nim-eth-p2p/eth_p2p/ecies.nim

#
#                 Ethereum P2P
#              (c) Copyright 2018
#       Status Research & Development GmbH
#
#            Licensed under either of
#  Apache License, version 2.0, (LICENSE-APACHEv2)
#            MIT license (LICENSE-MIT)
#

## This module implements ECIES method encryption/decryption.

import eth_keys, nimcrypto

const
  emptyMac* = array[0, byte]([])

type
  EciesException* = object of Exception
  EciesStatus* = enum
    Success,        ## Operation was successful
    BufferOverrun,  ## Output buffer size is too small
    RandomError,    ## Could not obtain random data
    EcdhError,      ## ECDH shared secret could not be calculated
    WrongHeader,    ## ECIES header is incorrect
    IncorrectKey,   ## Recovered public key is invalid
    IncorrectTag,   ## ECIES tag verification failed
    IncompleteError ## Decryption needs more data

  EciesHeader* = object {.packed.}
    version*: byte
    pubkey*: array[RawPublicKeySize, byte]
    iv*: array[aes128.sizeBlock, byte]
    data*: byte

template eciesOverheadLength*(): int =
  ## Return data overhead size for ECIES encrypted message
  1 + sizeof(PublicKey) + aes128.sizeBlock + sha256.sizeDigest

template eciesEncryptedLength*(size: int): int =
  ## Return size of encrypted message for message with size `size`.
  size + eciesOverheadLength()

template eciesDecryptedLength*(size: int): int =
  ## Return size of decrypted message for encrypted message with size `size`.
  size - eciesOverheadLength()

template eciesMacLength(size: int): int =
  ## Return size of authenticated data
  size + aes128.sizeBlock

template eciesMacPos(size: int): int =
  ## Return position of MAC code in encrypted block
  size - sha256.sizeDigest

template eciesDataPos(): int =
  ## Return position of encrypted data in block
  1 + sizeof(PublicKey) + aes128.sizeBlock

template eciesIvPos(): int =
  ## Return position of IV in block
  1 + sizeof(PublicKey)

template eciesTagPos(size: int): int =
  1 + sizeof(PublicKey) + aes128.sizeBlock + size

proc kdf*(data: openarray[byte]): array[KeyLength, byte] {.noInit.} =
  ## NIST SP 800-56a Concatenation Key Derivation Function (see section 5.8.1)
  var ctx: sha256
  var counter: uint32
  var counterLe: uint32
  let reps = ((KeyLength + 7) * 8) div (int(ctx.sizeBlock) * 8)
  var offset = 0
  var storage = newSeq[byte](int(ctx.sizeDigest) * (reps + 1))
  while counter <= uint32(reps):
    counter = counter + 1
    counterLe = LSWAP(counter)
    ctx.init()
    ctx.update(cast[ptr byte](addr counterLe), uint(sizeof(uint32)))
    ctx.update(unsafeAddr data[0], uint(len(data)))
    var hash = ctx.finish()
    copyMem(addr storage[offset], addr hash.data[0], ctx.sizeDigest)
    offset += int(ctx.sizeDigest)
  ctx.clear() # clean ctx
  copyMem(addr result[0], addr storage[0], KeyLength)

proc eciesEncrypt*(input: openarray[byte], output: var openarray[byte],
                   pubkey: PublicKey,
                   sharedmac: openarray[byte] = emptyMac): EciesStatus =
  ## Encrypt data with ECIES method using given public key `pubkey`.
  ## ``input``     - input data
  ## ``output``    - output data
  ## ``pubkey``    - ECC public key
  ## ``sharedmac`` - additional data used to calculate encrypted message MAC
  ## Length of output data can be calculated using ``eciesEncryptedLength()``
  ## template.
  var
    encKey: array[aes128.sizeKey, byte]
    cipher: CTR[aes128]
    ctx: HMAC[sha256]
    iv: array[aes128.sizeBlock, byte]
    secret: SharedSecret
    material: array[KeyLength, byte]

  if len(output) < eciesEncryptedLength(len(input)):
    return(BufferOverrun)
  if randomBytes(iv) != aes128.sizeBlock:
    return(RandomError)

  var ephemeral = newKeyPair()

  if ecdhAgree(ephemeral.seckey, pubkey, secret) != EthKeysStatus.Success:
    return(EcdhError)

