Botan 3.5.0
Crypto and TLS for C&
sm2_enc.cpp
Go to the documentation of this file.
1/*
2* SM2 Encryption
3* (C) 2017 Ribose Inc
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/sm2.h>
9
10#include <botan/ber_dec.h>
11#include <botan/der_enc.h>
12#include <botan/hash.h>
13#include <botan/kdf.h>
14#include <botan/pk_ops.h>
15#include <botan/internal/ct_utils.h>
16#include <botan/internal/fmt.h>
17#include <botan/internal/point_mul.h>
18
19namespace Botan {
20
21namespace {
22
23class SM2_Encryption_Operation final : public PK_Ops::Encryption {
24 public:
25 SM2_Encryption_Operation(const SM2_Encryption_PublicKey& key,
26 RandomNumberGenerator& rng,
27 std::string_view kdf_hash) :
28 m_group(key.domain()), m_ws(EC_Point::WORKSPACE_SIZE), m_mul_public_point(key.public_point(), rng, m_ws) {
29 m_hash = HashFunction::create_or_throw(kdf_hash);
30
31 const std::string kdf_name = fmt("KDF2({})", kdf_hash);
32 m_kdf = KDF::create_or_throw(kdf_name);
33 }
34
35 size_t max_input_bits() const override {
36 // This is arbitrary, but assumes SM2 is used for key encapsulation
37 return 512;
38 }
39
40 size_t ciphertext_length(size_t ptext_len) const override {
41 const size_t elem_size = m_group.get_order_bytes();
42 const size_t der_overhead = 16;
43
44 return der_overhead + 2 * elem_size + m_hash->output_length() + ptext_len;
45 }
46
47 secure_vector<uint8_t> encrypt(const uint8_t msg[], size_t msg_len, RandomNumberGenerator& rng) override {
48 const BigInt k = m_group.random_scalar(rng);
49
50 const EC_Point C1 = m_group.blinded_base_point_multiply(k, rng, m_ws);
51 const BigInt x1 = C1.get_affine_x();
52 const BigInt y1 = C1.get_affine_y();
53
54 const EC_Point kPB = m_mul_public_point.mul(k, rng, m_group.get_order(), m_ws);
55
56 const auto x2_bytes = kPB.x_bytes();
57 const auto y2_bytes = kPB.y_bytes();
58
59 secure_vector<uint8_t> kdf_input;
60 kdf_input += x2_bytes;
61 kdf_input += y2_bytes;
62
63 const secure_vector<uint8_t> kdf_output = m_kdf->derive_key(msg_len, kdf_input.data(), kdf_input.size());
64
65 std::vector<uint8_t> masked_msg(msg_len);
66 xor_buf(masked_msg.data(), msg, kdf_output.data(), msg_len);
67
68 m_hash->update(x2_bytes);
69 m_hash->update(msg, msg_len);
70 m_hash->update(y2_bytes);
71 const auto C3 = m_hash->final<std::vector<uint8_t>>();
72
73 return DER_Encoder()
74 .start_sequence()
75 .encode(x1)
76 .encode(y1)
77 .encode(C3, ASN1_Type::OctetString)
78 .encode(masked_msg, ASN1_Type::OctetString)
79 .end_cons()
80 .get_contents();
81 }
82
83 private:
84 const EC_Group m_group;
85 std::unique_ptr<HashFunction> m_hash;
86 std::unique_ptr<KDF> m_kdf;
87 std::vector<BigInt> m_ws;
88 EC_Point_Var_Point_Precompute m_mul_public_point;
89};
90
91class SM2_Decryption_Operation final : public PK_Ops::Decryption {
92 public:
93 SM2_Decryption_Operation(const SM2_Encryption_PrivateKey& key,
94 RandomNumberGenerator& rng,
95 std::string_view kdf_hash) :
96 m_key(key), m_rng(rng) {
97 m_hash = HashFunction::create_or_throw(kdf_hash);
98
99 const std::string kdf_name = fmt("KDF2({})", kdf_hash);
100 m_kdf = KDF::create_or_throw(kdf_name);
101 }
102
103 size_t plaintext_length(size_t ptext_len) const override {
104 /*
105 * This ignores the DER encoding and so overestimates the
106 * plaintext length by 12 bytes or so
107 */
108 const size_t elem_size = m_key.domain().get_order_bytes();
109
110 if(ptext_len < 2 * elem_size + m_hash->output_length()) {
111 return 0;
112 }
113
114 return ptext_len - (2 * elem_size + m_hash->output_length());
115 }
116
117 secure_vector<uint8_t> decrypt(uint8_t& valid_mask, const uint8_t ciphertext[], size_t ciphertext_len) override {
118 const EC_Group& group = m_key.domain();
119 const BigInt& cofactor = group.get_cofactor();
120 const size_t p_bytes = group.get_p_bytes();
121
122 valid_mask = 0x00;
123
124 // Too short to be valid - no timing problem from early return
125 if(ciphertext_len < 1 + p_bytes * 2 + m_hash->output_length()) {
126 return secure_vector<uint8_t>();
127 }
128
129 BigInt x1, y1;
130 secure_vector<uint8_t> C3, masked_msg;
131
132 BER_Decoder(ciphertext, ciphertext_len)
133 .start_sequence()
134 .decode(x1)
135 .decode(y1)
136 .decode(C3, ASN1_Type::OctetString)
