110. 

  110.           mpi_free (mpi_k);
    111. 

  111.           mpi_k = mpi_new (nbytes*8);
    112. 

  112.           _gcry_randomize (seckey, nbytes, GCRY_STRONG_RANDOM);
    113. 

  113.           _gcry_mpi_set_buffer (mpi_k, seckey, nbytes, 0);
    114. 

  114.         }
    115. 

  115.       while (mpi_cmp (mpi_k, ec->n) >= 0);
    116. 

  116.     }
    117. 

  117.   else if (ec->model == MPI_EC_MONTGOMERY)
    118. 

  118.     {
    119. 

  119.       if (pubkey_len != nbytes)
    120. 

  120.         return GPG_ERR_INV_ARG;
    121. 

  121. 

  122.       _gcry_randomize (seckey, nbytes, GCRY_STRONG_RANDOM);
    123. 

  123.       /* Existing ECC applications with libgcrypt (like gpg-agent in
    124. 

  124.          GnuPG) assumes that scalar is tweaked at key generation time.
    125. 

  125.          For the possible use case where generated key with this routine
    126. 

  126.          may be used with those, we put compatibile behavior here.  */
    127. 

  127.       ecc_tweak_bits (seckey, nbytes);
    128. 

  128.       mpi_k = _gcry_mpi_set_opaque_copy (NULL, seckey, nbytes*8);
    129. 

  129.     }
    130. 

  130.   else
    131. 

  131.     return GPG_ERR_UNKNOWN_CURVE;
    132. 

  132. 

  133.   x = mpi_new (nbits);
    134. 

  134.   point_init (&Q);
    135. 

  135. 

  136.   _gcry_mpi_ec_mul_point (&Q, mpi_k, ec->G, ec);
    137. 

  137. 

  138.   if (ec->model == MPI_EC_WEIERSTRASS)
    139. 

  139.     {
    140. 

  140.       gcry_mpi_t y = mpi_new (nbits);
    141. 

  141.       gcry_mpi_t negative = mpi_new (nbits);
    142. 

  142. 

  143.       _gcry_mpi_ec_get_affine (x, y, &Q, ec);
    144. 

  144.       /* For the backward compatibility, we check if it's a
    145. 

  145.          "compliant key".  */
    146. 

  146. 

  147.       mpi_sub (negative, ec->p, y);
    148. 

  148.       if (mpi_cmp (negative, y) < 0)   /* p - y < p */
    149. 

  149.         {
    150. 

  150.           mpi_free (y);
    151. 

  151.           y = negative;
    152. 

  152.           mpi_sub (mpi_k, ec->n, mpi_k);
    153. 

  153.           buf = _gcry_mpi_get_buffer (mpi_k, 0, &len, NULL);
    154. 

  154.           memset (seckey, 0, nbytes - len);
    155. 

  155.           memcpy (seckey + nbytes - len, buf, len);
    156. 

  156.         }
    157. 

  157.       else /* p - y >= p */
    158. 

  158.         mpi_free (negative);
    159. 

  159. 

  160.       buf = _gcry_ecc_ec2os_buf (x, y, ec->p, &len);
    161. 

  161.       if (!buf)
    162. 

  162.         {
    163. 

  163.           err = gpg_err_code_from_syserror ();
    164. 

  164.           mpi_free (y);
    165. 

  165.         }
    166. 

  166.       else
    167. 

  167.         {
    168. 

  168.           if (len != 1 + 2*nbytes)
    169. 

  169.             {
    170. 

  170.               err = GPG_ERR_INV_ARG;
    171. 

  171.               mpi_free (y);
    172. 

  172.             }
    173. 

  173.           else
    174. 

  174.             {
    175. 

  175.               /* (x,y) in SEC1 point encoding.  */
    176. 

  176.               memcpy (pubkey, buf, len);
    177. 

  177.               xfree (buf);
    178. 

  178.               mpi_free (y);
    179. 

  179.             }
    180. 

  180.         }
    181. 

  181.     }
    182. 

  182.   else /* MPI_EC_MONTGOMERY */
    183. 

  183.     {
    184. 

  184.       _gcry_mpi_ec_get_affine (x, NULL, &Q, ec);
    185. 

