blob: 389e0b414901362f526d216e3aed2a07127e5e2c [file] [log] [blame]
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -07001/* -*- Mode:C++; c-file-style:"gnu"; indent-tabs-mode:nil; -*- */
Zhiyi Zhanga67fa462020-04-19 13:48:03 -07002/**
3 * Copyright (c) 2017-2020, Regents of the University of California.
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -07004 *
5 * This file is part of ndncert, a certificate management system based on NDN.
6 *
7 * ndncert is free software: you can redistribute it and/or modify it under the terms
8 * of the GNU General Public License as published by the Free Software Foundation, either
9 * version 3 of the License, or (at your option) any later version.
10 *
11 * ndncert is distributed in the hope that it will be useful, but WITHOUT ANY
12 * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A
13 * PARTICULAR PURPOSE. See the GNU General Public License for more details.
14 *
15 * You should have received copies of the GNU General Public License along with
16 * ndncert, e.g., in COPYING.md file. If not, see <http://www.gnu.org/licenses/>.
17 *
18 * See AUTHORS.md for complete list of ndncert authors and contributors.
19 */
20
21#include "crypto-helper.hpp"
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -070022#include <openssl/err.h>
Zhiyi Zhanga2ce5992019-08-14 17:35:00 -070023#include <openssl/hmac.h>
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -070024#include <openssl/pem.h>
Zhiyi Zhang2b6d80c2020-10-12 12:49:14 -070025#include <openssl/ec.h>
26#include <openssl/evp.h>
Davide Pesavento368341b2019-08-13 23:57:50 -040027#include <ndn-cxx/encoding/buffer-stream.hpp>
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -070028#include <ndn-cxx/security/transform/base64-decode.hpp>
29#include <ndn-cxx/security/transform/base64-encode.hpp>
30#include <ndn-cxx/security/transform/buffer-source.hpp>
Davide Pesavento368341b2019-08-13 23:57:50 -040031#include <ndn-cxx/security/transform/private-key.hpp>
32#include <ndn-cxx/security/transform/signer-filter.hpp>
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -070033#include <ndn-cxx/security/transform/step-source.hpp>
34#include <ndn-cxx/security/transform/stream-sink.hpp>
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -070035
36namespace ndn {
37namespace ndncert {
38
39const size_t HASH_SIZE = 32;
40
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -070041NDN_LOG_INIT(ndncert.cryptosupport);
42
Zhiyi Zhang63123172020-10-12 14:24:44 -070043struct ECDHState::ECDH_CTX
44{
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -070045 int EC_NID;
46 EVP_PKEY_CTX* ctx_params;
47 EVP_PKEY_CTX* ctx_keygen;
48 EVP_PKEY* privkey;
49 EVP_PKEY* peerkey;
50 EVP_PKEY* params;
51};
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -070052
53ECDHState::ECDHState()
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -070054 : m_publicKeyLen(0)
55 , m_sharedSecretLen(0)
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -070056{
57 OpenSSL_add_all_algorithms();
58 context = std::make_unique<ECDH_CTX>();
59 context->EC_NID = NID_X9_62_prime256v1;
60
61 // Create the context for parameter generation
62 if (nullptr == (context->ctx_params = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, nullptr))) {
63 handleErrors("Could not create context contexts.");
64 return;
65 }
66
67 // Initialise the parameter generation
68 if (EVP_PKEY_paramgen_init(context->ctx_params) != 1) {
69 handleErrors("Could not initialize parameter generation.");
70 return;
71 }
72
73 // We're going to use the ANSI X9.62 Prime 256v1 curve
74 if (1 != EVP_PKEY_CTX_set_ec_paramgen_curve_nid(context->ctx_params, context->EC_NID)) {
75 handleErrors("Likely unknown elliptical curve ID specified.");
76 return;
77 }
78
79 // Create the parameter object params
80 if (!EVP_PKEY_paramgen(context->ctx_params, &context->params)) {
81 // the generated key is written to context->params
82 handleErrors("Could not create parameter object parameters.");
83 return;
84 }
85
86 // Create the context for the key generation
87 if (nullptr == (context->ctx_keygen = EVP_PKEY_CTX_new(context->params, nullptr))) {
88 //The EVP_PKEY_CTX_new() function allocates public key algorithm context using
89 //the algorithm specified in pkey and ENGINE e (in this case nullptr).
90 handleErrors("Could not create the context for the key generation");
91 return;
92 }
93
94 // initializes a public key algorithm context
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -070095 if (1 != EVP_PKEY_keygen_init(context->ctx_keygen)) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -070096 handleErrors("Could not init context for key generation.");
97 return;
98 }
99 if (1 != EVP_PKEY_keygen(context->ctx_keygen, &context->privkey)) {
100 //performs a key generation operation, the generated key is written to context->privkey.