  material = kdf(secret.data)
  burnMem(secret)

  copyMem(addr encKey[0], addr material[0], aes128.sizeKey)
  var macKey = sha256.digest(material, ostart = KeyLength div 2)
  burnMem(material)

  var header = cast[ptr EciesHeader](addr output[0])
  header.version = 0x04
  header.pubkey = ephemeral.pubkey.getRaw()
  header.iv = iv

  var so = eciesDataPos()
  var eo = so + len(input)
  cipher.init(encKey, iv)
  cipher.encrypt(input, toOpenArray(output, so, eo))
  burnMem(encKey)
  cipher.clear()

  so = eciesIvPos()
  eo = so + aes128.sizeBlock + len(input) - 1
  ctx.init(macKey.data)
  ctx.update(toOpenArray(output, so, eo))
  if len(sharedmac) > 0:
    ctx.update(sharedmac)
  var tag = ctx.finish()

  so = eciesTagPos(len(input))
  # ctx.sizeDigest() crash compiler
  copyMem(addr output[so], addr tag.data[0], sha256.sizeDigest)
  ctx.clear()

  result = Success

proc eciesDecrypt*(input: openarray[byte],
                   output: var openarray[byte],
                   seckey: PrivateKey,
                   sharedmac: openarray[byte] = emptyMac): EciesStatus =
  ## Decrypt data with ECIES method using given private key `seckey`.
  ## ``input``     - input data
  ## ``output``    - output data
  ## ``pubkey``    - ECC private key
  ## ``sharedmac`` - additional data used to calculate encrypted message MAC
  ## Length of output data can be calculated using ``eciesDecryptedLength()``
  ## template.
  var
    pubkey: PublicKey
    encKey: array[aes128.sizeKey, byte]
    cipher: CTR[aes128]
    ctx: HMAC[sha256]
    secret: SharedSecret

  if len(input) <= 0:
    return(IncompleteError)

  var header = cast[ptr EciesHeader](unsafeAddr input[0])
  if header.version != 0x04:
    return(WrongHeader)
  if len(input) <= eciesOverheadLength():
    return(IncompleteError)
  if len(input) - eciesOverheadLength() > len(output):
    return(BufferOverrun)
  if recoverPublicKey(header.pubkey, pubkey) != EthKeysStatus.Success:
    return(IncorrectKey)
  if ecdhAgree(seckey, pubkey, secret) != EthKeysStatus.Success:
    return(EcdhError)

  var material = kdf(secret.data)
  burnMem(secret)
  copyMem(addr encKey[0], addr material[0], aes128.sizeKey)
  var macKey = sha256.digest(material, ostart = KeyLength div 2)
  burnMem(material)

  let macsize = eciesMacLength(len(input) - eciesOverheadLength())
  ctx.init(macKey.data)
  burnMem(macKey)
  ctx.update(toOpenArray(input, eciesIvPos(), eciesIvPos() + macsize - 1))
  if len(sharedmac) > 0:
    ctx.update(sharedmac)
  var tag = ctx.finish()
  ctx.clear()

  if not equalMem(addr tag.data[0], unsafeAddr input[eciesMacPos(len(input))],
                  sha256.sizeDigest):
    return(IncorrectTag)

  let datsize = eciesDecryptedLength(len(input))
  cipher.init(encKey, header.iv)
  burnMem(encKey)
  cipher.decrypt(toOpenArray(input, eciesDataPos(),
                             eciesDataPos() + datsize - 1), output)
  cipher.clear()
  result = Success
Initial commit 2018-03-28 00:17:01 +00:00			`#`
			`# Ethereum P2P`
			`# (c) Copyright 2018`
			`# Status Research & Development GmbH`
			`#`
Add ENode type/procedures/tests. Fixed header with proper licenses. Fixed nimble to allow ENode tests. 2018-04-30 17:40:04 +00:00			`# Licensed under either of`
			`# Apache License, version 2.0, (LICENSE-APACHEv2)`
			`# MIT license (LICENSE-MIT)`
Initial commit 2018-03-28 00:17:01 +00:00			`#`