  185. 

  186.       buf = _gcry_mpi_get_buffer (x, nbytes, &len, NULL);
    187. 

  187.       if (!buf)
    188. 

  188.         err = gpg_err_code_from_syserror ();
    189. 

  189.       else
    190. 

  190.         {
    191. 

  191.           memcpy (pubkey, buf, nbytes);
    192. 

  192.           xfree (buf);
    193. 

  193.         }
    194. 

  194.     }
    195. 

  195. 

  196.   mpi_free (x);
    197. 

  197.   point_free (&Q);
    198. 

  198.   mpi_free (mpi_k);
    199. 

  199.   _gcry_mpi_ec_free (ec);
    200. 

  200.   return err;
    201. 

  201. }
    202. 

  202. 

  203. gpg_err_code_t
    204. 

  204. _gcry_ecc_curve_mul_point (const char *curve,
    205. 

  205.                            unsigned char *result, size_t result_len,
    206. 

  206.                            const unsigned char *scalar, size_t scalar_len,
    207. 

  207.                            const unsigned char *point, size_t point_len)
    208. 

  208. {
    209. 

  209.   unsigned int nbits;
    210. 

  210.   unsigned int nbytes;
    211. 

  211.   gpg_err_code_t err;
    212. 

  212.   gcry_mpi_t mpi_k = NULL;
    213. 

  213.   mpi_ec_t ec = NULL;
    214. 

  214.   mpi_point_struct Q = { NULL, NULL, NULL };
    215. 

  215.   gcry_mpi_t x = NULL;
    216. 

  216.   unsigned int len;
    217. 

  217.   unsigned char *buf;
    218. 

  218. 

  219.   err = prepare_ec (&ec, curve);
    220. 

  220.   if (err)
    221. 

  221.     return err;
    222. 

  222. 

  223.   nbits = ec->nbits;
    224. 

  224.   nbytes = (nbits + 7)/8;
    225. 

  225. 

  226.   if (ec->model == MPI_EC_WEIERSTRASS)
    227. 

  227.     {
    228. 

  228.       if (scalar_len != nbytes
    229. 

  229.           || result_len != 1 + 2*nbytes
    230. 

  230.           || point_len != 1 + 2*nbytes)
    231. 

  231.         {
    232. 

  232.           err = GPG_ERR_INV_ARG;
    233. 

  233.           goto leave;
    234. 

  234.         }
    235. 

  235. 

  236.       mpi_k = mpi_new (nbytes*8);
    237. 

  237.       _gcry_mpi_set_buffer (mpi_k, scalar, nbytes, 0);
    238. 

  238.     }
    239. 

  239.   else if (ec->model == MPI_EC_MONTGOMERY)
    240. 

  240.     {
    241. 

  241.       if (scalar_len != nbytes
    242. 

  242.           || result_len != nbytes
    243. 

  243.           || point_len != nbytes)
    244. 

  244.         {
    245. 

  245.           err = GPG_ERR_INV_ARG;
    246. 

  246.           goto leave;
    247. 

  247.         }
    248. 

  248. 

  249.       mpi_k = _gcry_mpi_set_opaque_copy (NULL, scalar, nbytes*8);
    250. 

  250.     }
    251. 

  251.   else
    252. 

  252.     {
    253. 

  253.       err = GPG_ERR_UNKNOWN_CURVE;
    254. 

  254.       goto leave;
    255. 

  255.     }
    256. 

  256. 

  257.   point_init (&Q);
    258. 

  258. 

  259.   if (point)
    260. 

  260.     {
    261. 

  261.       gcry_mpi_t mpi_u = _gcry_mpi_set_opaque_copy (NULL, point, point_len*8);
    262. 

  262.       mpi_point_struct P;
    263. 

  263. 

  264.       point_init (&P);
    265. 

  265.       if (ec->model == MPI_EC_WEIERSTRASS)
    266. 

  266.         err = _gcry_ecc_sec_decodepoint (mpi_u, ec, &P);
    267. 

  267.       else /* MPI_EC_MONTGOMERY */
    268. 

  268.         err = _gcry_ecc_mont_decodepoint (mpi_u, ec, &P);
    269. 

  269.       mpi_free (mpi_u);
    270. 

