/** * crypto_session_init(pub, priv, nonce, mkey, encr_write, auth_write, * encr_read, auth_read): * Compute K = ${pub}^(2^258 + ${priv}), mkey = MGF1(nonce || K, 48), and * return a CRYPTO_SESSION with encryption and authentication write and read * keys constructed from HMAC(mkey, (encr|auth)_(write|read)). */ CRYPTO_SESSION * crypto_session_init(uint8_t pub[CRYPTO_DH_PUBLEN], uint8_t priv[CRYPTO_DH_PRIVLEN], uint8_t nonce[32], uint8_t mkey[48], const char * encr_write, const char * auth_write, const char * encr_read, const char * auth_read) { struct crypto_session_internal * CS; uint8_t K[CRYPTO_DH_PUBLEN]; uint8_t MGFbuf[32 + CRYPTO_DH_PUBLEN]; uint8_t aes_write[32]; uint8_t aes_read[32]; /* Compute K = 2^(xy) mod p. */ if (crypto_dh_compute(pub, priv, K)) goto err0; /* Shared key is MGF1(nonce || K, 48). */ memcpy(MGFbuf, nonce, 32); memcpy(MGFbuf + 32, K, CRYPTO_DH_PUBLEN); crypto_MGF1(MGFbuf, 32 + CRYPTO_DH_PUBLEN, mkey, 48); /* Allocate space for session key structure. */ if ((CS = malloc(sizeof(struct crypto_session_internal))) == NULL) goto err0; /* Generate raw keys. */ crypto_hash_data_key(mkey, 48, (const uint8_t *)encr_write, strlen(encr_write), aes_write); crypto_hash_data_key(mkey, 48, (const uint8_t *)auth_write, strlen(auth_write), CS->auth_write); crypto_hash_data_key(mkey, 48, (const uint8_t *)encr_read, strlen(encr_read), aes_read); crypto_hash_data_key(mkey, 48, (const uint8_t *)auth_read, strlen(auth_read), CS->auth_read); /* Expand AES keys and set up streams. */ if (AES_set_encrypt_key(aes_write, 256, &CS->encr_write)) { warn0("error in AES_set_encrypt_key"); goto err1; } if (AES_set_encrypt_key(aes_read, 256, &CS->encr_read)) { warn0("error in AES_set_encrypt_key"); goto err1; } if ((CS->encr_write_stream = crypto_aesctr_init(&CS->encr_write, 0)) == NULL) goto err1; if ((CS->encr_read_stream = crypto_aesctr_init(&CS->encr_read, 0)) == NULL) goto err2; /* Initialize parameters. */ CS->auth_write_nonce = CS->auth_read_nonce = 0; /* Success! */ return (CS); err2: crypto_aesctr_free(CS->encr_write_stream); err1: free(CS); err0: /* Failure! */ return (NULL); }
/** * crypto_rsa_sign(key, data, len, sig, siglen): * Sign the provided data with the specified key, writing the signature * into ${sig}. */ int crypto_rsa_sign(int key, const uint8_t * data, size_t len, uint8_t * sig, size_t siglen) { RSA * rsa; /* RSA key used for signing. */ uint8_t mHash[32]; uint8_t salt[32]; uint8_t Mprime[72]; uint8_t H[32]; uint8_t DB[223]; uint8_t dbMask[223]; uint8_t maskedDB[223]; uint8_t EM[256]; size_t i; /* Find the required key. */ if ((rsa = crypto_keys_lookup_RSA(key)) == NULL) goto err0; /* Make sure the key and signature buffer are the correct size. */ if (!crypto_compat_RSA_valid_size(rsa)) { warn0("RSA key is incorrect size"); goto err0; } if (siglen != 256) { warn0("Programmer error: " "signature buffer is incorrect length"); goto err0; } /* Generate mHash as specified in EMSA-PSS-ENCODE from RFC 3447. */ if (crypto_hash_data(CRYPTO_KEY_HMAC_SHA256, data, len, mHash)) { warn0("Programmer error: " "SHA256 should never fail"); goto err0; } /* Generate random salt. */ if (crypto_entropy_read(salt, 32)) { warnp("Could not obtain sufficient entropy"); goto