gost2001_keyx.c revision 306195
11539Srgrimes/********************************************************************** 21539Srgrimes * gost_keyx.c * 31539Srgrimes * Copyright (c) 2005-2006 Cryptocom LTD * 41539Srgrimes * This file is distributed under the same license as OpenSSL * 51539Srgrimes * * 61539Srgrimes * VK0 34.10-2001 key exchange and GOST R 34.10-2001 * 71539Srgrimes * based PKCS7/SMIME support * 81539Srgrimes * Requires OpenSSL 0.9.9 for compilation * 91539Srgrimes **********************************************************************/ 101539Srgrimes#include <openssl/evp.h> 111539Srgrimes#include <openssl/rand.h> 121539Srgrimes#include <string.h> 13203964Simp#include <openssl/objects.h> 141539Srgrimes#include "gost89.h" 151539Srgrimes#include "gosthash.h" 161539Srgrimes#include "e_gost_err.h" 171539Srgrimes#include "gost_keywrap.h" 181539Srgrimes#include "gost_lcl.h" 191539Srgrimes#include "gost2001_keyx.h" 201539Srgrimes 211539Srgrimes/* Implementation of CryptoPro VKO 34.10-2001 algorithm */ 221539Srgrimesstatic int VKO_compute_key(unsigned char *shared_key, size_t shared_key_size, 231539Srgrimes const EC_POINT *pub_key, EC_KEY *priv_key, 241539Srgrimes const unsigned char *ukm) 251539Srgrimes{ 261539Srgrimes unsigned char ukm_be[8], databuf[64], hashbuf[64]; 271539Srgrimes BIGNUM *UKM = NULL, *p = NULL, *order = NULL, *X = NULL, *Y = NULL; 281539Srgrimes const BIGNUM *key = EC_KEY_get0_private_key(priv_key); 291539Srgrimes EC_POINT *pnt = EC_POINT_new(EC_KEY_get0_group(priv_key)); 30203964Simp int i; 31203964Simp gost_hash_ctx hash_ctx; 321539Srgrimes BN_CTX *ctx = BN_CTX_new(); 331539Srgrimes 341539Srgrimes for (i = 0; i < 8; i++) { 351539Srgrimes ukm_be[7 - i] = ukm[i]; 361539Srgrimes } 371539Srgrimes BN_CTX_start(ctx); 381539Srgrimes UKM = getbnfrombuf(ukm_be, 8); 391539Srgrimes p = BN_CTX_get(ctx); 401539Srgrimes order = BN_CTX_get(ctx); 411539Srgrimes X = BN_CTX_get(ctx); 421539Srgrimes Y = BN_CTX_get(ctx); 431539Srgrimes EC_GROUP_get_order(EC_KEY_get0_group(priv_key), order, ctx); 441539Srgrimes BN_mod_mul(p, key, UKM, order, ctx); 451539Srgrimes EC_POINT_mul(EC_KEY_get0_group(priv_key), pnt, NULL, pub_key, p, ctx); 461539Srgrimes EC_POINT_get_affine_coordinates_GFp(EC_KEY_get0_group(priv_key), 471539Srgrimes pnt, X, Y, ctx); 481539Srgrimes /* 49 * Serialize elliptic curve point same way as we do it when saving key 50 */ 51 store_bignum(Y, databuf, 32); 52 store_bignum(X, databuf + 32, 32); 53 /* And reverse byte order of whole buffer */ 54 for (i = 0; i < 64; i++) { 55 hashbuf[63 - i] = databuf[i]; 56 } 57 init_gost_hash_ctx(&hash_ctx, &GostR3411_94_CryptoProParamSet); 58 start_hash(&hash_ctx); 59 hash_block(&hash_ctx, hashbuf, 64); 60 finish_hash(&hash_ctx, shared_key); 61 done_gost_hash_ctx(&hash_ctx); 62 BN_free(UKM); 63 BN_CTX_end(ctx); 64 BN_CTX_free(ctx); 65 EC_POINT_free(pnt); 66 return 32; 67} 68 69/* 70 * EVP_PKEY_METHOD callback derive. Implements VKO R 34.10-2001 71 * algorithm 72 */ 73int pkey_gost2001_derive(EVP_PKEY_CTX *ctx, unsigned char *key, 74 size_t *keylen) 75{ 76 /* 77 * Public key of peer in the ctx field peerkey Our private key in the ctx 78 * pkey ukm is in the algorithm specific context data 79 */ 80 EVP_PKEY *my_key = EVP_PKEY_CTX_get0_pkey(ctx); 81 EVP_PKEY *peer_key = EVP_PKEY_CTX_get0_peerkey(ctx); 82 struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(ctx); 83 84 if (!data->shared_ukm) { 85 GOSTerr(GOST_F_PKEY_GOST2001_DERIVE, GOST_R_UKM_NOT_SET); 86 return 0; 87 } 88 89 if (key == NULL) { 90 *keylen = 32; 91 return 32; 92 } 93 94 *keylen = 95 VKO_compute_key(key, 32, 96 EC_KEY_get0_public_key(EVP_PKEY_get0(peer_key)), 97 (EC_KEY *)EVP_PKEY_get0(my_key), data->shared_ukm); 98 return 1; 99} 100 101/* 102 * EVP_PKEY_METHOD callback encrypt 103 * Implementation of GOST2001 key transport, cryptocom variation 104 */ 105/* 106 * Generates ephemeral key based on pubk algorithm computes shared key using 107 * VKO and returns filled up GOST_KEY_TRANSPORT structure 108 */ 109 110/* 111 * EVP_PKEY_METHOD callback encrypt 112 * Implementation of GOST2001 key transport, cryptopo variation 113 */ 114 115int pkey_GOST01cp_encrypt(EVP_PKEY_CTX *pctx, unsigned char *out, 116 size_t *out_len, const unsigned char *key, 117 size_t key_len) 118{ 119 GOST_KEY_TRANSPORT *gkt = NULL; 120 EVP_PKEY *pubk = EVP_PKEY_CTX_get0_pkey(pctx); 121 struct gost_pmeth_data *data = EVP_PKEY_CTX_get_data(pctx); 122 const struct gost_cipher_info *param = get_encryption_params(NULL); 123 unsigned char ukm[8], shared_key[32], crypted_key[44]; 124 int ret = 0; 125 int key_is_ephemeral = 1; 126 gost_ctx cctx; 127 EVP_PKEY *sec_key = EVP_PKEY_CTX_get0_peerkey(pctx); 128 if (data->shared_ukm) { 129 memcpy(ukm, data->shared_ukm, 8); 130 } else if (out) { 131 132 if (RAND_bytes(ukm, 8) <= 0) { 133 GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT, 134 GOST_R_RANDOM_GENERATOR_FAILURE); 135 return 0; 136 } 137 } 138 /* Check for private key in the peer_key of context */ 139 if (sec_key) { 140 key_is_ephemeral = 0; 141 if (!gost_get0_priv_key(sec_key)) { 142 GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT, 143 GOST_R_NO_PRIVATE_PART_OF_NON_EPHEMERAL_KEYPAIR); 144 goto err; 145 } 146 } else { 147 key_is_ephemeral = 1; 148 if (out) { 149 sec_key = EVP_PKEY_new(); 150 if (sec_key == NULL) 151 goto err; 152 EVP_PKEY_assign(sec_key, EVP_PKEY_base_id(pubk), EC_KEY_new()); 153 EVP_PKEY_copy_parameters(sec_key, pubk); 154 if (!gost2001_keygen(EVP_PKEY_get0(sec_key))) { 155 goto err; 156 } 157 } 158 } 159 if (!get_gost_engine_param(GOST_PARAM_CRYPT_PARAMS) 160 && param == gost_cipher_list) { 161 param = gost_cipher_list + 1; 162 } 163 if (out) { 164 VKO_compute_key(shared_key, 32, 165 EC_KEY_get0_public_key(EVP_PKEY_get0(pubk)), 166 EVP_PKEY_get0(sec_key), ukm); 167 gost_init(&cctx, param->sblock); 168 keyWrapCryptoPro(&cctx, shared_key, ukm, key, crypted_key); 169 } 170 gkt = GOST_KEY_TRANSPORT_new(); 171 if (!gkt) { 172 goto err; 173 } 174 if (!ASN1_OCTET_STRING_set(gkt->key_agreement_info->eph_iv, ukm, 8)) { 175 goto err; 176 } 177 if (!ASN1_OCTET_STRING_set(gkt->key_info->imit, crypted_key + 40, 4)) { 178 goto err; 179 } 180 if (!ASN1_OCTET_STRING_set 181 (gkt->key_info->encrypted_key, crypted_key + 8, 32)) { 182 goto err; 183 } 184 if (key_is_ephemeral) { 185 if (!X509_PUBKEY_set 186 (&gkt->key_agreement_info->ephem_key, out ? sec_key : pubk)) { 187 GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT, 188 GOST_R_CANNOT_PACK_EPHEMERAL_KEY); 189 goto err; 190 } 191 } 192 