1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
|
/* Copyright 2016 The Chromium OS Authors. All rights reserved.
* Use of this source code is governed by a BSD-style license that can be
* found in the LICENSE file.
*/
#include "internal.h"
#include "dcrypto.h"
#include "trng.h"
#include "util.h"
#include "cryptoc/p256.h"
#include "cryptoc/sha256.h"
#define AES_KEY_BYTES 16
#define HMAC_KEY_BYTES 32
#define AES_BLOCK_BYTES 16
/* P256 based hybrid encryption. The output format is:
*
* 0x04 || PUBKEY || AUTH_DATA || AES128_CTR(PLAINTEXT) ||
* HMAC_SHA256(AUTH_DATA || CIPHERTEXT)
*/
size_t DCRYPTO_ecies_encrypt(
void *out, size_t out_len, const void *in, size_t in_len,
size_t auth_data_len, const uint8_t *iv,
const p256_int *pub_x, const p256_int *pub_y,
const uint8_t *salt, size_t salt_len,
const uint8_t *info, size_t info_len)
{
p256_int eph_d;
p256_int eph_x;
p256_int eph_y;
uint8_t seed[P256_NBYTES];
p256_int secret_x;
p256_int secret_y;
/* Key bytes to be extracted from HKDF. */
uint8_t key[AES_KEY_BYTES + HMAC_KEY_BYTES];
const uint8_t *aes_key;
const uint8_t *hmac_key;
LITE_HMAC_CTX ctx;
uint8_t *outp = out;
uint8_t *ciphertext;
if (auth_data_len > in_len)
return 0;
if (out_len < 1 + P256_NBYTES + P256_NBYTES +
in_len + SHA256_DIGEST_SIZE)
return 0;
/* Generate emphemeral EC key. */
rand_bytes(seed, sizeof(seed));
if (!DCRYPTO_p256_key_from_bytes(&eph_x, &eph_y, &eph_d, seed))
return 0;
/* Compute DH point. */
if (!DCRYPTO_p256_point_mul(&secret_x, &secret_y,
&eph_d, pub_x, pub_y))
return 0;
/* Check for computational errors. */
if (!dcrypto_p256_is_valid_point(&secret_x, &secret_y))
return 0;
/* Convert secret to big-endian. */
reverse(&secret_x, sizeof(secret_x));
/* Derive shared secret. */
if (!DCRYPTO_hkdf(key, sizeof(key), salt, salt_len,
(uint8_t *) &secret_x, sizeof(secret_x),
info, info_len))
return 0;
aes_key = &key[0];
hmac_key = &key[AES_KEY_BYTES];
if (out == in)
ciphertext = out + auth_data_len; /* In place encrypt. */
else
ciphertext = out + 1 + P256_NBYTES + P256_NBYTES +
auth_data_len;
/* Compute ciphertext. */
if (!DCRYPTO_aes_ctr(ciphertext, aes_key, AES_KEY_BYTES * 8, iv,
in + auth_data_len, in_len - auth_data_len))
return 0;
/* Write out auth_data / ciphertext. */
outp = out + 1 + P256_NBYTES + P256_NBYTES;
if (out == in)
memmove(outp, in, in_len);
else
memcpy(outp, in, auth_data_len);
/* Write out ephemeral pub key. */
outp = out;
*outp++ = 0x04; /* uncompressed EC public key. */
p256_to_bin(&eph_x, outp);
outp += P256_NBYTES;
p256_to_bin(&eph_y, outp);
outp += P256_NBYTES;
/* Calculate HMAC(auth_data || ciphertext). */
DCRYPTO_HMAC_SHA256_init(&ctx, hmac_key, HMAC_KEY_BYTES);
HASH_update(&ctx.hash, outp, in_len);
outp += in_len;
memcpy(outp, DCRYPTO_HMAC_final(&ctx), SHA256_DIGEST_SIZE);
outp += SHA256_DIGEST_SIZE;
return outp - (uint8_t *) out;
}
size_t DCRYPTO_ecies_decrypt(
void *out, size_t out_len, const void *in, size_t in_len,
size_t auth_data_len, const uint8_t *iv,
const p256_int *d,
const uint8_t *salt, size_t salt_len,
const uint8_t *info, size_t info_len)
{
p256_int eph_x;
p256_int eph_y;
p256_int secret_x;
p256_int secret_y;
uint8_t key[AES_KEY_BYTES + HMAC_KEY_BYTES];
const uint8_t *aes_key;
const uint8_t *hmac_key;
LITE_HMAC_CTX ctx;
const uint8_t *inp = in;
uint8_t *outp = out;
if (in_len < 1 + P256_NBYTES + P256_NBYTES + auth_data_len +
SHA256_DIGEST_SIZE)
return 0;
if (inp[0] != 0x04)
return 0;
in_len -= 1 + P256_NBYTES + P256_NBYTES + SHA256_DIGEST_SIZE;
inp++;
p256_from_bin(inp, &eph_x);
inp += P256_NBYTES;
p256_from_bin(inp, &eph_y);
inp += P256_NBYTES;
/* Verify that the public point is on the curve. */
if (!dcrypto_p256_is_valid_point(&eph_x, &eph_y))
return 0;
/* Compute the DH point. */
if (!DCRYPTO_p256_point_mul(&secret_x, &secret_y,
d, &eph_x, &eph_y))
return 0;
/* Check for computational errors. */
if (!dcrypto_p256_is_valid_point(&secret_x, &secret_y))
return 0;
/* Convert secret to big-endian. */
reverse(&secret_x, sizeof(secret_x));
/* Derive shared secret. */
if (!DCRYPTO_hkdf(key, sizeof(key), salt, salt_len,
(uint8_t *) &secret_x, sizeof(secret_x),
info, info_len))
return 0;
aes_key = &key[0];
hmac_key = &key[AES_KEY_BYTES];
DCRYPTO_HMAC_SHA256_init(&ctx, hmac_key, HMAC_KEY_BYTES);
HASH_update(&ctx.hash, inp, in_len);
if (!DCRYPTO_equals(inp + in_len, DCRYPTO_HMAC_final(&ctx),
SHA256_DIGEST_SIZE))
return 0;
memmove(outp, inp, auth_data_len);
inp += auth_data_len;
outp += auth_data_len;
if (!DCRYPTO_aes_ctr(outp, aes_key, AES_KEY_BYTES * 8, iv,
inp, in_len - auth_data_len))
return 0;
return in_len;
}
|
