317 lines
8 KiB
Go
Vendored
317 lines
8 KiB
Go
Vendored
package ecdh
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto"
|
|
"crypto/aes"
|
|
"crypto/elliptic"
|
|
"encoding/binary"
|
|
"errors"
|
|
"github.com/keybase/go-crypto/curve25519"
|
|
"io"
|
|
"math/big"
|
|
)
|
|
|
|
type PublicKey struct {
|
|
elliptic.Curve
|
|
X, Y *big.Int
|
|
}
|
|
|
|
type PrivateKey struct {
|
|
PublicKey
|
|
X *big.Int
|
|
}
|
|
|
|
// KDF implements Key Derivation Function as described in
|
|
// https://tools.ietf.org/html/rfc6637#section-7
|
|
func (e *PublicKey) KDF(S []byte, kdfParams []byte, hash crypto.Hash) []byte {
|
|
sLen := (e.Curve.Params().P.BitLen() + 7) / 8
|
|
buf := new(bytes.Buffer)
|
|
buf.Write([]byte{0, 0, 0, 1})
|
|
if sLen > len(S) {
|
|
// zero-pad the S. If we got invalid S (bigger than curve's
|
|
// P), we are going to produce invalid key. Garbage in,
|
|
// garbage out.
|
|
buf.Write(make([]byte, sLen-len(S)))
|
|
}
|
|
buf.Write(S)
|
|
buf.Write(kdfParams)
|
|
|
|
hashw := hash.New()
|
|
|
|
hashw.Write(buf.Bytes())
|
|
key := hashw.Sum(nil)
|
|
|
|
return key
|
|
}
|
|
|
|
// AESKeyUnwrap implements RFC 3394 Key Unwrapping. See
|
|
// http://tools.ietf.org/html/rfc3394#section-2.2.1
|
|
// Note: The second described algorithm ("index-based") is implemented
|
|
// here.
|
|
func AESKeyUnwrap(key, cipherText []byte) ([]byte, error) {
|
|
if len(cipherText)%8 != 0 {
|
|
return nil, errors.New("cipherText must by a multiple of 64 bits")
|
|
}
|
|
|
|
cipher, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
nblocks := len(cipherText)/8 - 1
|
|
|
|
// 1) Initialize variables.
|
|
// - Set A = C[0]
|
|
var A [aes.BlockSize]byte
|
|
copy(A[:8], cipherText[:8])
|
|
|
|
// For i = 1 to n
|
|
// Set R[i] = C[i]
|
|
R := make([]byte, len(cipherText)-8)
|
|
copy(R, cipherText[8:])
|
|
|
|
// 2) Compute intermediate values.
|
|
for j := 5; j >= 0; j-- {
|
|
for i := nblocks - 1; i >= 0; i-- {
|
|
// B = AES-1(K, (A ^ t) | R[i]) where t = n*j+i
|
|
// A = MSB(64, B)
|
|
t := uint64(nblocks*j + i + 1)
|
|
At := binary.BigEndian.Uint64(A[:8]) ^ t
|
|
binary.BigEndian.PutUint64(A[:8], At)
|
|
|
|
copy(A[8:], R[i*8:i*8+8])
|
|
cipher.Decrypt(A[:], A[:])
|
|
|
|
// R[i] = LSB(B, 64)
|
|
copy(R[i*8:i*8+8], A[8:])
|
|
}
|
|
}
|
|
|
|
// 3) Output results.
|
|
// If A is an appropriate initial value (see 2.2.3),
|
|
for i := 0; i < 8; i++ {
|
|
if A[i] != 0xA6 {
|
|
return nil, errors.New("Failed to unwrap key (A is not IV)")
|
|
}
|
|
}
|
|
|
|
return R, nil
|
|
}
|
|
|
|
// AESKeyWrap implements RFC 3394 Key Wrapping. See
|
|
// https://tools.ietf.org/html/rfc3394#section-2.2.2
|
|
// Note: The second described algorithm ("index-based") is implemented
|
|
// here.
|
|
func AESKeyWrap(key, plainText []byte) ([]byte, error) {
|
|
if len(plainText)%8 != 0 {
|
|
return nil, errors.New("plainText must be a multiple of 64 bits")
|
|
}
|
|
|
|
cipher, err := aes.NewCipher(key) // NewCipher checks key size
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
nblocks := len(plainText) / 8
|
|
|
|
// 1) Initialize variables.