			`## This module implements ECIES method encryption/decryption.`

Moved eth_p2p to asyncdispatch2. Fix some warnings at rlpx.nim. Commented debug echo in rlpx.nim. 2018-06-17 10:21:06 +00:00			`import eth_keys, nimcrypto`
Initial commit 2018-03-28 00:17:01 +00:00
first attempt 2018-03-29 20:53:19 +00:00			`const`
			`emptyMac* = array[0, byte]([])`

Initial commit 2018-03-28 00:17:01 +00:00			`type`
			`EciesException* = object of Exception`
			`EciesStatus* = enum`
			`Success, ## Operation was successful`
			`BufferOverrun, ## Output buffer size is too small`
			`RandomError, ## Could not obtain random data`
			`EcdhError, ## ECDH shared secret could not be calculated`
			`WrongHeader, ## ECIES header is incorrect`
			`IncorrectKey, ## Recovered public key is invalid`
first attempt 2018-03-29 20:53:19 +00:00			`IncorrectTag, ## ECIES tag verification failed`
			`IncompleteError ## Decryption needs more data`
Reviewed the ecies module and a little bit of auth 2018-03-28 14:29:41 +00:00
first attempt 2018-03-29 20:53:19 +00:00			`EciesHeader* = object {.packed.}`
			`version*: byte`
Remove ecc.nim. Remove testecc.nim. Switch auth/ecies to use eth_keys instead of ecc.nim. Fix tests according to new API. 2018-04-10 21:29:46 +00:00			`pubkey*: array[RawPublicKeySize, byte]`
first attempt 2018-03-29 20:53:19 +00:00			`iv*: array[aes128.sizeBlock, byte]`
			`data*: byte`
Reviewed the ecies module and a little bit of auth 2018-03-28 14:29:41 +00:00
Initial commit 2018-03-28 00:17:01 +00:00			`template eciesOverheadLength*(): int =`
			`## Return data overhead size for ECIES encrypted message`
			`1 + sizeof(PublicKey) + aes128.sizeBlock + sha256.sizeDigest`

			`template eciesEncryptedLength*(size: int): int =`
			## Return size of encrypted message for message with size `size`.
			`size + eciesOverheadLength()`

			`template eciesDecryptedLength*(size: int): int =`
			## Return size of decrypted message for encrypted message with size `size`.
			`size - eciesOverheadLength()`

			`template eciesMacLength(size: int): int =`
			`## Return size of authenticated data`
			`size + aes128.sizeBlock`

			`template eciesMacPos(size: int): int =`
			`## Return position of MAC code in encrypted block`
			`size - sha256.sizeDigest`

			`template eciesDataPos(): int =`
			`## Return position of encrypted data in block`
first attempt 2018-03-29 20:53:19 +00:00			`1 + sizeof(PublicKey) + aes128.sizeBlock`

			`template eciesIvPos(): int =`
			`## Return position of IV in block`
			`1 + sizeof(PublicKey)`

			`template eciesTagPos(size: int): int =`
			`1 + sizeof(PublicKey) + aes128.sizeBlock + size`
Initial commit 2018-03-28 00:17:01 +00:00
			`proc kdf*(data: openarray[byte]): array[KeyLength, byte] {.noInit.} =`
			`## NIST SP 800-56a Concatenation Key Derivation Function (see section 5.8.1)`
			`var ctx: sha256`
			`var counter: uint32`
			`var counterLe: uint32`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`let reps = ((KeyLength + 7) * 8) div (int(ctx.sizeBlock) * 8)`
Initial commit 2018-03-28 00:17:01 +00:00			`var offset = 0`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`var storage = newSeq[byte](int(ctx.sizeDigest) * (reps + 1))`
Initial commit 2018-03-28 00:17:01 +00:00			`while counter <= uint32(reps):`
			`counter = counter + 1`
			`counterLe = LSWAP(counter)`
			`ctx.init()`
			`ctx.update(cast[ptr byte](addr counterLe), uint(sizeof(uint32)))`
			`ctx.update(unsafeAddr data[0], uint(len(data)))`
first attempt 2018-03-29 20:53:19 +00:00			`var hash = ctx.finish()`
			`copyMem(addr storage[offset], addr hash.data[0], ctx.sizeDigest)`
Reviewed the ecies module and a little bit of auth 2018-03-28 14:29:41 +00:00			`offset += int(ctx.sizeDigest)`
first attempt 2018-03-29 20:53:19 +00:00			`ctx.clear() # clean ctx`
Initial commit 2018-03-28 00:17:01 +00:00			`copyMem(addr result[0], addr storage[0], KeyLength)`