err0; } /* Construct M'. */ memset(Mprime, 0, 8); memcpy(Mprime + 8, mHash, 32); memcpy(Mprime + 40, salt, 32); /* Construct H. */ if (crypto_hash_data(CRYPTO_KEY_HMAC_SHA256, Mprime, 72, H)) { warn0("Programmer error: " "SHA256 should never fail"); goto err0; } /* Construct DB. */ memset(DB, 0, 190); memset(DB + 190, 1, 1); memcpy(DB + 191, salt, 32); /* Construct dbMask and maskedDB. */ crypto_MGF1(H, 32, dbMask, 223); for (i = 0; i < 223; i++) maskedDB[i] = DB[i] ^ dbMask[i]; maskedDB[0] &= 0x7f; /* Construct EM. */ memcpy(EM, maskedDB, 223); memcpy(EM + 223, H, 32); memset(EM + 255, 0xbc, 1); /* Convert EM to a signature, via RSA. */ if (RSA_private_encrypt(256, EM, sig, rsa, RSA_NO_PADDING) != 256) { warn0("%s", ERR_error_string(ERR_get_error(), NULL)); goto err0; } /* Success! */ return (0); err0: /* Failure! */ return (-1); }
/** * crypto_rsa_encrypt(key, data, len, out, outlen): * Encrypt the provided data with the specified key, writing the ciphertext * into ${out} (of length ${outlen}). */ int crypto_rsa_encrypt(int key, const uint8_t * data, size_t len, uint8_t * out, size_t outlen) { RSA * rsa; uint8_t lHash[32]; uint8_t DB[223]; uint8_t seed[32]; uint8_t dbMask[223]; uint8_t maskedDB[223]; uint8_t seedMask[32]; uint8_t maskedSeed[32]; uint8_t EM[256]; size_t i; /* Find the required key. */ if ((rsa = crypto_keys_lookup_RSA(key)) == NULL) goto err0; /* Make sure the key and ciphertext buffer are the correct size. */ if (!crypto_compat_RSA_valid_size(rsa)) { warn0("RSA key is incorrect size"); goto err0; } if (outlen != 256) { warn0("Programmer error: " "ciphertext buffer is incorrect length"); goto err0; } /* Make sure the input is not too long. */ if (len > 190) { warn0("Programmer error: " "input to crypto_rsa_encrypt is too long"); goto err0; } /* Construct lHash as specified in RSAES-OAEP-ENCRYPT in RFC 3447. */ if (crypto_hash_data(CRYPTO_KEY_HMAC_SHA256, NULL, 0, lHash)) { warn0("Programmer error: " "SHA256 should never fail"); goto err0; } /* Construct DB. */ memcpy(DB, lHash, 32); memset(DB + 32, 0, 190 - len); memset(DB + 222 - len, 1, 1); memcpy(DB + 223 - len, data, len); /* Generate random seed. */ if (crypto_entropy_read(seed, 32)) { warnp("Could not obtain sufficient entropy"); goto err0; } /* Construct dbMask and maskedDB. */ crypto_MGF1(seed, 32, dbMask, 223); for (i = 0; i < 223; i++) maskedDB[i] = DB[i] ^ dbMask[i]; /* Construct seedMask and maskedSeed. */ crypto_MGF1(maskedDB, 223, seedMask, 32); for (i = 0; i < 32; i++) maskedSeed[i] = seed[i] ^ seedMask[i]; /* Construct EM. */ memset(EM, 0, 1); memcpy(EM + 1, maskedSeed, 32); memcpy(EM + 33, maskedDB, 223); /* Convert EM to ciphertext, via RSA. */ if (RSA_public_encrypt(256, EM, out, rsa, RSA_NO_PADDING) != 256) { warn0("%s", ERR_error_string(ERR_get_error(), NULL)); goto err0; } /* Success! */ return (0); err0: /* Failure! */ return (-1); }