137 .decode(masked_msg, ASN1_Type::OctetString)
138 .end_cons()
139 .verify_end();
140
141 std::vector<uint8_t> recode_ctext;
142 DER_Encoder(recode_ctext)
143 .start_sequence()
144 .encode(x1)
145 .encode(y1)
146 .encode(C3, ASN1_Type::OctetString)
147 .encode(masked_msg, ASN1_Type::OctetString)
148 .end_cons();
149
150 if(recode_ctext.size() != ciphertext_len) {
151 return secure_vector<uint8_t>();
152 }
153
154 if(CT::is_equal(recode_ctext.data(), ciphertext, ciphertext_len).as_bool() == false) {
155 return secure_vector<uint8_t>();
156 }
157
158 EC_Point C1 = group.point(x1, y1);
159 C1.randomize_repr(m_rng);
160
161 // Here C1 is publically invalid, so no problem with early return:
162 if(!C1.on_the_curve()) {
163 return secure_vector<uint8_t>();
164 }
165
166 if(cofactor > 1 && (C1 * cofactor).is_zero()) {
167 return secure_vector<uint8_t>();
168 }
169
170 const EC_Point dbC1 = group.blinded_var_point_multiply(C1, m_key.private_value(), m_rng, m_ws);
171
172 const auto x2_bytes = dbC1.x_bytes();
173 const auto y2_bytes = dbC1.y_bytes();
174
175 secure_vector<uint8_t> kdf_input;
176 kdf_input += x2_bytes;
177 kdf_input += y2_bytes;
178
179 const secure_vector<uint8_t> kdf_output =
180 m_kdf->derive_key(masked_msg.size(), kdf_input.data(), kdf_input.size());
181
182 xor_buf(masked_msg.data(), kdf_output.data(), kdf_output.size());
183
184 m_hash->update(x2_bytes);
185 m_hash->update(masked_msg);
186 m_hash->update(y2_bytes);
187 secure_vector<uint8_t> u = m_hash->final();
188
189 if(!CT::is_equal(u.data(), C3.data(), m_hash->output_length()).as_bool()) {
190 return secure_vector<uint8_t>();
191 }
192
193 valid_mask = 0xFF;
194 return masked_msg;
195 }
196
197 private:
198 const SM2_Encryption_PrivateKey& m_key;
199 RandomNumberGenerator& m_rng;
200 std::vector<BigInt> m_ws;
201 std::unique_ptr<HashFunction> m_hash;
202 std::unique_ptr<KDF> m_kdf;
203};
204
205} // namespace
206
207std::unique_ptr<PK_Ops::Encryption> SM2_PublicKey::create_encryption_op(RandomNumberGenerator& rng,
208 std::string_view params,
209 std::string_view provider) const {
210 if(provider == "base" || provider.empty()) {
211 if(params.empty()) {
212 return std::make_unique<SM2_Encryption_Operation>(*this, rng, "SM3");
213 } else {
214 return std::make_unique<SM2_Encryption_Operation>(*this, rng, params);
215 }
216 }
217
218 throw Provider_Not_Found(algo_name(), provider);
219}
220
221std::unique_ptr<PK_Ops::Decryption> SM2_PrivateKey::create_decryption_op(RandomNumberGenerator& rng,
222 std::string_view params,
223 std::string_view provider) const {
224 if(provider == "base" || provider.empty()) {
225 if(params.empty()) {
226 return std::make_unique<SM2_Decryption_Operation>(*this, rng, "SM3");
227 } else {
228 return std::make_unique<SM2_Decryption_Operation>(*this, rng, params);
229 }
230 }
231
232 throw Provider_Not_Found(algo_name(), provider);
233}
234
235} // namespace Botan
static std::unique_ptr< HashFunction > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition hash.cpp:298
static std::unique_ptr< KDF > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition kdf.cpp:199
std::unique_ptr< PK_Ops::Decryption > create_decryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition sm2_enc.cpp:221
std::unique_ptr< PK_Ops::Encryption > create_encryption_op(RandomNumberGenerator &rng, std::string_view params, std::string_view provider) const override
Definition sm2_enc.cpp:207
std::string algo_name() const override
Definition sm2.cpp:21
int(* final)(unsigned char *, CTX *)
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:486
std::string encrypt(const uint8_t input[], size_t input_len, std::string_view passphrase, RandomNumberGenerator &rng)
Definition cryptobox.cpp:42
std::string decrypt(const uint8_t input[], size_t input_len, std::string_view passphrase)
SM2_PublicKey SM2_Encryption_PublicKey
Definition sm2.h:114
std::string fmt(std::string_view format, const T &... args)
Definition fmt.h:53
SM2_PrivateKey SM2_Encryption_PrivateKey
Definition sm2.h:117
constexpr void xor_buf(ranges::contiguous_output_range< uint8_t > auto &&out, ranges::contiguous_range< uint8_t > auto &&in)
Definition mem_ops.h:341
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61