diff --git a/src/crypto/index.js b/src/crypto/index.js index 4c0178a4..0626df39 100644 --- a/src/crypto/index.js +++ b/src/crypto/index.js @@ -14,6 +14,7 @@ import hash from './hash'; import cfb from './cfb'; import gcm from './gcm'; import eax from './eax'; +import ocb from './ocb'; import publicKey from './public_key'; import signature from './signature'; import random from './random'; @@ -34,6 +35,8 @@ const mod = { gcm: gcm, /** @see module:crypto/eax */ eax: eax, + /** @see module:crypto/ocb */ + ocb: ocb, /** @see module:crypto/public_key */ publicKey: publicKey, /** @see module:crypto/signature */ diff --git a/src/crypto/ocb.js b/src/crypto/ocb.js new file mode 100644 index 00000000..c0467772 --- /dev/null +++ b/src/crypto/ocb.js @@ -0,0 +1,312 @@ +// OpenPGP.js - An OpenPGP implementation in javascript +// Copyright (C) 2018 ProtonTech AG +// +// This library is free software; you can redistribute it and/or +// modify it under the terms of the GNU Lesser General Public +// License as published by the Free Software Foundation; either +// version 3.0 of the License, or (at your option) any later version. +// +// This library is distributed in the hope that it will be useful, +// but WITHOUT ANY WARRANTY; without even the implied warranty of +// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +// Lesser General Public License for more details. +// +// You should have received a copy of the GNU Lesser General Public +// License along with this library; if not, write to the Free Software +// Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + +/** + * @fileoverview This module implements AES-OCB en/decryption. + * @requires crypto/cipher + * @requires util + * @module crypto/ocb + */ + +import ciphers from './cipher'; +import util from '../util'; + + +const blockLength = 16; +const ivLength = 15; + +// https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2: +// While OCB [RFC7253] allows the authentication tag length to be of any +// number up to 128 bits long, this document requires a fixed +// authentication tag length of 128 bits (16 octets) for simplicity. +const tagLength = 16; + + +const { shiftLeft, shiftRight } = util; + + +function zeros(bytes) { + return new Uint8Array(bytes); +} + +function ntz(n) { + let ntz = 0; + for(let i = 1; (n & i) === 0; i <<= 1) { + ntz++; + } + return ntz; +} + +function set_xor(S, T) { + for (let i = 0; i < S.length; i++) { + S[i] ^= T[i]; + } + return S; +} + +function xor(S, T) { + return set_xor(S.slice(), T); +} + +function concat(...arrays) { + return util.concatUint8Array(arrays); +} + +function double(S) { + const double = S.slice(); + shiftLeft(double, 1); + if (S[0] & 0b10000000) { + double[15] ^= 0b10000111; + } + return double; +} + + +function constructKeyVariables(cipher, key, text, adata) { + const aes = new ciphers[cipher](key); + const encipher = aes.encrypt.bind(aes); + const decipher = aes.decrypt.bind(aes); + + const L_x = encipher(zeros(16)); + const L_$ = double(L_x); + const L = []; + L[0] = double(L_$); + + const max_ntz = util.nbits(Math.max(text.length, adata.length) >> 4) - 1; + for (let i = 1; i <= max_ntz; i++) { + L[i] = double(L[i - 1]); + } + + L.x = L_x; + L.$ = L_$; + + return { encipher, decipher, L }; +} + +function hash(kv, key, adata) { + if (!adata.length) { + // Fast path + return zeros(16); + } + + const { encipher, L } = kv; + + // + // Consider A as a sequence of 128-bit blocks + // + const m = adata.length >> 4; + + const offset = zeros(16); + const sum = zeros(16); + for (let i = 0; i < m; i++) { + set_xor(offset, L[ntz(i + 1)]); + set_xor(sum, encipher(xor(offset, adata))); + adata = adata.subarray(16); + } + + // + // Process any final partial block; compute final hash value + // + if (adata.length) { + set_xor(offset, L.x); + + const cipherInput = zeros(16); + cipherInput.set(adata, 0); + cipherInput[adata.length] = 0b10000000; + set_xor(cipherInput, offset); + + set_xor(sum, encipher(cipherInput)); + } + + return sum; +} + + +/** + * Encrypt plaintext input. + * @param {String} cipher The symmetric cipher algorithm to use e.g. 