/** * crypto_rsa_decrypt(key, data, len, out, outlen): * Decrypt the provided data with the specified key, writing the ciphertext * into ${out} (of length ${outlen}). Set ${*outlen} to the length of the * plaintext, and return 0 on success, 1 if the ciphertext is invalid, or * -1 on error. */ int crypto_rsa_decrypt(int key, const uint8_t * data, size_t len, uint8_t * out, size_t * outlen) { RSA * rsa; uint8_t EM[256]; uint8_t lHash[32]; uint8_t baddata, paddingmask; uint8_t maskedSeed[32]; uint8_t maskedDB[223]; uint8_t seedMask[32]; uint8_t seed[32]; uint8_t dbMask[223]; uint8_t DB[223]; size_t msglen; size_t i; unsigned long rsaerr; /* Sanity check. */ assert(len < INT_MAX); /* Find the required key. */ if ((rsa = crypto_keys_lookup_RSA(key)) == NULL) goto err0; /* Make sure the key and ciphertext buffer are the correct size. */ if (!crypto_compat_RSA_valid_size(rsa)) { warn0("RSA key is incorrect size"); goto err0; } if (len != 256) { warn0("Programmer error: " "ciphertext buffer is incorrect length"); goto err0; } /* Make sure the plaintext buffer is large enough. */ if (*outlen < 256) { warn0("Programmer error: " "plaintext buffer is too small"); goto err0; } /* Convert the ciphertext to EM, via RSA. */ if (RSA_private_decrypt((int)len, data, EM, rsa, RSA_NO_PADDING) != 256) { /* * We can only distinguish between bad ciphertext and an * internal error in OpenSSL by looking at the error code. */ rsaerr = ERR_get_error(); if (rsaerr == RSA_R_DATA_TOO_LARGE_FOR_MODULUS) goto bad; /* Anything else is an internal error in OpenSSL. */ warn0("%s", ERR_error_string(rsaerr, NULL)); goto err0; } /* Construct lHash as specified in RSAES-OAEP-DECRYPT in RFC 3447. */ if (crypto_hash_data(CRYPTO_KEY_HMAC_SHA256, NULL, 0, lHash)) { warn0("Programmer error: " "SHA256 should never fail"); goto err0; } /* * The high byte of EM must be zero. We test this later to avoid * timing side channel attacks. */ baddata = EM[0]; /* Construct maskedSeed and maskedDB. */ memcpy(maskedSeed, EM + 1, 32); memcpy(maskedDB, EM + 33, 223); /* Construct seedMask and seed. */ crypto_MGF1(maskedDB, 223, seedMask, 32); for (i = 0; i < 32; i++) seed[i] = maskedSeed[i] ^ seedMask[i]; /* Construct dbMask and DB. */ crypto_MGF1(seed, 32, dbMask, 223); for (i = 0; i < 223; i++) DB[i] = maskedDB[i] ^ dbMask[i]; /* * The leading 32 bytes of DB must be equal to lHash. Test them all * at once, simultaneous with other tests, in order to avoid timing * side channel attacks. */ baddata = baddata | crypto_verify_bytes(DB, lHash, 32); /* * Bytes 33 -- 223 of DB must be zero bytes followed by a one byte * followed by the real data. The following code will set baddata * to a non-zero value if there are non-{0, 1} bytes which are not * separated from the start by a 1 byte. */ paddingmask = 0xff; msglen = 191; for (i = 32; i < 223; i++) { /* If we're still doing padding, DB[i] should be 0 or 1. */ baddata = baddata | (paddingmask & DB[i] & 0xfe); /* * If baddata is still 0, paddingmask is either 0xff or 0x00 * depending upon whether the current byte is padding or not. * Treating it as a signed integer and adding it to msglen * will result in msglen holding the length of the message * after the padding is removed. */ msglen += (size_t)((int8_t)(paddingmask)); /*- * If baddata is still 0, there are 3 cases: * 1. We're no longer looking at padding, and paddingmask is * 0x00, so &ing it with something won't change it. * 2. We're looking at a 0 byte of padding, paddingmask is * 0xff, and we want it to remain 0xff. * 3. We're looking at a 1 byte of padding, paddingmask