462ddce5b2
This removes a bunch of weird code around the counter overflow check in concatKDF and makes it actually work for different hash output sizes. The overflow check worked as follows: concatKDF applies the hash function N times, where N is roundup(kdLen, hashsize) / hashsize. N should not overflow 32 bits because that would lead to a repetition in the KDF output. A couple issues with the overflow check: - It used the hash.BlockSize, which is wrong because the block size is about the input of the hash function. Luckily, all standard hash functions have a block size that's greater than the output size, so concatKDF didn't crash, it just generated too much key material. - The check used big.Int to compare against 2^32-1. - The calculation could still overflow before reaching the check. The new code in concatKDF doesn't check for overflow. Instead, there is a new check on ECIESParams which ensures that params.KeyLen is < 512. This removes any possibility of overflow. There are a couple of miscellaneous improvements bundled in with this change: - The key buffer is pre-allocated instead of appending the hash output to an initially empty slice. - The code that uses concatKDF to derive keys is now shared between Encrypt and Decrypt. - There was a redundant invocation of IsOnCurve in Decrypt. This is now removed because elliptic.Unmarshal already checks whether the input is a valid curve point since Go 1.5. Co-authored-by: Felix Lange <fjl@twurst.com>
318 lines
8.8 KiB
Go
318 lines
8.8 KiB
Go
// Copyright (c) 2013 Kyle Isom <kyle@tyrfingr.is>
|
|
// Copyright (c) 2012 The Go Authors. All rights reserved.
|
|
//
|
|
// Redistribution and use in source and binary forms, with or without
|
|
// modification, are permitted provided that the following conditions are
|
|
// met:
|
|
//
|
|
// * Redistributions of source code must retain the above copyright
|
|
// notice, this list of conditions and the following disclaimer.
|
|
// * Redistributions in binary form must reproduce the above
|
|
// copyright notice, this list of conditions and the following disclaimer
|
|
// in the documentation and/or other materials provided with the
|
|
// distribution.
|
|
// * Neither the name of Google Inc. nor the names of its
|
|
// contributors may be used to endorse or promote products derived from
|
|
// this software without specific prior written permission.
|
|
//
|
|
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
|
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
|
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
|
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
|
// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
|
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
|
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
|
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
|
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
|
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
|
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
|
|
|
package ecies
|
|
|
|
import (
|
|
"crypto/cipher"
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/hmac"
|
|
"crypto/subtle"
|
|
"encoding/binary"
|
|
"fmt"
|
|
"hash"
|
|
"io"
|
|
"math/big"
|
|
)
|
|
|
|
var (
|
|
ErrImport = fmt.Errorf("ecies: failed to import key")
|
|
ErrInvalidCurve = fmt.Errorf("ecies: invalid elliptic curve")
|
|
ErrInvalidPublicKey = fmt.Errorf("ecies: invalid public key")
|
|
ErrSharedKeyIsPointAtInfinity = fmt.Errorf("ecies: shared key is point at infinity")
|
|
ErrSharedKeyTooBig = fmt.Errorf("ecies: shared key params are too big")
|
|
)
|
|
|
|
// PublicKey is a representation of an elliptic curve public key.
|
|
type PublicKey struct {
|
|
X *big.Int
|
|
Y *big.Int
|
|
elliptic.Curve
|
|
Params *ECIESParams
|
|
}
|
|
|
|
// Export an ECIES public key as an ECDSA public key.
|
|
func (pub *PublicKey) ExportECDSA() *ecdsa.PublicKey {
|
|
return &ecdsa.PublicKey{Curve: pub.Curve, X: pub.X, Y: pub.Y}
|
|
}
|
|
|
|
// Import an ECDSA public key as an ECIES public key.
|
|
func ImportECDSAPublic(pub *ecdsa.PublicKey) *PublicKey {
|
|
return &PublicKey{
|
|
X: pub.X,
|
|
Y: pub.Y,
|
|
Curve: pub.Curve,
|
|
Params: ParamsFromCurve(pub.Curve),
|
|
}
|
|
}
|
|
|
|
// PrivateKey is a representation of an elliptic curve private key.
|
|
type PrivateKey struct {
|
|
PublicKey
|
|
D *big.Int
|
|
}
|
|
|
|
// Export an ECIES private key as an ECDSA private key.
|
|
func (prv *PrivateKey) ExportECDSA() *ecdsa.PrivateKey {
|
|
pub := &prv.PublicKey
|
|
pubECDSA := pub.ExportECDSA()
|
|
return &ecdsa.PrivateKey{PublicKey: *pubECDSA, D: prv.D}
|
|
}
|
|
|
|
// Import an ECDSA private key as an ECIES private key.