'aes128' + * @param {Uint8Array} plaintext The cleartext input to be encrypted + * @param {Uint8Array} key The encryption key + * @param {Uint8Array} nonce The nonce (15 bytes) + * @param {Uint8Array} adata Associated data to sign + * @returns {Promise} The ciphertext output + */ +async function encrypt(cipher, plaintext, key, nonce, adata) { + // + // Consider P as a sequence of 128-bit blocks + // + const m = plaintext.length >> 4; + + // + // Key-dependent variables + // + const kv = constructKeyVariables(cipher, key, plaintext, adata); + const { encipher, L } = kv; + + // + // Nonce-dependent and per-encryption variables + // + // We assume here that TAGLEN mod 128 == 0 (tagLength === 16). + const Nonce = concat(zeros(15 - nonce.length), new Uint8Array([1]), nonce); + const bottom = Nonce[15] & 0b111111; + Nonce[15] &= 0b11000000; + const Ktop = encipher(Nonce); + const Stretch = concat(Ktop, xor(Ktop.subarray(0, 8), Ktop.subarray(1, 9))); + // Offset_0 = Stretch[1+bottom..128+bottom] + const offset = shiftRight(Stretch.subarray(0 + (bottom >> 3), 17 + (bottom >> 3)), 8 - (bottom & 7)).subarray(1); + const checksum = zeros(16); + + const C = new Uint8Array(plaintext.length + tagLength); + + // + // Process any whole blocks + // + let i; + let pos = 0; + for (i = 0; i < m; i++) { + set_xor(offset, L[ntz(i + 1)]); + C.set(xor(offset, encipher(xor(offset, plaintext))), pos); + set_xor(checksum, plaintext); + + plaintext = plaintext.subarray(16); + pos += 16; + } + + // + // Process any final partial block and compute raw tag + // + if (plaintext.length) { + set_xor(offset, L.x); + const Pad = encipher(offset); + C.set(xor(plaintext, Pad), pos); + + // Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) + const xorInput = zeros(16); + xorInput.set(plaintext, 0); + xorInput[plaintext.length] = 0b10000000; + set_xor(checksum, xorInput); + pos += plaintext.length; + } + const Tag = xor(encipher(xor(xor(checksum, offset), L.$)), hash(kv, key, adata)); + + // + // Assemble ciphertext + // + C.set(Tag, pos); + return C; +} + + +/** + * Decrypt ciphertext input. + * @param {String} cipher The symmetric cipher algorithm to use e.g. 'aes128' + * @param {Uint8Array} ciphertext The ciphertext input to be decrypted + * @param {Uint8Array} key The encryption key + * @param {Uint8Array} nonce The nonce (15 bytes) + * @param {Uint8Array} adata Associated data to verify + * @returns {Promise} The plaintext output + */ +async function decrypt(cipher, ciphertext, key, nonce, adata) { + // + // Consider C as a sequence of 128-bit blocks + // + const T = ciphertext.subarray(ciphertext.length - tagLength); + ciphertext = ciphertext.subarray(0, ciphertext.length - tagLength); + const m = ciphertext.length >> 4; + + // + // Key-dependent variables + // + const kv = constructKeyVariables(cipher, key, ciphertext, adata); + const { encipher, decipher, L } = kv; + + // + // Nonce-dependent and per-encryption variables + // + // We assume here that TAGLEN mod 128 == 0 (tagLength === 16). + const Nonce = concat(zeros(15 - nonce.length), new Uint8Array([1]), nonce); + const bottom = Nonce[15] & 0b111111; + Nonce[15] &= 0b11000000; + const Ktop = encipher(Nonce); + const Stretch = concat(Ktop, xor(Ktop.subarray(0, 8), Ktop.subarray(1, 9))); + // Offset_0 = Stretch[1+bottom..128+bottom] + const offset = shiftRight(Stretch.subarray(0 + (bottom >> 3), 17 + (bottom >> 3)), 8 - (bottom & 7)).subarray(1); + const checksum = zeros(16); + + const P = new Uint8Array(ciphertext.length); + + // + // Process any whole blocks + // + let i; + let pos = 0; + for (i = 0; i < m; i++) { + set_xor(offset, L[ntz(i + 1)]); + P.set(xor(offset, decipher(xor(offset, ciphertext))), pos); + set_xor(checksum, P.subarray(pos)); + + ciphertext = ciphertext.subarray(16); + pos += 16; + } + + // + // Process any final partial block and compute raw tag + // + if (ciphertext.length) { + set_xor(offset, L.x); + const Pad = encipher(offset); + P.set(xor(ciphertext, Pad), pos); + + // Checksum_* = Checksum_m xor (P_* || 1 || zeros(127-bitlen(P_*))) + const xorInput = zeros(16); + xorInput.set(P.subarray(pos), 0); + xorInput[ciphertext.length] = 0b10000000; + set_xor(checksum, xorInput); + pos += ciphertext.length; + } + const Tag = xor(encipher(xor(xor(checksum, offset), L.$)), hash(kv, key, adata)); + + // + // Check for validity and assemble plaintext + // + if (!util.equalsUint8Array(Tag, T)) { + throw new Error('Authentication tag mismatch in OCB ciphertext'); + } + return P; +} + +/** + * Get OCB nonce as defined by {@link https://tools.ietf.org/html/draft-ietf-openpgp-rfc4880bis-04#section-5.16.2|RFC4880bis-04, section 5.16.2}. + * @param {Uint8Array} iv The initialization vector (15 bytes) + * @param {Uint8Array} chunkIndex The chunk index (8 bytes) + */ +function getNonce(iv, chunkIndex) { + const nonce = iv.slice(); + for (let i = 0; i < chunkIndex.length; i++) { + nonce[7 + i] ^= chunkIndex[i]; + } + return nonce; +} + + +export default { + blockLength, + ivLength, + encrypt, + decrypt, + getNonce +}; diff --git a/test/crypto/index.js b/test/crypto/index.js index 9fc50442..762d9c95 100644 --- a/test/crypto/index.js +++ b/test/crypto/index.js @@ -7,4 +7,5 @@ describe('Crypto', function () { require('./pkcs5.js'); require('./aes_kw.js'); require('./eax.js'); + require('./ocb.js'); }); diff --git a/test/crypto/ocb.js b/test/crypto/ocb.js new file mode 100644 index 00000000..a3358913 --- /dev/null +++ b/test/crypto/ocb.js @@ -0,0 +1,152 @@ +// Modified by ProtonTech AG + +// Adapted from https://github.com/artjomb/cryptojs-extension/blob/8c61d159/test/eax.js + +const openpgp = typeof window !== 'undefined' && window.openpgp ? window.openpgp : require('../../dist/openpgp'); + +const chai = require('chai'); +chai.use(require('chai-as-promised')); + +const expect = chai.expect; + +const ocb = openpgp.crypto.ocb; + +describe('Symmetric AES-OCB', function() { + it('Passes all test vectors', async function() { + const K = '000102030405060708090A0B0C0D0E0F'; + const keyBytes = openpgp.util.hex_to_Uint8Array(K); + + var vectors = [ + // From https://tools.ietf.org/html/rfc7253#appendix-A + { + N: 'BBAA99887766554433221100', + A: '', + P: '', + C: '785407BFFFC8AD9EDCC5520AC9111EE6' + }, + { + N: 'BBAA99887766554433221101', + A: '0001020304050607', + P: '0001020304050607', + C: '6820B3657B6F615A5725BDA0D3B4EB3A257C9AF1F8F03009' + }, + { + N: 'BBAA99887766554433221102', + A: '0001020304050607', + P: '', + C: '81017F8203F081277152FADE694A0A00' + }, + { + N: 'BBAA99887766554433221103', + A: '', + P: '0001020304050607', + C: '45DD69F8F5AAE72414054CD1F35D82760B2CD00D2F99BFA9' + }, + { + N: 'BBAA99887766554433221104', + A: '000102030405060708090A0B0C0D0E0F', + P: '000102030405060708090A0B0C0D0E0F', + C: '571D535B60B277188BE5147170A9A22C3AD7A4FF3835B8C5701C1CCEC8FC3358' + }, + { + N: 'BBAA99887766554433221105', + A: '000102030405060708090A0B0C0D0E0F', + P: '', + C: '8CF761B6902EF764462AD86498CA6B97' + }, + { + N: 