first attempt 2018-03-29 20:53:19 +00:00			`proc eciesEncrypt*(input: openarray[byte], output: var openarray[byte],`
			`pubkey: PublicKey,`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`sharedmac: openarray[byte] = emptyMac): EciesStatus =`
first attempt 2018-03-29 20:53:19 +00:00			## Encrypt data with ECIES method using given public key `pubkey`.
			## ``input`` - input data
			## ``output`` - output data
			## ``pubkey`` - ECC public key
			## ``sharedmac`` - additional data used to calculate encrypted message MAC
			## Length of output data can be calculated using ``eciesEncryptedLength()``
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`## template.`
Initial commit 2018-03-28 00:17:01 +00:00			`var`
first attempt 2018-03-29 20:53:19 +00:00			`encKey: array[aes128.sizeKey, byte]`
Initial commit 2018-03-28 00:17:01 +00:00			`cipher: CTR[aes128]`
			`ctx: HMAC[sha256]`
			`iv: array[aes128.sizeBlock, byte]`
			`secret: SharedSecret`
			`material: array[KeyLength, byte]`

first attempt 2018-03-29 20:53:19 +00:00			`if len(output) < eciesEncryptedLength(len(input)):`
Initial commit 2018-03-28 00:17:01 +00:00			`return(BufferOverrun)`
first attempt 2018-03-29 20:53:19 +00:00			`if randomBytes(iv) != aes128.sizeBlock:`
Initial commit 2018-03-28 00:17:01 +00:00			`return(RandomError)`

			`var ephemeral = newKeyPair()`

Remove ecc.nim. Remove testecc.nim. Switch auth/ecies to use eth_keys instead of ecc.nim. Fix tests according to new API. 2018-04-10 21:29:46 +00:00			`if ecdhAgree(ephemeral.seckey, pubkey, secret) != EthKeysStatus.Success:`
Initial commit 2018-03-28 00:17:01 +00:00			`return(EcdhError)`

Remove ecc.nim. Remove testecc.nim. Switch auth/ecies to use eth_keys instead of ecc.nim. Fix tests according to new API. 2018-04-10 21:29:46 +00:00			`material = kdf(secret.data)`
first attempt 2018-03-29 20:53:19 +00:00			`burnMem(secret)`

			`copyMem(addr encKey[0], addr material[0], aes128.sizeKey)`
			`var macKey = sha256.digest(material, ostart = KeyLength div 2)`
			`burnMem(material)`

			`var header = cast[ptr EciesHeader](addr output[0])`
			`header.version = 0x04`
Remove ecc.nim. Remove testecc.nim. Switch auth/ecies to use eth_keys instead of ecc.nim. Fix tests according to new API. 2018-04-10 21:29:46 +00:00			`header.pubkey = ephemeral.pubkey.getRaw()`
first attempt 2018-03-29 20:53:19 +00:00			`header.iv = iv`

			`var so = eciesDataPos()`
			`var eo = so + len(input)`
			`cipher.init(encKey, iv)`
			`cipher.encrypt(input, toOpenArray(output, so, eo))`
			`burnMem(encKey)`
			`cipher.clear()`

			`so = eciesIvPos()`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`eo = so + aes128.sizeBlock + len(input) - 1`
first attempt 2018-03-29 20:53:19 +00:00			`ctx.init(macKey.data)`
			`ctx.update(toOpenArray(output, so, eo))`
			`if len(sharedmac) > 0:`
			`ctx.update(sharedmac)`
			`var tag = ctx.finish()`