is * 0xff, and we want it to become 0x00. * In all three cases, &ing the byte minus one does what we * want. */ paddingmask = paddingmask & (DB[i] - 1); } /* Once we hit the end, the padding should be over. */ baddata = baddata | paddingmask; /* Is the data bad? */ if (baddata) goto bad; /* Sanity check the message length. */ if (msglen > *outlen) { warn0("Programmer error: " "decrypted message length is insane"); goto err0; } /* Copy the message into the output buffer. */ memcpy(out, DB + 223 - msglen, msglen); *outlen = msglen; /* Success! */ return (0); bad: /* Bad signature. */ return (1); err0: /* Failure! */ return (-1); }
/** * crypto_rsa_verify(key, data, len, sig, siglen): * Verify that the provided signature matches the provided data. Return 0 * if the signature is valid, 1 if the signature is invalid, or -1 on error. */ int crypto_rsa_verify(int key, const uint8_t * data, size_t len, const uint8_t * sig, size_t siglen) { RSA * rsa; uint8_t EM[256]; uint8_t mHash[32]; uint8_t maskedDB[223]; uint8_t H[32]; uint8_t dbMask[223]; uint8_t DB[223]; uint8_t salt[32]; uint8_t Mprime[72]; uint8_t Hprime[32]; size_t i; unsigned long rsaerr; /* Sanity check. */ assert(siglen < INT_MAX); /* Find the required key. */ if ((rsa = crypto_keys_lookup_RSA(key)) == NULL) goto err0; /* Make sure the key and signature buffer are the correct size. */ if (!crypto_compat_RSA_valid_size(rsa)) { warn0("RSA key is incorrect size"); goto err0; } if (siglen != 256) { warn0("Programmer error: " "signature buffer is incorrect length"); goto err0; } /* Convert the signature to EM, via RSA. */ if (RSA_public_decrypt((int)siglen, sig, EM, rsa, RSA_NO_PADDING) != 256) { /* * We can only distinguish between a bad signature and an * internal error in OpenSSL by looking at the error code. */ rsaerr = ERR_get_error(); if (rsaerr == RSA_R_DATA_TOO_LARGE_FOR_MODULUS) goto bad; /* Anything else is an internal error in OpenSSL. */ warn0("%s", ERR_error_string(rsaerr, NULL)); goto err0; } /* Generate mHash as specified in EMSA-PSS-VERIFY from RFC 3447. */ if (crypto_hash_data(CRYPTO_KEY_HMAC_SHA256, data, len, mHash)) { warn0("Programmer error: " "SHA256 should never fail"); goto err0; } /* Verify rightmost octet of EM. */ if (EM[255] != 0xbc) goto bad; /* Construct maskedDB and H. */ memcpy(maskedDB, EM, 223); memcpy(H, EM + 223, 32); /* Verify high bit of leftmost octet of maskedDB. */ if (maskedDB[0] & 0x80) goto bad; /* Construct dbMask and DB. */ crypto_MGF1(H, 32, dbMask, 223); for (i = 0; i < 223; i++) DB[i] = maskedDB[i] ^ dbMask[i]; /* Set high bit of leftmost octet of DB to zero. */ DB[0] &= 0x7f; /* Verify padding in DB. */ for (i = 0; i < 190; i++) if (DB[i] != 0) goto bad; if (DB[190] != 1) goto bad; /* Construct salt. */ memcpy(salt, DB + 191, 32); /* Construct M'. */ memset(Mprime, 0, 8); memcpy(Mprime + 8, mHash, 32); memcpy(Mprime + 40, salt, 32); /* Construct H'. */ if (crypto_hash_data(CRYPTO_KEY_HMAC_SHA256, Mprime, 72, Hprime)) { warn0("Programmer error: " "SHA256 should never fail"); goto err0; } /* Verify that H' == H. */ if (crypto_verify_bytes(H, Hprime, 32)) goto bad; /* Success! */ return (0); bad: /* Bad signature. */ return (1); err0: /* Failure! */ return (-1); }