|
|
func ImportECDSA(prv *ecdsa.PrivateKey) *PrivateKey {
|
|
pub := ImportECDSAPublic(&prv.PublicKey)
|
|
return &PrivateKey{*pub, prv.D}
|
|
}
|
|
|
|
// Generate an elliptic curve public / private keypair. If params is nil,
|
|
// the recommended default parameters for the key will be chosen.
|
|
func GenerateKey(rand io.Reader, curve elliptic.Curve, params *ECIESParams) (prv *PrivateKey, err error) {
|
|
pb, x, y, err := elliptic.GenerateKey(curve, rand)
|
|
if err != nil {
|
|
return
|
|
}
|
|
prv = new(PrivateKey)
|
|
prv.PublicKey.X = x
|
|
prv.PublicKey.Y = y
|
|
prv.PublicKey.Curve = curve
|
|
prv.D = new(big.Int).SetBytes(pb)
|
|
if params == nil {
|
|
params = ParamsFromCurve(curve)
|
|
}
|
|
prv.PublicKey.Params = params
|
|
return
|
|
}
|
|
|
|
// MaxSharedKeyLength returns the maximum length of the shared key the
|
|
// public key can produce.
|
|
func MaxSharedKeyLength(pub *PublicKey) int {
|
|
return (pub.Curve.Params().BitSize + 7) / 8
|
|
}
|
|
|
|
// ECDH key agreement method used to establish secret keys for encryption.
|
|
func (prv *PrivateKey) GenerateShared(pub *PublicKey, skLen, macLen int) (sk []byte, err error) {
|
|
if prv.PublicKey.Curve != pub.Curve {
|
|
return nil, ErrInvalidCurve
|
|
}
|
|
if skLen+macLen > MaxSharedKeyLength(pub) {
|
|
return nil, ErrSharedKeyTooBig
|
|
}
|
|
|
|
x, _ := pub.Curve.ScalarMult(pub.X, pub.Y, prv.D.Bytes())
|
|
if x == nil {
|
|
return nil, ErrSharedKeyIsPointAtInfinity
|
|
}
|
|
|
|
sk = make([]byte, skLen+macLen)
|
|
skBytes := x.Bytes()
|
|
copy(sk[len(sk)-len(skBytes):], skBytes)
|
|
return sk, nil
|
|
}
|
|
|
|
var (
|
|
ErrSharedTooLong = fmt.Errorf("ecies: shared secret is too long")
|
|
ErrInvalidMessage = fmt.Errorf("ecies: invalid message")
|
|
)
|
|
|
|
// NIST SP 800-56 Concatenation Key Derivation Function (see section 5.8.1).
|
|
func concatKDF(hash hash.Hash, z, s1 []byte, kdLen int) []byte {
|
|
counterBytes := make([]byte, 4)
|
|
k := make([]byte, 0, roundup(kdLen, hash.Size()))
|
|
for counter := uint32(1); len(k) < kdLen; counter++ {
|
|
binary.BigEndian.PutUint32(counterBytes, counter)
|
|
hash.Reset()
|
|
hash.Write(counterBytes)
|
|
hash.Write(z)
|
|
hash.Write(s1)
|
|
k = hash.Sum(k)
|
|
}
|
|
return k[:kdLen]
|
|
}
|
|
|
|
// roundup rounds size up to the next multiple of blocksize.
|
|
func roundup(size, blocksize int) int {
|
|
return size + blocksize - (size % blocksize)
|
|
}
|
|
|
|
// deriveKeys creates the encryption and MAC keys using concatKDF.
|
|
func deriveKeys(hash hash.Hash, z, s1 []byte, keyLen int) (Ke, Km []byte) {
|
|
K := concatKDF(hash, z, s1, 2*keyLen)
|
|
Ke = K[:keyLen]
|
|
Km = K[keyLen:]
|
|
hash.Reset()
|
|
hash.Write(Km)
|
|
Km = hash.Sum(Km[:0])
|
|
return Ke, Km
|
|
}
|
|
|
|
// messageTag computes the MAC of a message (called the tag) as per
|
|
// SEC 1, 3.5.
|
|
func messageTag(hash func() hash.Hash, km, msg, shared []byte) []byte {
|
|
mac := hmac.New(hash, km)
|
|
mac.Write(msg)
|
|
mac.Write(shared)
|
|
tag := mac.Sum(nil)
|
|
return tag
|
|
}
|
|
|
|
// Generate an initialisation vector for CTR mode.