			`so = eciesTagPos(len(input))`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`# ctx.sizeDigest() crash compiler`
			`copyMem(addr output[so], addr tag.data[0], sha256.sizeDigest)`
first attempt 2018-03-29 20:53:19 +00:00			`ctx.clear()`
Reviewed the ecies module and a little bit of auth 2018-03-28 14:29:41 +00:00
Initial commit 2018-03-28 00:17:01 +00:00			`result = Success`

first attempt 2018-03-29 20:53:19 +00:00			`proc eciesDecrypt*(input: openarray[byte],`
			`output: var openarray[byte],`
			`seckey: PrivateKey,`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`sharedmac: openarray[byte] = emptyMac): EciesStatus =`
first attempt 2018-03-29 20:53:19 +00:00			## Decrypt data with ECIES method using given private key `seckey`.
			## ``input`` - input data
			## ``output`` - output data
			## ``pubkey`` - ECC private key
			## ``sharedmac`` - additional data used to calculate encrypted message MAC
			## Length of output data can be calculated using ``eciesDecryptedLength()``
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`## template.`
Initial commit 2018-03-28 00:17:01 +00:00			`var`
			`pubkey: PublicKey`
first attempt 2018-03-29 20:53:19 +00:00			`encKey: array[aes128.sizeKey, byte]`
Initial commit 2018-03-28 00:17:01 +00:00			`cipher: CTR[aes128]`
			`ctx: HMAC[sha256]`
			`secret: SharedSecret`

Some fixes and tests for ECIES. 2018-03-30 15:42:23 +00:00			`if len(input) <= 0:`
first attempt 2018-03-29 20:53:19 +00:00			`return(IncompleteError)`
Initial commit 2018-03-28 00:17:01 +00:00
first attempt 2018-03-29 20:53:19 +00:00			`var header = cast[ptr EciesHeader](unsafeAddr input[0])`
			`if header.version != 0x04:`
Initial commit 2018-03-28 00:17:01 +00:00			`return(WrongHeader)`
first attempt 2018-03-29 20:53:19 +00:00			`if len(input) <= eciesOverheadLength():`
			`return(IncompleteError)`
			`if len(input) - eciesOverheadLength() > len(output):`
			`return(BufferOverrun)`
Remove ecc.nim. Remove testecc.nim. Switch auth/ecies to use eth_keys instead of ecc.nim. Fix tests according to new API. 2018-04-10 21:29:46 +00:00			`if recoverPublicKey(header.pubkey, pubkey) != EthKeysStatus.Success:`
Initial commit 2018-03-28 00:17:01 +00:00			`return(IncorrectKey)`
Remove ecc.nim. Remove testecc.nim. Switch auth/ecies to use eth_keys instead of ecc.nim. Fix tests according to new API. 2018-04-10 21:29:46 +00:00			`if ecdhAgree(seckey, pubkey, secret) != EthKeysStatus.Success:`
Initial commit 2018-03-28 00:17:01 +00:00			`return(EcdhError)`

Remove ecc.nim. Remove testecc.nim. Switch auth/ecies to use eth_keys instead of ecc.nim. Fix tests according to new API. 2018-04-10 21:29:46 +00:00			`var material = kdf(secret.data)`
first attempt 2018-03-29 20:53:19 +00:00			`burnMem(secret)`
			`copyMem(addr encKey[0], addr material[0], aes128.sizeKey)`
			`var macKey = sha256.digest(material, ostart = KeyLength div 2)`
			`burnMem(material)`

			`let macsize = eciesMacLength(len(input) - eciesOverheadLength())`
			`ctx.init(macKey.data)`
			`burnMem(macKey)`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`ctx.update(toOpenArray(input, eciesIvPos(), eciesIvPos() + macsize - 1))`
first attempt 2018-03-29 20:53:19 +00:00			`if len(sharedmac) > 0:`
			`ctx.update(sharedmac)`
			`var tag = ctx.finish()`
			`ctx.clear()`

			`if not equalMem(addr tag.data[0], unsafeAddr input[eciesMacPos(len(input))],`
			`sha256.sizeDigest):`
Initial commit 2018-03-28 00:17:01 +00:00			`return(IncorrectTag)`

Some fixes and tests for ECIES. 2018-03-30 15:42:23 +00:00			`let datsize = eciesDecryptedLength(len(input))`
first attempt 2018-03-29 20:53:19 +00:00			`cipher.init(encKey, header.iv)`
			`burnMem(encKey)`
Finished with ECIES review and adopted tests. 2018-03-30 07:03:32 +00:00			`cipher.decrypt(toOpenArray(input, eciesDataPos(),`
			`eciesDataPos() + datsize - 1), output)`
first attempt 2018-03-29 20:53:19 +00:00			`cipher.clear()`
Initial commit 2018-03-28 00:17:01 +00:00			`result = Success`