158 lines
4.3 KiB
Go
158 lines
4.3 KiB
Go
// Copyright 2017 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
// Package ecdh implements ECDH encryption, suitable for OpenPGP,
|
|
// as specified in RFC 6637, section 8.
|
|
package ecdh
|
|
|
|
import (
|
|
"errors"
|
|
"io"
|
|
"math/big"
|
|
|
|
"github.com/ProtonMail/go-crypto/openpgp/aes/keywrap"
|
|
"github.com/ProtonMail/go-crypto/openpgp/internal/ecc"
|
|
"golang.org/x/crypto/curve25519"
|
|
)
|
|
|
|
// Generates a private-public key-pair.
|
|
// 'priv' is a private key; a scalar belonging to the set
|
|
// 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of the
|
|
// curve. 'pub' is simply 'priv' * G where G is the base point.
|
|
// See https://cr.yp.to/ecdh.html and RFC7748, sec 5.
|
|
func x25519GenerateKeyPairBytes(rand io.Reader) (priv [32]byte, pub [32]byte, err error) {
|
|
var n, helper = new(big.Int), new(big.Int)
|
|
n.SetUint64(1)
|
|
n.Lsh(n, 252)
|
|
helper.SetString("27742317777372353535851937790883648493", 10)
|
|
n.Add(n, helper)
|
|
|
|
for true {
|
|
_, err = io.ReadFull(rand, priv[:])
|
|
if err != nil {
|
|
return
|
|
}
|
|
// The following ensures that the private key is a number of the form
|
|
// 2^{254} + 8 * [0, 2^{251}), in order to avoid the small subgroup of
|
|
// of the curve.
|
|
priv[0] &= 248
|
|
priv[31] &= 127
|
|
priv[31] |= 64
|
|
|
|
// If the scalar is out of range, sample another random number.
|
|
if new(big.Int).SetBytes(priv[:]).Cmp(n) >= 0 {
|
|
continue
|
|
}
|
|
|
|
curve25519.ScalarBaseMult(&pub, &priv)
|
|
return
|
|
}
|
|
return
|
|
}
|
|
|
|
// X25519GenerateKey samples the key pair according to the correct distribution.
|
|
// It also sets the given key-derivation function and returns the *PrivateKey
|
|
// object along with an error.
|
|
func X25519GenerateKey(rand io.Reader, kdf KDF) (priv *PrivateKey, err error) {
|
|
ci := ecc.FindByName("Curve25519")
|
|
priv = new(PrivateKey)
|
|
priv.PublicKey.Curve = ci.Curve
|
|
d, pubKey, err := x25519GenerateKeyPairBytes(rand)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
priv.PublicKey.KDF = kdf
|
|
priv.D = make([]byte, 32)
|
|
copyReversed(priv.D, d[:])
|
|
priv.PublicKey.CurveType = ci.CurveType
|
|
priv.PublicKey.Curve = ci.Curve
|
|
/*
|
|
* Note that ECPoint.point differs from the definition of public keys in
|
|
* [Curve25519] in two ways: (1) the byte-ordering is big-endian, which is
|
|
* more uniform with how big integers are represented in TLS, and (2) there
|
|
* is an additional length byte (so ECpoint.point is actually 33 bytes),
|
|
* again for uniformity (and extensibility).
|
|
*/
|
|
var encodedKey = make([]byte, 33)
|
|
encodedKey[0] = 0x40
|
|
copy(encodedKey[1:], pubKey[:])
|
|
priv.PublicKey.X = new(big.Int).SetBytes(encodedKey[:])
|
|
priv.PublicKey.Y = new(big.Int)
|
|
return priv, nil
|
|
}
|
|
|
|
func X25519Encrypt(random io.Reader, pub *PublicKey, msg, curveOID, fingerprint []byte) (vsG, c []byte, err error) {
|
|
d, ephemeralKey, err := x25519GenerateKeyPairBytes(random)
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
var pubKey [32]byte
|
|
|
|
if pub.X.BitLen() > 33*264 {
|
|
return nil, nil, errors.New("ecdh: invalid key")
|
|
}
|
|
copy(pubKey[:], pub.X.Bytes()[1:])
|
|
|
|
var zb [32]byte
|
|
curve25519.ScalarBaseMult(&zb, &d)
|
|
curve25519.ScalarMult(&zb, &d, &pubKey)
|
|
z, err := buildKey(pub, zb[:], curveOID, fingerprint, false, false)
|
|
|
|
if err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
if c, err = keywrap.Wrap(z, msg); err != nil {
|
|
return nil, nil, err
|
|
}
|
|
|
|
var vsg [33]byte
|
|
vsg[0] = 0x40
|
|
copy(vsg[1:], ephemeralKey[:])
|
|
|
|
return vsg[:], c, nil
|
|
}
|
|
|
|
func X25519Decrypt(priv *PrivateKey, vsG, m, curveOID, fingerprint []byte) (msg []byte, err error) {
|
|
var zb, d, ephemeralKey [32]byte
|
|
if len(vsG) != 33 || vsG[0] != 0x40 {
|
|
return nil, errors.New("ecdh: invalid key")
|
|
}
|
|
copy(ephemeralKey[:], vsG[1:33])
|
|
|
|
copyReversed(d[:], priv.D)
|
|
curve25519.ScalarBaseMult(&zb, &d)
|
|
curve25519.ScalarMult(&zb, &d, &ephemeralKey)
|
|
|
|
var c []byte
|
|
|
|
for i := 0; i < 3; i++ {
|
|
// Try buildKey three times for compat, see comments in buildKey.
|
|
z, err := buildKey(&priv.PublicKey, zb[:], curveOID, fingerprint, i == 1, i == 2)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
res, err := keywrap.Unwrap(z, m)
|
|
if i == 2 && err != nil {
|
|
// Only return an error after we've tried all variants of buildKey.
|
|
return nil, err
|
|
}
|
|
|
|
c = res
|
|
if err == nil {
|
|
break
|
|
}
|
|
}
|
|
|
|
return c[:len(c)-int(c[len(c)-1])], nil
|
|
}
|
|
|
|
func copyReversed(out []byte, in []byte) {
|
|
l := len(in)
|
|
for i := 0; i < l; i++ {
|
|
out[i] = in[l-i-1]
|
|
}
|
|
}
|