|
|
func generateIV(params *ECIESParams, rand io.Reader) (iv []byte, err error) {
|
|
iv = make([]byte, params.BlockSize)
|
|
_, err = io.ReadFull(rand, iv)
|
|
return
|
|
}
|
|
|
|
// symEncrypt carries out CTR encryption using the block cipher specified in the
|
|
func symEncrypt(rand io.Reader, params *ECIESParams, key, m []byte) (ct []byte, err error) {
|
|
c, err := params.Cipher(key)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
iv, err := generateIV(params, rand)
|
|
if err != nil {
|
|
return
|
|
}
|
|
ctr := cipher.NewCTR(c, iv)
|
|
|
|
ct = make([]byte, len(m)+params.BlockSize)
|
|
copy(ct, iv)
|
|
ctr.XORKeyStream(ct[params.BlockSize:], m)
|
|
return
|
|
}
|
|
|
|
// symDecrypt carries out CTR decryption using the block cipher specified in
|
|
// the parameters
|
|
func symDecrypt(params *ECIESParams, key, ct []byte) (m []byte, err error) {
|
|
c, err := params.Cipher(key)
|
|
if err != nil {
|
|
return
|
|
}
|
|
|
|
ctr := cipher.NewCTR(c, ct[:params.BlockSize])
|
|
|
|
m = make([]byte, len(ct)-params.BlockSize)
|
|
ctr.XORKeyStream(m, ct[params.BlockSize:])
|
|
return
|
|
}
|
|
|
|
// Encrypt encrypts a message using ECIES as specified in SEC 1, 5.1.
|
|
//
|
|
// s1 and s2 contain shared information that is not part of the resulting
|
|
// ciphertext. s1 is fed into key derivation, s2 is fed into the MAC. If the
|
|
// shared information parameters aren't being used, they should be nil.
|
|
func Encrypt(rand io.Reader, pub *PublicKey, m, s1, s2 []byte) (ct []byte, err error) {
|
|
params, err := pubkeyParams(pub)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
R, err := GenerateKey(rand, pub.Curve, params)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
z, err := R.GenerateShared(pub, params.KeyLen, params.KeyLen)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
hash := params.Hash()
|
|
Ke, Km := deriveKeys(hash, z, s1, params.KeyLen)
|
|
|
|
em, err := symEncrypt(rand, params, Ke, m)
|
|
if err != nil || len(em) <= params.BlockSize {
|
|
return nil, err
|
|
}
|
|
|
|
d := messageTag(params.Hash, Km, em, s2)
|
|
|
|
Rb := elliptic.Marshal(pub.Curve, R.PublicKey.X, R.PublicKey.Y)
|
|
ct = make([]byte, len(Rb)+len(em)+len(d))
|
|
copy(ct, Rb)
|
|
copy(ct[len(Rb):], em)
|
|
copy(ct[len(Rb)+len(em):], d)
|
|
return ct, nil
|
|
}
|
|
|
|
// Decrypt decrypts an ECIES ciphertext.
|
|
func (prv *PrivateKey) Decrypt(c, s1, s2 []byte) (m []byte, err error) {
|
|
if len(c) == 0 {
|
|
return nil, ErrInvalidMessage
|
|
}
|
|
params, err := pubkeyParams(&prv.PublicKey)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
hash := params.Hash()
|
|
|
|
var (
|
|
rLen int
|
|
hLen int = hash.Size()
|
|
mStart int
|
|
mEnd int
|
|
)
|
|
|
|
switch c[0] {
|
|
case 2, 3, 4:
|
|
rLen = (prv.PublicKey.Curve.Params().BitSize + 7) / 4
|
|
if len(c) < (rLen + hLen + 1) {
|
|
return nil, ErrInvalidMessage
|
|
}
|
|
default:
|
|
return nil, ErrInvalidPublicKey
|
|
}
|
|
|
|
mStart = rLen
|
|
mEnd = len(c) - hLen
|
|
|
|
R := new(PublicKey)
|
|
R.Curve = prv.PublicKey.Curve
|
|
R.X, R.Y = elliptic.Unmarshal(R.Curve, c[:rLen])
|
|
if R.X == nil {
|
|
return nil, ErrInvalidPublicKey
|
|
}
|
|
|
|
z, err := prv.GenerateShared(R, params.KeyLen, params.KeyLen)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
Ke, Km := deriveKeys(hash, z, s1, params.KeyLen)
|
|
|
|
d := messageTag(params.Hash, Km, c[mStart:mEnd], s2)
|
|
if subtle.ConstantTimeCompare(c[mEnd:], d) != 1 {
|
|
return nil, ErrInvalidMessage
|
|
}
|
|
|
|
return symDecrypt(params, Ke, c[mStart:mEnd])
|
|
}
|