101 handleErrors("Could not generate DHE keys in final step");
102 return;
103 }
104}
105
106ECDHState::~ECDHState()
107{
108 // Contexts
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700109 if (context->ctx_params != nullptr) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700110 EVP_PKEY_CTX_free(context->ctx_params);
111 }
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700112 if (context->ctx_keygen != nullptr) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700113 EVP_PKEY_CTX_free(context->ctx_keygen);
114 }
115
116 // Keys
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700117 if (context->privkey != nullptr) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700118 EVP_PKEY_free(context->privkey);
119 }
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700120 if (context->peerkey != nullptr) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700121 EVP_PKEY_free(context->peerkey);
122 }
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700123 if (context->params != nullptr) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700124 EVP_PKEY_free(context->params);
125 }
126}
127
128uint8_t*
129ECDHState::getRawSelfPubKey()
130{
131 auto privECKey = EVP_PKEY_get1_EC_KEY(context->privkey);
132
133 if (privECKey == nullptr) {
134 handleErrors("Could not get referenced key when calling EVP_PKEY_get1_EC_KEY().");
135 return nullptr;
136 }
137
138 auto ecPoint = EC_KEY_get0_public_key(privECKey);
139 const EC_GROUP* group = EC_KEY_get0_group(privECKey);
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700140 m_publicKeyLen = EC_POINT_point2oct(group, ecPoint, POINT_CONVERSION_COMPRESSED,
141 m_publicKey, 256, nullptr);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700142 EC_KEY_free(privECKey);
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700143 if (m_publicKeyLen == 0) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700144 handleErrors("Could not convert EC_POINTS to octet string when calling EC_POINT_point2oct.");
145 return nullptr;
146 }
147
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700148 return m_publicKey;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700149}
150
151std::string
152ECDHState::getBase64PubKey()
153{
Davide Pesavento368341b2019-08-13 23:57:50 -0400154 namespace t = ndn::security::transform;
155
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700156 if (m_publicKeyLen == 0) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700157 this->getRawSelfPubKey();
158 }
Davide Pesavento368341b2019-08-13 23:57:50 -0400159 std::ostringstream os;
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700160 t::bufferSource(m_publicKey, m_publicKeyLen) >> t::base64Encode(false) >> t::streamSink(os);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700161 return os.str();
162}
163
164uint8_t*
165ECDHState::deriveSecret(const uint8_t* peerkey, int peerKeySize)
166{
167 auto privECKey = EVP_PKEY_get1_EC_KEY(context->privkey);
168
169 if (privECKey == nullptr) {
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800170 handleErrors("Could not get referenced key when calling EVP_PKEY_get1_EC_KEY()");
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700171 return nullptr;
172 }
173
174 auto group = EC_KEY_get0_group(privECKey);
175 auto peerPoint = EC_POINT_new(group);
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800176 int result = EC_POINT_oct2point(group, peerPoint, peerkey, peerKeySize, nullptr);
177 if (result == 0) {
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700178 EC_POINT_free(peerPoint);
179 EC_KEY_free(privECKey);
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800180 handleErrors("Cannot convert peer's key into a EC point when calling EC_POINT_oct2point()");
181 }
182
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700183 if (-1 == (m_sharedSecretLen = ECDH_compute_key(m_sharedSecret, 256, peerPoint, privECKey, nullptr))) {
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800184 EC_POINT_free(peerPoint);
185 EC_KEY_free(privECKey);
186 handleErrors("Cannot generate ECDH secret when calling ECDH_compute_key()");
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700187 }
188 EC_POINT_free(peerPoint);
189 EC_KEY_free(privECKey);
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700190 return m_sharedSecret;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700191}
192
193uint8_t*
194ECDHState::deriveSecret(const std::string& peerKeyStr)
195{
196 namespace t = ndn::security::transform;
Davide Pesavento368341b2019-08-13 23:57:50 -0400197
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700198 OBufferStream os;
Zhiyi Zhang8da54d62019-11-21 00:03:05 -0800199 t::bufferSource(peerKeyStr) >> t::base64Decode(false) >> t::streamSink(os);
Davide Pesavento368341b2019-08-13 23:57:50 -0400200 auto result = os.buf();
201
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700202 return this->deriveSecret(result->data(), result->size());
203}
204