'BBAA99887766554433221106', + A: '', + P: '000102030405060708090A0B0C0D0E0F', + C: '5CE88EC2E0692706A915C00AEB8B2396F40E1C743F52436BDF06D8FA1ECA343D' + }, + { + N: 'BBAA99887766554433221107', + A: '000102030405060708090A0B0C0D0E0F1011121314151617', + P: '000102030405060708090A0B0C0D0E0F1011121314151617', + C: '1CA2207308C87C010756104D8840CE1952F09673A448A122C92C62241051F57356D7F3C90BB0E07F' + }, + { + N: 'BBAA99887766554433221108', + A: '000102030405060708090A0B0C0D0E0F1011121314151617', + P: '', + C: '6DC225A071FC1B9F7C69F93B0F1E10DE' + }, + { + N: 'BBAA99887766554433221109', + A: '', + P: '000102030405060708090A0B0C0D0E0F1011121314151617', + C: '221BD0DE7FA6FE993ECCD769460A0AF2D6CDED0C395B1C3CE725F32494B9F914D85C0B1EB38357FF' + }, + { + N: 'BBAA9988776655443322110A', + A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F', + P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F', + C: 'BD6F6C496201C69296C11EFD138A467ABD3C707924B964DEAFFC40319AF5A48540FBBA186C5553C68AD9F592A79A4240' + }, + { + N: 'BBAA9988776655443322110B', + A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F', + P: '', + C: 'FE80690BEE8A485D11F32965BC9D2A32' + }, + { + N: 'BBAA9988776655443322110C', + A: '', + P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F', + C: '2942BFC773BDA23CABC6ACFD9BFD5835BD300F0973792EF46040C53F1432BCDFB5E1DDE3BC18A5F840B52E653444D5DF' + }, + { + N: 'BBAA9988776655443322110D', + A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627', + P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627', + C: 'D5CA91748410C1751FF8A2F618255B68A0A12E093FF454606E59F9C1D0DDC54B65E8628E568BAD7AED07BA06A4A69483A7035490C5769E60' + }, + { + N: 'BBAA9988776655443322110E', + A: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627', + P: '', + C: 'C5CD9D1850C141E358649994EE701B68' + }, + { + N: 'BBAA9988776655443322110F', + A: '', + P: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F2021222324252627', + C: '4412923493C57D5DE0D700F753CCE0D1D2D95060122E9F15A5DDBFC5787E50B5CC55EE507BCB084E479AD363AC366B95A98CA5F3000B1479' + } + ]; + + const cipher = 'aes128'; + + for(const [i, vec] of vectors.entries()) { + const msgBytes = openpgp.util.hex_to_Uint8Array(vec.P), + nonceBytes = openpgp.util.hex_to_Uint8Array(vec.N), + headerBytes = openpgp.util.hex_to_Uint8Array(vec.A), + ctBytes = openpgp.util.hex_to_Uint8Array(vec.C); + + // encryption test + let ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, headerBytes); + expect(openpgp.util.Uint8Array_to_hex(ct)).to.equal(vec.C.toLowerCase()); + + // decryption test with verification + let pt = await ocb.decrypt(cipher, ctBytes, keyBytes, nonceBytes, headerBytes); + expect(openpgp.util.Uint8Array_to_hex(pt)).to.equal(vec.P.toLowerCase()); + + // tampering detection test + ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, headerBytes); + ct[2] ^= 8; + pt = ocb.decrypt(cipher, ct, keyBytes, nonceBytes, headerBytes); + await expect(pt).to.eventually.be.rejectedWith('Authentication tag mismatch in OCB ciphertext') + + // testing without additional data + ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, new Uint8Array()); + pt = await ocb.decrypt(cipher, ct, keyBytes, nonceBytes, new Uint8Array()); + expect(openpgp.util.Uint8Array_to_hex(pt)).to.equal(vec.P.toLowerCase()); + + // testing with multiple additional data + ct = await ocb.encrypt(cipher, msgBytes, keyBytes, nonceBytes, openpgp.util.concatUint8Array([headerBytes, headerBytes, headerBytes])); + pt = await ocb.decrypt(cipher, ct, keyBytes, nonceBytes, openpgp.util.concatUint8Array([headerBytes, headerBytes, headerBytes])); + expect(openpgp.util.Uint8Array_to_hex(pt)).to.equal(vec.P.toLowerCase()); + } + }); +});