|
|
var A [aes.BlockSize]byte
|
|
// Section 2.2.3.1 -- Initial Value
|
|
// http://tools.ietf.org/html/rfc3394#section-2.2.3.1
|
|
for i := 0; i < 8; i++ {
|
|
A[i] = 0xA6
|
|
}
|
|
|
|
// For i = 1 to n
|
|
// Set R[i] = P[i]
|
|
R := make([]byte, len(plainText))
|
|
copy(R, plainText)
|
|
|
|
// 2) Calculate intermediate values.
|
|
for j := 0; j <= 5; j++ {
|
|
for i := 0; i < nblocks; i++ {
|
|
// B = AES(K, A | R[i])
|
|
copy(A[8:], R[i*8:i*8+8])
|
|
cipher.Encrypt(A[:], A[:])
|
|
|
|
// (Assume B = A)
|
|
// A = MSB(64, B) ^ t where t = (n*j)+1
|
|
t := uint64(j*nblocks + i + 1)
|
|
At := binary.BigEndian.Uint64(A[:8]) ^ t
|
|
binary.BigEndian.PutUint64(A[:8], At)
|
|
|
|
// R[i] = LSB(64, B)
|
|
copy(R[i*8:i*8+8], A[8:])
|
|
}
|
|
}
|
|
|
|
// 3) Output results.
|
|
// Set C[0] = A
|
|
// For i = 1 to n
|
|
// C[i] = R[i]
|
|
return append(A[:8], R...), nil
|
|
}
|
|
|
|
// PadBuffer pads byte buffer buf to a length being multiple of
|
|
// blockLen. Additional bytes appended to the buffer have value of the
|
|
// number padded bytes. E.g. if the buffer is 3 bytes short of being
|
|
// 40 bytes total, the appended bytes will be [03, 03, 03].
|
|
func PadBuffer(buf []byte, blockLen int) []byte {
|
|
padding := blockLen - (len(buf) % blockLen)
|
|
if padding == 0 {
|
|
return buf
|
|
}
|
|
|
|
padBuf := make([]byte, padding)
|
|
for i := 0; i < padding; i++ {
|
|
padBuf[i] = byte(padding)
|
|
}
|
|
|
|
return append(buf, padBuf...)
|
|
}
|
|
|
|
// UnpadBuffer verifies that buffer contains proper padding and
|
|
// returns buffer without the padding, or nil if the padding was
|
|
// invalid.
|
|
func UnpadBuffer(buf []byte, dataLen int) []byte {
|
|
padding := len(buf) - dataLen
|
|
outBuf := buf[:dataLen]
|
|
|
|
for i := dataLen; i < len(buf); i++ {
|
|
if buf[i] != byte(padding) {
|
|
// Invalid padding - bail out
|
|
return nil
|
|
}
|
|
}
|
|
|
|
return outBuf
|
|
}
|
|
|
|
func (e *PublicKey) Encrypt(random io.Reader, kdfParams []byte, plain []byte, hash crypto.Hash, kdfKeySize int) (Vx *big.Int, Vy *big.Int, C []byte, err error) {
|
|
// Vx, Vy - encryption key
|
|
|
|
// Note for Curve 25519 - curve25519 library already does key
|
|
// clamping in scalarMult, so we can use generic random scalar
|
|
// generation from elliptic.
|
|
priv, Vx, Vy, err := elliptic.GenerateKey(e.Curve, random)
|
|
if err != nil {
|
|
return nil, nil, nil, err
|
|
}
|
|
|
|
// Sx, Sy - shared secret
|
|
Sx, _ := e.Curve.ScalarMult(e.X, e.Y, priv)
|
|
|
|
// Encrypt the payload with KDF-ed S as the encryption key. Pass
|
|
// the ciphertext along with V to the recipient. Recipient can
|
|
// generate S using V and their priv key, and then KDF(S), on
|
|
// their own, to get encryption key and decrypt the ciphertext,
|
|
// revealing encryption key for symmetric encryption later.