Davide Pesavento368341b2019-08-13 23:57:50 -0400205int
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700206hmac_sha256(const uint8_t* data, const unsigned data_length,
Zhiyi Zhangcfad98d2020-10-11 11:25:14 -0700207 const uint8_t* key, const unsigned key_length,
208 uint8_t* result)
Davide Pesavento368341b2019-08-13 23:57:50 -0400209{
Zhiyi Zhanga2ce5992019-08-14 17:35:00 -0700210 HMAC(EVP_sha256(), key, key_length,
211 (unsigned char*)data, data_length,
Zhiyi Zhanga2c39f72020-10-06 16:45:55 -0700212 (unsigned char*)result, nullptr);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700213 return 0;
214}
215
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700216int
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700217hkdf(const uint8_t* secret, int secret_len, const uint8_t* salt,
218 int salt_len, uint8_t* output, int output_len,
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700219 const uint8_t* info, int info_len)
220{
Davide Pesavento368341b2019-08-13 23:57:50 -0400221 namespace t = ndn::security::transform;
222
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700223 // hkdf generate prk
224 uint8_t prk[HASH_SIZE];
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700225 if (salt_len == 0) {
Zhiyi Zhanga2ce5992019-08-14 17:35:00 -0700226 uint8_t realSalt[HASH_SIZE] = {0};
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700227 hmac_sha256(secret, secret_len, realSalt, HASH_SIZE, prk);
Zhiyi Zhanga2ce5992019-08-14 17:35:00 -0700228 }
229 else {
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700230 hmac_sha256(secret, secret_len, salt, salt_len, prk);
Zhiyi Zhanga2ce5992019-08-14 17:35:00 -0700231 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700232
233 // hkdf expand
234 uint8_t prev[HASH_SIZE] = {0};
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700235 int done_len = 0, dig_len = HASH_SIZE, n = output_len / dig_len;
236 if (output_len % dig_len)
Davide Pesavento368341b2019-08-13 23:57:50 -0400237 n++;
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700238 if (n > 255 || output == nullptr)
Davide Pesavento368341b2019-08-13 23:57:50 -0400239 return 0;
240
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700241 for (int i = 1; i <= n; i++) {
242 size_t copy_len;
243 const uint8_t ctr = i;
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700244
Davide Pesavento368341b2019-08-13 23:57:50 -0400245 t::StepSource source;
246 t::PrivateKey privKey;
247 privKey.loadRaw(KeyType::HMAC, prk, dig_len);
248 OBufferStream os;
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700249 source >> t::signerFilter(DigestAlgorithm::SHA256, privKey) >> t::streamSink(os);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700250
251 if (i > 1) {
252 source.write(prev, dig_len);
253 }
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700254 source.write(info, info_len);
255 source.write(&ctr, 1);
256 source.end();
257
258 auto result = os.buf();
259 memcpy(prev, result->data(), dig_len);
Zhiyi Zhang97bedb82020-10-10 11:11:35 -0700260 copy_len = (done_len + dig_len > output_len) ? output_len - done_len : dig_len;
261 memcpy(output + done_len, prev, copy_len);
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700262 done_len += copy_len;
263 }
264 return done_len;
265}
266
Zhiyi Zhanga67fa462020-04-19 13:48:03 -0700267int
268aes_gcm_128_encrypt(const uint8_t* plaintext, size_t plaintext_len, const uint8_t* associated, size_t associated_len,
269 const uint8_t* key, const uint8_t* iv, uint8_t* ciphertext, uint8_t* tag)
270{
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700271 EVP_CIPHER_CTX* ctx;
Zhiyi Zhanga67fa462020-04-19 13:48:03 -0700272 int len;
273 int ciphertext_len;
274
275 // Create and initialise the context
276 if (!(ctx = EVP_CIPHER_CTX_new())) {
277 handleErrors("Cannot create and initialise the context when calling EVP_CIPHER_CTX_new()");
278 }
279
280 // Initialise the encryption operation.
281 if (1 != EVP_EncryptInit_ex(ctx, EVP_aes_128_gcm(), nullptr, nullptr, nullptr)) {
Zhiyi Zhangb8cb0472020-05-05 20:55:05 -0700282 handleErrors("Cannot initialise the encryption operation when calling EVP_EncryptInit_ex()");
Zhiyi Zhanga67fa462020-04-19 13:48:03 -0700283 }
284
285 // Set IV length if default 12 bytes (96 bits) is not appropriate
286 if (1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 12, nullptr)) {
287 handleErrors("Cannot set IV length when calling EVP_CIPHER_CTX_ctrl()");
288 }
289
290 // Initialise key and IV
291 if (1 != EVP_EncryptInit_ex(ctx, nullptr, nullptr, key, iv)) {
292 handleErrors("Cannot initialize key and IV when calling EVP_EncryptInit_ex()");
293 }
294
295 // Provide any AAD data. This can be called zero or more times as required
296 if (1 != EVP_EncryptUpdate(ctx, nullptr, &len, associated, associated_len)) {
297 handleErrors("Cannot set associated authentication data when calling EVP_EncryptUpdate()");
298 }
299
300 // Provide the message to be encrypted, and obtain the encrypted output.
