sm9: ErrDecryption, avoid adaptive attacks

Sun Yimin 2022-12-06 08:54:53 +08:00 committed by GitHub
parent 32acdfea7e
commit 97e419809e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -353,10 +353,14 @@ func UnmarshalSM9KeyPackage(der []byte) ([]byte, *bn256.G1, error) {
return key, g, nil return key, g, nil
} }
// ErrDecryption represents a failure to decrypt a message.
// It is deliberately vague to avoid adaptive attacks.
var ErrDecryption = errors.New("sm9: decryption error")
// UnwrapKey unwrap key from cipher, user id and aligned key length // UnwrapKey unwrap key from cipher, user id and aligned key length
func UnwrapKey(priv *EncryptPrivateKey, uid []byte, cipher *bn256.G1, kLen int) ([]byte, error) { func UnwrapKey(priv *EncryptPrivateKey, uid []byte, cipher *bn256.G1, kLen int) ([]byte, error) {
if !cipher.IsOnCurve() { if !cipher.IsOnCurve() {
return nil, errors.New("sm9: invalid cipher, it's NOT on curve") return nil, ErrDecryption
} }
w := bn256.Pair(cipher, priv.PrivateKey) w := bn256.Pair(cipher, priv.PrivateKey)
@ -368,7 +372,7 @@ func UnwrapKey(priv *EncryptPrivateKey, uid []byte, cipher *bn256.G1, kLen int)
key := kdf.Kdf(sm3.New(), buffer, kLen) key := kdf.Kdf(sm3.New(), buffer, kLen)
if subtle.ConstantTimeAllZero(key) { if subtle.ConstantTimeAllZero(key) {
return nil, errors.New("sm9: invalid cipher") return nil, ErrDecryption
} }
return key, nil return key, nil
} }
@ -379,11 +383,11 @@ func (priv *EncryptPrivateKey) UnwrapKey(uid, cipherDer []byte, kLen int) ([]byt
var bytes []byte var bytes []byte
input := cryptobyte.String(cipherDer) input := cryptobyte.String(cipherDer)
if !input.ReadASN1BitStringAsBytes(&bytes) || !input.Empty() { if !input.ReadASN1BitStringAsBytes(&bytes) || !input.Empty() {
return nil, errors.New("sm9: invalid chipher asn1 data") return nil, ErrDecryption
} }
g, err := unmarshalG1(bytes) g, err := unmarshalG1(bytes)
if err != nil { if err != nil {
return nil, err return nil, ErrDecryption
} }
return UnwrapKey(priv, uid, g, kLen) return UnwrapKey(priv, uid, g, kLen)
} }
@ -439,7 +443,7 @@ func Decrypt(priv *EncryptPrivateKey, uid, ciphertext []byte) ([]byte, error) {
c := &bn256.G1{} c := &bn256.G1{}
c3, err := c.Unmarshal(ciphertext) c3, err := c.Unmarshal(ciphertext)
if err != nil { if err != nil {
return nil, err return nil, ErrDecryption
} }
key, err := UnwrapKey(priv, uid, c, len(c3)) key, err := UnwrapKey(priv, uid, c, len(c3))
@ -455,7 +459,7 @@ func Decrypt(priv *EncryptPrivateKey, uid, ciphertext []byte) ([]byte, error) {
c32 := hash.Sum(nil) c32 := hash.Sum(nil)
if goSubtle.ConstantTimeCompare(c3[:sm3.Size], c32) != 1 { if goSubtle.ConstantTimeCompare(c3[:sm3.Size], c32) != 1 {
return nil, errors.New("sm9: invalid mac value") return nil, ErrDecryption
} }
subtle.XORBytes(key, c2, key[:len(c2)]) subtle.XORBytes(key, c2, key[:len(c2)])
@ -466,7 +470,7 @@ func Decrypt(priv *EncryptPrivateKey, uid, ciphertext []byte) ([]byte, error) {
// SM9 cryptographic algorithm application specification, SM9Cipher definition. // SM9 cryptographic algorithm application specification, SM9Cipher definition.
func DecryptASN1(priv *EncryptPrivateKey, uid, ciphertext []byte) ([]byte, error) { func DecryptASN1(priv *EncryptPrivateKey, uid, ciphertext []byte) ([]byte, error) {
if len(ciphertext) <= 32+65 { if len(ciphertext) <= 32+65 {
return nil, errors.New("sm9: invalid ciphertext length") return nil, errors.New("sm9: ciphertext too short")
} }
var ( var (
encType int encType int
@ -490,7 +494,7 @@ func DecryptASN1(priv *EncryptPrivateKey, uid, ciphertext []byte) ([]byte, error
} }
c, err := unmarshalG1(c1Bytes) c, err := unmarshalG1(c1Bytes)
if err != nil { if err != nil {
return nil, err return nil, ErrDecryption
} }
key, err := UnwrapKey(priv, uid, c, len(c2Bytes)+len(c3Bytes)) key, err := UnwrapKey(priv, uid, c, len(c2Bytes)+len(c3Bytes))
@ -504,7 +508,7 @@ func DecryptASN1(priv *EncryptPrivateKey, uid, ciphertext []byte) ([]byte, error
c32 := hash.Sum(nil) c32 := hash.Sum(nil)
if goSubtle.ConstantTimeCompare(c3Bytes, c32) != 1 { if goSubtle.ConstantTimeCompare(c3Bytes, c32) != 1 {
return nil, errors.New("sm9: invalid mac value") return nil, ErrDecryption
} }
subtle.XORBytes(key, c2Bytes, key[:len(c2Bytes)]) subtle.XORBytes(key, c2Bytes, key[:len(c2Bytes)])
return key[:len(c2Bytes)], nil return key[:len(c2Bytes)], nil
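Review bot: The exported functions that now return ErrDecryption (UnwrapKey, EncryptPrivateKey.UnwrapKey, Decrypt, DecryptASN1) do not say so in their doc comments, so a caller has no documented way to distinguish a decryption failure from other errors except by comparing message strings, which this commit has just made uniform; each should carry a line such as `// It returns ErrDecryption for any malformed or unauthenticated ciphertext, without indicating which check failed.`. The unification covers the error value only: in UnwrapKey the IsOnCurve rejection returns before the pairing while the all-zero-key and MAC rejections return after pairing and KDF, so the failing stage may still be distinguishable by time-to-failure, and the ErrDecryption comment would be more accurate as `// It is deliberately vague to avoid adaptive attacks; it unifies the error value, not the timing of the different failure paths.`. The length check in DecryptASN1 still returns a distinct "sm9: ciphertext too short" error, which seems acceptable since the ciphertext length is already known to whoever supplied it, but the ASN.1 parsing error just above the second DecryptASN1 hunk is outside the shown lines and should be confirmed to return ErrDecryption as well. The bodies of Decrypt and DecryptASN1 extend beyond the hunks shown.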