|
|
|
|
plain = PadBuffer(plain, 8)
|
|
key := e.KDF(Sx.Bytes(), kdfParams, hash)
|
|
|
|
// Take only as many bytes from key as the key length (the hash
|
|
// result might be bigger)
|
|
encrypted, err := AESKeyWrap(key[:kdfKeySize], plain)
|
|
|
|
return Vx, Vy, encrypted, nil
|
|
}
|
|
|
|
func (e *PrivateKey) DecryptShared(X, Y *big.Int) []byte {
|
|
Sx, _ := e.Curve.ScalarMult(X, Y, e.X.Bytes())
|
|
return Sx.Bytes()
|
|
}
|
|
|
|
func countBits(buffer []byte) int {
|
|
var headerLen int
|
|
switch buffer[0] {
|
|
case 0x4:
|
|
headerLen = 3
|
|
case 0x40:
|
|
headerLen = 7
|
|
default:
|
|
// Unexpected header - but we can still count the bits.
|
|
val := buffer[0]
|
|
headerLen = 0
|
|
for val > 0 {
|
|
val = val / 2
|
|
headerLen++
|
|
}
|
|
}
|
|
|
|
return headerLen + (len(buffer)-1)*8
|
|
}
|
|
|
|
// elliptic.Marshal and elliptic.Unmarshal only marshals uncompressed
|
|
// 0x4 MPI types. These functions will check if the curve is cv25519,
|
|
// and if so, use 0x40 compressed type to (un)marshal. Otherwise,
|
|
// elliptic.(Un)marshal will be called.
|
|
|
|
// Marshal encodes point into either 0x4 uncompressed point form, or
|
|
// 0x40 compressed point for Curve 25519.
|
|
func Marshal(curve elliptic.Curve, x, y *big.Int) (buf []byte, bitSize int) {
|
|
// NOTE: Read more about MPI encoding in the RFC:
|
|
// https://tools.ietf.org/html/rfc4880#section-3.2
|
|
|
|
// We are required to encode size in bits, counting from the most-
|
|
// significant non-zero bit. So assuming that the buffer never
|
|
// starts with 0x00, we only need to count bits in the first byte
|
|
// - and in current implentation it will always be 0x4 or 0x40.
|
|
|
|
cv, ok := curve25519.ToCurve25519(curve)
|
|
if ok {
|
|
buf = cv.MarshalType40(x, y)
|
|
} else {
|
|
buf = elliptic.Marshal(curve, x, y)
|
|
}
|
|
|
|
return buf, countBits(buf)
|
|
}
|
|
|
|
// Unmarshal converts point, serialized by Marshal, into x, y pair.
|
|
// For 0x40 compressed points (for Curve 25519), y will always be 0.
|
|
// It is an error if point is not on the curve, On error, x = nil.
|
|
func Unmarshal(curve elliptic.Curve, data []byte) (x, y *big.Int) {
|
|
cv, ok := curve25519.ToCurve25519(curve)
|
|
if ok {
|
|
return cv.UnmarshalType40(data)
|
|
}
|
|
|
|
return elliptic.Unmarshal(curve, data)
|
|
}
|
|
|
|
func GenerateKey(curve elliptic.Curve, random io.Reader) (priv *PrivateKey, err error) {
|
|
var privBytes []byte
|
|
var Vx, Vy *big.Int
|
|
|
|
if _, ok := curve25519.ToCurve25519(curve); ok {
|
|
privBytes = make([]byte, 32)
|
|
_, err = io.ReadFull(random, privBytes)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
// NOTE: PGP expect scalars in reverse order than Curve 25519
|
|
// go library. That's why this trimming is backwards compared
|
|
// to curve25519.go
|
|
privBytes[31] &= 248
|
|
privBytes[0] &= 127
|
|
privBytes[0] |= 64
|
|
|
|
Vx,Vy = curve.ScalarBaseMult(privBytes)
|
|
} else {
|
|
privBytes, Vx, Vy, err = elliptic.GenerateKey(curve, random)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
}
|
|
|
|
priv = &PrivateKey{}
|
|
priv.X = new(big.Int).SetBytes(privBytes)
|
|
priv.PublicKey.Curve = curve
|
|
priv.PublicKey.X = Vx
|
|
priv.PublicKey.Y = Vy
|
|
return priv, nil
|
|
}
|