  270.       if (err)
    271. 

  271.         goto leave;
    272. 

  272.       _gcry_mpi_ec_mul_point (&Q, mpi_k, &P, ec);
    273. 

  273.       point_free (&P);
    274. 

  274.     }
    275. 

  275.   else
    276. 

  276.     _gcry_mpi_ec_mul_point (&Q, mpi_k, ec->G, ec);
    277. 

  277. 

  278.   x = mpi_new (nbits);
    279. 

  279.   if (ec->model == MPI_EC_WEIERSTRASS)
    280. 

  280.     {
    281. 

  281.       gcry_mpi_t y = mpi_new (nbits);
    282. 

  282. 

  283.       _gcry_mpi_ec_get_affine (x, y, &Q, ec);
    284. 

  284. 

  285.       buf = _gcry_ecc_ec2os_buf (x, y, ec->p, &len);
    286. 

  286.       if (!buf)
    287. 

  287.         {
    288. 

  288.           err = gpg_err_code_from_syserror ();
    289. 

  289.           mpi_free (y);
    290. 

  290.         }
    291. 

  291.       else
    292. 

  292.         {
    293. 

  293.           if (len != 1 + 2*nbytes)
    294. 

  294.             {
    295. 

  295.               err = GPG_ERR_INV_ARG;
    296. 

  296.               mpi_free (y);
    297. 

  297.             }
    298. 

  298.           else
    299. 

  299.             {
    300. 

  300.               /* (x,y) in SEC1 point encoding.  */
    301. 

  301.               memcpy (result, buf, len);
    302. 

  302.               xfree (buf);
    303. 

  303.               mpi_free (y);
    304. 

  304.             }
    305. 

  305.         }
    306. 

  306.     }
    307. 

  307.   else                          /* MPI_EC_MONTGOMERY */
    308. 

  308.     {
    309. 

  309.       _gcry_mpi_ec_get_affine (x, NULL, &Q, ec);
    310. 

  310.       buf = _gcry_mpi_get_buffer (x, nbytes, &len, NULL);
    311. 

  311.       if (!buf)
    312. 

  312.         err = gpg_err_code_from_syserror ();
    313. 

  313.       else
    314. 

  314.         {
    315. 

  315.           if (len != nbytes)
    316. 

  316.             err = GPG_ERR_INV_ARG;
    317. 

  317.           else
    318. 

  318.             {
    319. 

  319.               /* x in little endian.  */
    320. 

  320.               memcpy (result, buf, nbytes);
    321. 

  321.               xfree (buf);
    322. 

  322.             }
    323. 

  323.         }
    324. 

  324.     }
    325. 

  325.   mpi_free (x);
    326. 

  326. 

  327.  leave:
    328. 

  328.   point_free (&Q);
    329. 

  329.   mpi_free (mpi_k);
    330. 

  330.   _gcry_mpi_ec_free (ec);
    331. 

  331.   return err;
    332. 

  332. }
    333. 

  333. 

  334. gpg_err_code_t
    335. 

  335. _gcry_ecc_mul_point (int curveid, unsigned char *result,
    336. 

  336.                      const unsigned char *scalar, const unsigned char *point)
    337. 

  337. {
    338. 

  338.   const char *curve;
    339. 

  339.   size_t pubkey_len, seckey_len;
    340. 

  340. 

  341.   if (curveid == GCRY_ECC_CURVE25519)
    342. 

  342.     {
    343. 

  343.       curve = "Curve25519";
    344. 

  344.       pubkey_len = seckey_len = 32;
    345. 

  345.     }
    346. 

  346.   else if (curveid == GCRY_ECC_CURVE448)
    347. 

  347.     {
    348. 

  348.       curve = "X448";
    349. 

  349.       pubkey_len = seckey_len = 56;
    350. 

  350.     }
    351. 

  351.   else
    352. 

  352.     return gpg_error (GPG_ERR_UNKNOWN_CURVE);
    353. 

  353. 

  354.   return _gcry_ecc_curve_mul_point (curve, result, pubkey_len,
    355. 

  355.                                     scalar, seckey_len,
    356. 

  356.                                     point, pubkey_len);
    357. 

  357. }
    358. 

  358.