Holger Hildebrandt | fa07499 | 2020-03-27 15:42:06 +0000 | [diff] [blame] | 1 | // Package rfc8009 provides encryption and checksum methods as specified in RFC 8009 |
| 2 | package rfc8009 |
| 3 | |
| 4 | import ( |
| 5 | "crypto/aes" |
| 6 | "crypto/hmac" |
| 7 | "crypto/rand" |
| 8 | "errors" |
| 9 | "fmt" |
| 10 | |
| 11 | "gopkg.in/jcmturner/aescts.v1" |
| 12 | "gopkg.in/jcmturner/gokrb5.v7/crypto/common" |
| 13 | "gopkg.in/jcmturner/gokrb5.v7/crypto/etype" |
| 14 | "gopkg.in/jcmturner/gokrb5.v7/iana/etypeID" |
| 15 | ) |
| 16 | |
| 17 | // EncryptData encrypts the data provided using methods specific to the etype provided as defined in RFC 8009. |
| 18 | func EncryptData(key, data []byte, e etype.EType) ([]byte, []byte, error) { |
| 19 | kl := e.GetKeyByteSize() |
| 20 | if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 { |
| 21 | kl = 32 |
| 22 | } |
| 23 | if len(key) != kl { |
| 24 | return []byte{}, []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", e.GetKeyByteSize(), len(key)) |
| 25 | } |
| 26 | ivz := make([]byte, aes.BlockSize) |
| 27 | return aescts.Encrypt(key, ivz, data) |
| 28 | } |
| 29 | |
| 30 | // EncryptMessage encrypts the message provided using the methods specific to the etype provided as defined in RFC 8009. |
| 31 | // The encrypted data is concatenated with its integrity hash to create an encrypted message. |
| 32 | func EncryptMessage(key, message []byte, usage uint32, e etype.EType) ([]byte, []byte, error) { |
| 33 | kl := e.GetKeyByteSize() |
| 34 | if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 { |
| 35 | kl = 32 |
| 36 | } |
| 37 | if len(key) != kl { |
| 38 | return []byte{}, []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", kl, len(key)) |
| 39 | } |
| 40 | if len(key) != e.GetKeyByteSize() { |
| 41 | } |
| 42 | //confounder |
| 43 | c := make([]byte, e.GetConfounderByteSize()) |
| 44 | _, err := rand.Read(c) |
| 45 | if err != nil { |
| 46 | return []byte{}, []byte{}, fmt.Errorf("could not generate random confounder: %v", err) |
| 47 | } |
| 48 | plainBytes := append(c, message...) |
| 49 | |
| 50 | // Derive key for encryption from usage |
| 51 | var k []byte |
| 52 | if usage != 0 { |
| 53 | k, err = e.DeriveKey(key, common.GetUsageKe(usage)) |
| 54 | if err != nil { |
| 55 | return []byte{}, []byte{}, fmt.Errorf("error deriving key for encryption: %v", err) |
| 56 | } |
| 57 | } |
| 58 | |
| 59 | // Encrypt the data |
| 60 | iv, b, err := e.EncryptData(k, plainBytes) |
| 61 | if err != nil { |
| 62 | return iv, b, fmt.Errorf("error encrypting data: %v", err) |
| 63 | } |
| 64 | |
| 65 | ivz := make([]byte, e.GetConfounderByteSize()) |
| 66 | ih, err := GetIntegityHash(ivz, b, key, usage, e) |
| 67 | if err != nil { |
| 68 | return iv, b, fmt.Errorf("error encrypting data: %v", err) |
| 69 | } |
| 70 | b = append(b, ih...) |
| 71 | return iv, b, nil |
| 72 | } |
| 73 | |
| 74 | // DecryptData decrypts the data provided using the methods specific to the etype provided as defined in RFC 8009. |
| 75 | func DecryptData(key, data []byte, e etype.EType) ([]byte, error) { |
| 76 | kl := e.GetKeyByteSize() |
| 77 | if e.GetETypeID() == etypeID.AES256_CTS_HMAC_SHA384_192 { |
| 78 | kl = 32 |
| 79 | } |
| 80 | if len(key) != kl { |
| 81 | return []byte{}, fmt.Errorf("incorrect keysize: expected: %v actual: %v", kl, len(key)) |
| 82 | } |
| 83 | ivz := make([]byte, aes.BlockSize) |
| 84 | return aescts.Decrypt(key, ivz, data) |
| 85 | } |
| 86 | |
| 87 | // DecryptMessage decrypts the message provided using the methods specific to the etype provided as defined in RFC 8009. |
| 88 | // The integrity of the message is also verified. |
| 89 | func DecryptMessage(key, ciphertext []byte, usage uint32, e etype.EType) ([]byte, error) { |
| 90 | //Derive the key |
| 91 | k, err := e.DeriveKey(key, common.GetUsageKe(usage)) |
| 92 | if err != nil { |
| 93 | return nil, fmt.Errorf("error deriving key: %v", err) |
| 94 | } |
| 95 | // Strip off the checksum from the end |
| 96 | b, err := e.DecryptData(k, ciphertext[:len(ciphertext)-e.GetHMACBitLength()/8]) |
| 97 | if err != nil { |
| 98 | return nil, err |
| 99 | } |
| 100 | //Verify checksum |
| 101 | if !e.VerifyIntegrity(key, ciphertext, b, usage) { |
| 102 | return nil, errors.New("integrity verification failed") |
| 103 | } |
| 104 | //Remove the confounder bytes |
| 105 | return b[e.GetConfounderByteSize():], nil |
| 106 | } |
| 107 | |
| 108 | // GetIntegityHash returns a keyed integrity hash of the bytes provided as defined in RFC 8009 |
| 109 | func GetIntegityHash(iv, c, key []byte, usage uint32, e etype.EType) ([]byte, error) { |
| 110 | // Generate and append integrity hash |
| 111 | // The HMAC is calculated over the cipher state concatenated with the |
| 112 | // AES output, instead of being calculated over the confounder and |
| 113 | // plaintext. This allows the message receiver to verify the |
| 114 | // integrity of the message before decrypting the message. |
| 115 | // H = HMAC(Ki, IV | C) |
| 116 | ib := append(iv, c...) |
| 117 | return common.GetIntegrityHash(ib, key, usage, e) |
| 118 | } |
| 119 | |
| 120 | // VerifyIntegrity verifies the integrity of cipertext bytes ct. |
| 121 | func VerifyIntegrity(key, ct []byte, usage uint32, etype etype.EType) bool { |
| 122 | h := make([]byte, etype.GetHMACBitLength()/8) |
| 123 | copy(h, ct[len(ct)-etype.GetHMACBitLength()/8:]) |
| 124 | ivz := make([]byte, etype.GetConfounderByteSize()) |
| 125 | ib := append(ivz, ct[:len(ct)-(etype.GetHMACBitLength()/8)]...) |
| 126 | expectedMAC, _ := common.GetIntegrityHash(ib, key, usage, etype) |
| 127 | return hmac.Equal(h, expectedMAC) |
| 128 | } |