462ddce5b2
This removes a bunch of weird code around the counter overflow check in concatKDF and makes it actually work for different hash output sizes. The overflow check worked as follows: concatKDF applies the hash function N times, where N is roundup(kdLen, hashsize) / hashsize. N should not overflow 32 bits because that would lead to a repetition in the KDF output. A couple issues with the overflow check: - It used the hash.BlockSize, which is wrong because the block size is about the input of the hash function. Luckily, all standard hash functions have a block size that's greater than the output size, so concatKDF didn't crash, it just generated too much key material. - The check used big.Int to compare against 2^32-1. - The calculation could still overflow before reaching the check. The new code in concatKDF doesn't check for overflow. Instead, there is a new check on ECIESParams which ensures that params.KeyLen is < 512. This removes any possibility of overflow. There are a couple of miscellaneous improvements bundled in with this change: - The key buffer is pre-allocated instead of appending the hash output to an initially empty slice. - The code that uses concatKDF to derive keys is now shared between Encrypt and Decrypt. - There was a redundant invocation of IsOnCurve in Decrypt. This is now removed because elliptic.Unmarshal already checks whether the input is a valid curve point since Go 1.5. Co-authored-by: Felix Lange <fjl@twurst.com>
137 lines
4.4 KiB
Go
137 lines
4.4 KiB
Go
// Copyright (c) 2013 Kyle Isom <kyle@tyrfingr.is>
|
|
// Copyright (c) 2012 The Go Authors. All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are
|
|
// met:
|
|
//
|
|
// * Redistributions of source code must retain the above copyright
|
|
// notice, this list of conditions and the following disclaimer.
|
|
// * Redistributions in binary form must reproduce the above
|
|
// copyright notice, this list of conditions and the following disclaimer
|
|
// in the documentation and/or other materials provided with the
|
|
// distribution.
|
|
// * Neither the name of Google Inc. nor the names of its
|
|
// contributors may be used to endorse or promote products derived from
|
|
// this software without specific prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
package ecies
|
|
|
|
// This file contains parameters for ECIES encryption, specifying the
|
|
// symmetric encryption and HMAC parameters.
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/elliptic"
|
|
"crypto/sha256"
|
|
"crypto/sha512"
|
|
"fmt"
|
|
"hash"
|
|
|
|
ethcrypto "github.com/ethereum/go-ethereum/crypto"
|
|
)
|
|
|
|
var (
|
|
DefaultCurve = ethcrypto.S256()
|
|
ErrUnsupportedECDHAlgorithm = fmt.Errorf("ecies: unsupported ECDH algorithm")
|
|
ErrUnsupportedECIESParameters = fmt.Errorf("ecies: unsupported ECIES parameters")
|
|
ErrInvalidKeyLen = fmt.Errorf("ecies: invalid key size (> %d) in ECIESParams", maxKeyLen)
|
|
)
|
|
|
|
// KeyLen is limited to prevent overflow of the counter
|
|
// in concatKDF. While the theoretical limit is much higher,
|
|
// no known cipher uses keys larger than 512 bytes.
|
|
const maxKeyLen = 512
|
|
|
|
type ECIESParams struct {
|
|
Hash func() hash.Hash // hash function
|
|
hashAlgo crypto.Hash
|
|
Cipher func([]byte) (cipher.Block, error) // symmetric cipher
|
|
BlockSize int // block size of symmetric cipher
|
|
KeyLen int // length of symmetric key
|
|
}
|
|
|
|
// Standard ECIES parameters:
|
|
// * ECIES using AES128 and HMAC-SHA-256-16
|
|
// * ECIES using AES256 and HMAC-SHA-256-32
|
|
// * ECIES using AES256 and HMAC-SHA-384-48
|
|
// * ECIES using AES256 and HMAC-SHA-512-64
|
|
|
|
var (
|
|
ECIES_AES128_SHA256 = &ECIESParams{
|
|
Hash: sha256.New,
|
|
hashAlgo: crypto.SHA256,
|
|
Cipher: aes.NewCipher,
|
|
BlockSize: aes.BlockSize,
|
|
KeyLen: 16,
|
|
}
|
|
|
|
ECIES_AES256_SHA256 = &ECIESParams{
|
|
Hash: sha256.New,
|
|
hashAlgo: crypto.SHA256,
|
|
Cipher: aes.NewCipher,
|
|
BlockSize: aes.BlockSize,
|
|
KeyLen: 32,
|
|
}
|
|
|
|
ECIES_AES256_SHA384 = &ECIESParams{
|
|
Hash: sha512.New384,
|
|
hashAlgo: crypto.SHA384,
|
|
Cipher: aes.NewCipher,
|
|
BlockSize: aes.BlockSize,
|
|
KeyLen: 32,
|
|
}
|
|
|
|
ECIES_AES256_SHA512 = &ECIESParams{
|
|
Hash: sha512.New,
|
|
hashAlgo: crypto.SHA512,
|
|
Cipher: aes.NewCipher,
|
|
BlockSize: aes.BlockSize,
|
|
KeyLen: 32,
|
|
}
|
|
)
|
|
|
|
var paramsFromCurve = map[elliptic.Curve]*ECIESParams{
|
|
ethcrypto.S256(): ECIES_AES128_SHA256,
|
|
elliptic.P256(): ECIES_AES128_SHA256,
|
|
elliptic.P384(): ECIES_AES256_SHA384,
|
|
elliptic.P521(): ECIES_AES256_SHA512,
|
|
}
|
|
|
|
func AddParamsForCurve(curve elliptic.Curve, params *ECIESParams) {
|
|
paramsFromCurve[curve] = params
|
|
}
|
|
|
|
// ParamsFromCurve selects parameters optimal for the selected elliptic curve.
|
|
// Only the curves P256, P384, and P512 are supported.
|
|
func ParamsFromCurve(curve elliptic.Curve) (params *ECIESParams) {
|
|
return paramsFromCurve[curve]
|
|
}
|
|
|
|
func pubkeyParams(key *PublicKey) (*ECIESParams, error) {
|
|
params := key.Params
|
|
if params == nil {
|
|
if params = ParamsFromCurve(key.Curve); params == nil {
|
|
return nil, ErrUnsupportedECIESParameters
|
|
}
|
|
}
|
|
if params.KeyLen > maxKeyLen {
|
|
return nil, ErrInvalidKeyLen
|
|
}
|
|
return params, nil
|
|
}
|