#
# Ethereum P2P
# (c) Copyright 2018
# Status Research & Development GmbH
#
# Licensed under either of
# Apache License, version 2.0, (LICENSE-APACHEv2)
# MIT license (LICENSE-MIT)
#
## This module implements ECIES method encryption/decryption.
# Nothing below raises a CatchableError: recoverable failures are reported
# through `EciesResult`, only Defects (bounds checks etc.) may propagate.
{.push raises: [Defect].}
import
bearssl, stew/[results, endians2],
nimcrypto/[rijndael, bcmode, hash, hmac, sha2, utils],
../keys
# Re-exported so importers can use `isOk`/`isErr`/`error`/`?` on
# `EciesResult` without importing stew/results themselves.
export results
const
  emptyMac* = array[0, byte]([])
    ## Zero-length "shared MAC" input: the default `sharedmac` argument of
    ## `eciesEncrypt`/`eciesDecrypt`, meaning no additional data is folded
    ## into the message MAC.
type
  EciesError* = enum ## Failure modes reported through `EciesResult`.
    BufferOverrun = "ecies: output buffer size is too small" ## `output` too short
    EcdhError = "ecies: ECDH shared secret could not be calculated" ## not returned by any path in this file
    WrongHeader = "ecies: header is incorrect" ## version byte is not 0x04
    IncorrectKey = "ecies: recovered public key is invalid" ## ephemeral key failed to parse
    IncorrectTag = "ecies: tag verification failed" ## HMAC mismatch
    IncompleteError = "ecies: decryption needs more data" ## input empty or not longer than the overhead

  EciesHeader* {.packed.} = object
    ## Wire layout of an ECIES message. Never built as a value: it is laid
    ## over a byte buffer with `cast[ptr EciesHeader]` by `eciesEncrypt`
    ## and `eciesDecrypt`, hence `packed`.
    version*: byte ## always 0x04 in this module
    pubkey*: array[RawPublicKeySize, byte] ## sender's ephemeral public key, raw
    iv*: array[aes128.sizeBlock, byte] ## AES-CTR IV; also covered by the MAC
    data*: byte ## first ciphertext byte; offsets are taken from the templates below, not this field

  EciesResult*[T] = Result[T, EciesError]
proc mapErrTo[T](r: SkResult[T], v: static EciesError): EciesResult[T] =
  ## Lift a secp256k1 `SkResult` into an `EciesResult`: a successful value
  ## passes through untouched, while any error (whatever its `cstring`
  ## message) is collapsed into the single compile-time constant `v`.
  r.mapErr(proc(ignored: cstring): EciesError = v)
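template eciesOverheadLength*(): int =
  ## Number of bytes an ECIES message adds on top of the plaintext:
  ## version byte + raw ephemeral public key + AES-CTR IV + HMAC-SHA256 tag.
  ## Sized from the wire-format constant `RawPublicKeySize` (the width of
  ## `EciesHeader.pubkey`) rather than `sizeof(PublicKey)`, so the layout
  ## cannot drift if the in-memory key representation ever changes.
  1 + RawPublicKeySize + aes128.sizeBlock + sha256.sizeDigest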
template eciesEncryptedLength*(size: int): int =
  ## Total length of the ECIES message produced from `size` plaintext bytes
  ## (plaintext plus the fixed header-and-tag overhead).
  eciesOverheadLength() + size
template eciesDecryptedLength*(size: int): int =
  ## Plaintext length recovered from an ECIES message of `size` bytes.
  ## Goes negative when `size` is below the fixed overhead; `eciesDecrypt`
  ## rejects such inputs before using it.
  size - eciesOverheadLength()
template eciesMacLength(size: int): int =
  ## Length of the region the MAC covers for `size` ciphertext bytes:
  ## the AES IV followed by the ciphertext itself.
  aes128.sizeBlock + size
template eciesMacPos(size: int): int =
  ## Offset of the HMAC-SHA256 tag inside an encrypted block of `size`
  ## bytes: the tag is the trailing digest.
  size - sha256.sizeDigest
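template eciesDataPos(): int =
  ## Offset of the ciphertext in an encrypted block: after the version byte,
  ## the raw ephemeral public key and the IV. Uses `RawPublicKeySize` (the
  ## width of `EciesHeader.pubkey`) so the offset tracks the wire format
  ## rather than the in-memory size of `PublicKey`.
  1 + RawPublicKeySize + aes128.sizeBlock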
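template eciesIvPos(): int =
  ## Offset of the AES IV in an encrypted block: right after the version
  ## byte and the raw ephemeral public key. Uses `RawPublicKeySize` (the
  ## width of `EciesHeader.pubkey`) so the offset tracks the wire format
  ## rather than the in-memory size of `PublicKey`.
  1 + RawPublicKeySize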
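template eciesTagPos(size: int): int =
  ## Offset of the HMAC tag in an encrypted block carrying `size` ciphertext
  ## bytes: immediately after the ciphertext, which starts at
  ## `eciesDataPos()`. Expressed via that template so the two cannot
  ## disagree about the header layout.
  eciesDataPos() + size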
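proc kdf*(data: openArray[byte]): array[KeyLength, byte] {.noinit.} =
  ## NIST SP 800-56A Concatenation Key Derivation Function (section 5.8.1)
  ## over SHA-256: concatenates `SHA256(counter_be32 || data)` for
  ## counter = 1, 2, ... and returns the first `KeyLength` bytes.
  ##
  ## ``data`` - raw ECDH shared secret (any length, including zero).
  ##
  ## The number of digests produced (`reps + 1`) is derived from `KeyLength`
  ## and the hash block size exactly as before, so the output is unchanged.
  ## Every intermediate copy of the key material (digest, scratch buffer,
  ## hash state) is wiped before returning.
  var ctx: sha256
  let reps = ((KeyLength + 7) * 8) div (int(ctx.sizeBlock) * 8)
  var storage = newSeq[byte](int(ctx.sizeDigest) * (reps + 1))
  var offset = 0
  var counter: uint32 = 0

  while counter <= uint32(reps):
    inc counter
    ctx.init()
    # The counter is serialised big-endian, as the KDF specifies.
    ctx.update(counter.toBytesBE())
    # openArray overload: safe for an empty `data` (no `data[0]` access).
    ctx.update(data)
    var digest = ctx.finish()
    copyMem(addr storage[offset], addr digest.data[0], int(ctx.sizeDigest))
    offset += int(ctx.sizeDigest)
    burnMem(digest)
    ctx.clear()

  copyMem(addr result[0], addr storage[0], KeyLength)
  # Do not leave a second copy of the derived key material on the heap.
  burnMem(addr storage[0], len(storage))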
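proc eciesEncrypt*(rng: var BrHmacDrbgContext, input: openArray[byte],
                   output: var openArray[byte], pubkey: PublicKey,
                   sharedmac: openArray[byte] = emptyMac): EciesResult[void] =
  ## Encrypt `input` for the holder of `pubkey` with ECIES
  ## (secp256k1 ECDH + concat-KDF + AES-128-CTR + HMAC-SHA256).
  ##
  ## ``rng``       - DRBG used for the ephemeral key pair and the IV
  ## ``input``     - plaintext
  ## ``output``    - receives `0x04 || ephemeral pubkey || iv || ciphertext
  ##                 || tag`; must hold at least
  ##                 ``eciesEncryptedLength(len(input))`` bytes
  ## ``pubkey``    - recipient's ECC public key
  ## ``sharedmac`` - additional data authenticated by (but not carried in)
  ##                 the message MAC; the receiver must pass the same bytes
  ##
  ## Returns `BufferOverrun` if `output` is too small. The ephemeral secret
  ## key, the shared secret, the KDF output and both derived keys are wiped
  ## before returning.
  var
    encKey: array[aes128.sizeKey, byte]
    cipher: CTR[aes128]
    ctx: HMAC[sha256]
    iv: array[aes128.sizeBlock, byte]

  if len(output) < eciesEncryptedLength(len(input)):
    return err(BufferOverrun)

  brHmacDrbgGenerate(rng, iv)

  var
    ephemeral = KeyPair.random(rng)
    secret = ecdhRaw(ephemeral.seckey, pubkey)
    material = kdf(secret.data)

  clear(secret)

  # Key split: first half of the KDF output is the AES key, the MAC key is
  # SHA-256 of the second half.
  copyMem(addr encKey[0], addr material[0], aes128.sizeKey)
  var macKey =
    sha256.digest(material.toOpenArray(KeyLength div 2, material.high))
  burnMem(material)

  # Lay the packed header over the start of the output buffer.
  let header = cast[ptr EciesHeader](addr output[0])
  header.version = 0x04
  header.pubkey = ephemeral.pubkey.toRaw()
  header.iv = iv

  clear(ephemeral)

  # Ciphertext occupies exactly len(input) bytes after the header; the
  # slice is sized to match so it does not overlap the tag's position.
  let dataStart = eciesDataPos()
  let dataEnd = dataStart + len(input) - 1
  cipher.init(encKey, iv)
  cipher.encrypt(input, toOpenArray(output, dataStart, dataEnd))
  burnMem(encKey)
  cipher.clear()

  # MAC covers iv || ciphertext, then the optional shared data. The MAC key
  # is wiped as soon as the HMAC state has absorbed it (as decrypt does).
  let macStart = eciesIvPos()
  let macEnd = macStart + aes128.sizeBlock + len(input) - 1
  ctx.init(macKey.data)
  burnMem(macKey)
  ctx.update(toOpenArray(output, macStart, macEnd))
  if len(sharedmac) > 0:
    ctx.update(sharedmac)
  var tag = ctx.finish()
  ctx.clear()

  # ctx.sizeDigest() crashes the compiler, hence the typedesc form.
  copyMem(addr output[eciesTagPos(len(input))], addr tag.data[0],
          sha256.sizeDigest)

  ok()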
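proc eciesDecrypt*(input: openArray[byte],
                   output: var openArray[byte],
                   seckey: PrivateKey,
                   sharedmac: openArray[byte] = emptyMac): EciesResult[void] =
  ## Decrypt an ECIES message produced by `eciesEncrypt`.
  ##
  ## ``input``     - `0x04 || ephemeral pubkey || iv || ciphertext || tag`
  ## ``output``    - receives the plaintext; must hold at least
  ##                 ``eciesDecryptedLength(len(input))`` bytes
  ## ``seckey``    - recipient's ECC private key
  ## ``sharedmac`` - additional data the sender authenticated with the MAC;
  ##                 must match what the sender passed
  ##
  ## Errors: `IncompleteError` (empty, or not longer than header + tag),
  ## `WrongHeader` (version byte is not 0x04), `BufferOverrun`,
  ## `IncorrectKey` (ephemeral key does not parse), `IncorrectTag`.
  ## The tag is verified before any plaintext is written, and the comparison
  ## is written to run in constant time so a forger learns nothing from
  ## how long rejection takes.
  var
    encKey: array[aes128.sizeKey, byte]
    cipher: CTR[aes128]
    ctx: HMAC[sha256]

  if len(input) <= 0:
    return err(IncompleteError)

  # Only `version` (byte 0) may be read before the full-length check below.
  let header = cast[ptr EciesHeader](unsafeAddr input[0])
  if header.version != 0x04:
    return err(WrongHeader)
  if len(input) <= eciesOverheadLength():
    return err(IncompleteError)
  if len(input) - eciesOverheadLength() > len(output):
    return err(BufferOverrun)

  let pubkey = ? PublicKey.fromRaw(header.pubkey).mapErrTo(IncorrectKey)
  var secret = ecdhRaw(seckey, pubkey)
  var material = kdf(secret.data)
  burnMem(secret)

  # Same split as the sender: AES key from the first half, MAC key from
  # SHA-256 of the second half.
  copyMem(addr encKey[0], addr material[0], aes128.sizeKey)
  var macKey =
    sha256.digest(material.toOpenArray(KeyLength div 2, material.high))
  burnMem(material)

  # MAC input is iv || ciphertext, then the optional shared data.
  let macsize = eciesMacLength(len(input) - eciesOverheadLength())
  ctx.init(macKey.data)
  burnMem(macKey)
  ctx.update(toOpenArray(input, eciesIvPos(), eciesIvPos() + macsize - 1))
  if len(sharedmac) > 0:
    ctx.update(sharedmac)
  let tag = ctx.finish()
  ctx.clear()

  # Constant-time tag check: OR together every byte difference and decide
  # once at the end, instead of `equalMem`, which stops at the first
  # mismatching byte and leaks its position through timing.
  let tagPos = eciesMacPos(len(input))
  var diff: byte = 0
  for i in 0 ..< sha256.sizeDigest:
    diff = diff or (tag.data[i] xor input[tagPos + i])
  if diff != 0:
    # Don't leave the derived AES key behind on the rejection path either.
    burnMem(encKey)
    return err(IncorrectTag)

  let datsize = eciesDecryptedLength(len(input))
  cipher.init(encKey, header.iv)
  burnMem(encKey)
  cipher.decrypt(toOpenArray(input, eciesDataPos(),
                             eciesDataPos() + datsize - 1), output)
  cipher.clear()

  ok()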