301 // EVP_EncryptUpdate can be called multiple times if necessary
302 if (1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len)) {
303 handleErrors("Cannot encrypt when calling EVP_EncryptUpdate()");
304 }
305 ciphertext_len = len;
306
307 // Finalise the encryption. Normally ciphertext bytes may be written at
308 // this stage, but this does not occur in GCM mode
309 if (1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len)) {
310 handleErrors("Cannot finalise the encryption when calling EVP_EncryptFinal_ex()");
311 }
312 ciphertext_len += len;
313
314 // Get the tag
315 if (1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag)) {
316 handleErrors("Cannot get tag when calling EVP_CIPHER_CTX_ctrl()");
317 }
318
319 // Clean up
320 EVP_CIPHER_CTX_free(ctx);
321 return ciphertext_len;
322}
323
324int
325aes_gcm_128_decrypt(const uint8_t* ciphertext, size_t ciphertext_len, const uint8_t* associated, size_t associated_len,
326 const uint8_t* tag, const uint8_t* key, const uint8_t* iv, uint8_t* plaintext)
327{
328 EVP_CIPHER_CTX* ctx;
329 int len;
330 int plaintext_len;
331 int ret;
332
333 // Create and initialise the context
334 if (!(ctx = EVP_CIPHER_CTX_new())) {
335 handleErrors("Cannot create and initialise the context when calling EVP_CIPHER_CTX_new()");
336 }
337
338 // Initialise the decryption operation.
339 if (!EVP_DecryptInit_ex(ctx, EVP_aes_128_gcm(), nullptr, nullptr, nullptr)) {
340 handleErrors("Cannot initialise the decryption operation when calling EVP_DecryptInit_ex()");
341 }
342
343 // Set IV length. Not necessary if this is 12 bytes (96 bits)
344 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, 12, nullptr)) {
345 handleErrors("Cannot set IV length when calling EVP_CIPHER_CTX_ctrl");
346 }
347
348 // Initialise key and IV
349 if (!EVP_DecryptInit_ex(ctx, nullptr, nullptr, key, iv)) {
350 handleErrors("Cannot initialise key and IV when calling EVP_DecryptInit_ex()");
351 }
352
353 // Provide any AAD data. This can be called zero or more times as required
354 if (!EVP_DecryptUpdate(ctx, nullptr, &len, associated, associated_len)) {
355 handleErrors("Cannot set associated authentication data when calling EVP_EncryptUpdate()");
356 }
357
358 // Provide the message to be decrypted, and obtain the plaintext output.
359 // EVP_DecryptUpdate can be called multiple times if necessary
360 if (!EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len)) {
361 handleErrors("Cannot decrypt when calling EVP_DecryptUpdate()");
362 }
363 plaintext_len = len;
364
365 // Set expected tag value. Works in OpenSSL 1.0.1d and later
366 if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void*)tag)) {
367 handleErrors("Cannot set tag value when calling EVP_CIPHER_CTX_ctrl");
368 }
369
370 // Finalise the decryption. A positive return value indicates success,
371 // anything else is a failure - the plaintext is not trustworthy.
372 ret = EVP_DecryptFinal_ex(ctx, plaintext + len, &len);
373
374 // Clean up
375 EVP_CIPHER_CTX_free(ctx);
376
377 if (ret > 0) {
378 // Success
379 plaintext_len += len;
380 return plaintext_len;
381 }
382 else {
383 // Verify failed
384 return -1;
385 }
386}
387
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700388void
389handleErrors(const std::string& errorInfo)
390{
Zhiyi Zhangd61b4a82020-10-10 15:18:43 -0700391 NDN_LOG_DEBUG("Error in CRYPTO SUPPORT " << errorInfo);
Zhiyi Zhangccd5a0c2020-10-12 13:48:16 -0700392 NDN_THROW(std::runtime_error("Error in CRYPTO SUPPORT: " + errorInfo));
Zhiyi Zhangaf7c2902019-03-14 22:13:21 -0700393}
394
Zhiyi Zhange4891b72020-10-10 15:11:57 -0700395} // namespace ndncert
396} // namespace ndn