ASN1_OBJECT_free(gkt->key_agreement_info->cipher); 193 gkt->key_agreement_info->cipher = OBJ_nid2obj(param->nid); 194 if (key_is_ephemeral && sec_key) 195 EVP_PKEY_free(sec_key); 196 if (!key_is_ephemeral) { 197 /* Set control "public key from client certificate used" */ 198 if (EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL) 199 <= 0) { 200 GOSTerr(GOST_F_PKEY_GOST01CP_ENCRYPT, GOST_R_CTRL_CALL_FAILED); 201 goto err; 202 } 203 } 204 if ((*out_len = i2d_GOST_KEY_TRANSPORT(gkt, out ? &out : NULL)) > 0) 205 ret = 1; 206 GOST_KEY_TRANSPORT_free(gkt); 207 return ret; 208 err: 209 if (key_is_ephemeral && sec_key) 210 EVP_PKEY_free(sec_key); 211 GOST_KEY_TRANSPORT_free(gkt); 212 return -1; 213} 214 215/* 216 * EVP_PKEY_METHOD callback decrypt 217 * Implementation of GOST2001 key transport, cryptopo variation 218 */ 219int pkey_GOST01cp_decrypt(EVP_PKEY_CTX *pctx, unsigned char *key, 220 size_t *key_len, const unsigned char *in, 221 size_t in_len) 222{ 223 const unsigned char *p = in; 224 EVP_PKEY *priv = EVP_PKEY_CTX_get0_pkey(pctx); 225 GOST_KEY_TRANSPORT *gkt = NULL; 226 int ret = 0; 227 unsigned char wrappedKey[44]; 228 unsigned char sharedKey[32]; 229 gost_ctx ctx; 230 const struct gost_cipher_info *param = NULL; 231 EVP_PKEY *eph_key = NULL, *peerkey = NULL; 232 233 if (!key) { 234 *key_len = 32; 235 return 1; 236 } 237 gkt = d2i_GOST_KEY_TRANSPORT(NULL, (const unsigned char **)&p, in_len); 238 if (!gkt) { 239 GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, 240 GOST_R_ERROR_PARSING_KEY_TRANSPORT_INFO); 241 return -1; 242 } 243 244 /* If key transport structure contains public key, use it */ 245 eph_key = X509_PUBKEY_get(gkt->key_agreement_info->ephem_key); 246 if (eph_key) { 247 if (EVP_PKEY_derive_set_peer(pctx, eph_key) <= 0) { 248 GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, 249 GOST_R_INCOMPATIBLE_PEER_KEY); 250 goto err; 251 } 252 } else { 253 /* Set control "public key from client certificate used" */ 254 if (EVP_PKEY_CTX_ctrl(pctx, -1, -1, EVP_PKEY_CTRL_PEER_KEY, 3, NULL) 255 <= 0) { 256 GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, GOST_R_CTRL_CALL_FAILED); 257 goto err; 258 } 259 } 260 peerkey = EVP_PKEY_CTX_get0_peerkey(pctx); 261 if (!peerkey) { 262 GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, GOST_R_NO_PEER_KEY); 263 goto err; 264 } 265 266 param = get_encryption_params(gkt->key_agreement_info->cipher); 267 if (!param) { 268 goto err; 269 } 270 271 gost_init(&ctx, param->sblock); 272 OPENSSL_assert(gkt->key_agreement_info->eph_iv->length == 8); 273 memcpy(wrappedKey, gkt->key_agreement_info->eph_iv->data, 8); 274 OPENSSL_assert(gkt->key_info->encrypted_key->length == 32); 275 memcpy(wrappedKey + 8, gkt->key_info->encrypted_key->data, 32); 276 OPENSSL_assert(gkt->key_info->imit->length == 4); 277 memcpy(wrappedKey + 40, gkt->key_info->imit->data, 4); 278 VKO_compute_key(sharedKey, 32, 279 EC_KEY_get0_public_key(EVP_PKEY_get0(peerkey)), 280 EVP_PKEY_get0(priv), wrappedKey); 281 if (!keyUnwrapCryptoPro(&ctx, sharedKey, wrappedKey, key)) { 282 GOSTerr(GOST_F_PKEY_GOST01CP_DECRYPT, 283 GOST_R_ERROR_COMPUTING_SHARED_KEY); 284 goto err; 285 } 286 287 ret = 1; 288 err: 289 if (eph_key) 290 EVP_PKEY_free(eph_key); 291 if (gkt) 292 GOST_KEY_TRANSPORT_free(gkt); 293 return ret; 294} 295