Commit | Line | Data |
---|---|---|
5c3f75ec | 1 | /* -*-c-*- |
2 | * | |
c65df279 | 3 | * $Id$ |
5c3f75ec | 4 | * |
5 | * Catcrypt signatures | |
6 | * | |
7 | * (c) 2004 Straylight/Edgeware | |
8 | */ | |
9 | ||
45c0fd36 | 10 | /*----- Licensing notice --------------------------------------------------* |
5c3f75ec | 11 | * |
12 | * This file is part of Catacomb. | |
13 | * | |
14 | * Catacomb is free software; you can redistribute it and/or modify | |
15 | * it under the terms of the GNU Library General Public License as | |
16 | * published by the Free Software Foundation; either version 2 of the | |
17 | * License, or (at your option) any later version. | |
45c0fd36 | 18 | * |
5c3f75ec | 19 | * Catacomb is distributed in the hope that it will be useful, |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | |
22 | * GNU Library General Public License for more details. | |
45c0fd36 | 23 | * |
5c3f75ec | 24 | * You should have received a copy of the GNU Library General Public |
25 | * License along with Catacomb; if not, write to the Free | |
26 | * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, | |
27 | * MA 02111-1307, USA. | |
28 | */ | |
29 | ||
30 | /*----- Header files ------------------------------------------------------*/ | |
31 | ||
cd6eca43 MW |
32 | #define _FILE_OFFSET_BITS 64 |
33 | ||
5c3f75ec | 34 | #include <stdlib.h> |
35 | ||
36 | #include <mLib/report.h> | |
37 | ||
38 | #include "rand.h" | |
39 | #include "sha.h" | |
40 | #include "has160.h" | |
41 | ||
42 | #include "ec.h" | |
43 | #include "ec-keys.h" | |
44 | #include "dh.h" | |
45 | #include "gdsa.h" | |
46 | #include "gkcdsa.h" | |
47 | #include "rsa.h" | |
48 | ||
49 | #include "cc.h" | |
50 | ||
51 | /*----- Main code ---------------------------------------------------------*/ | |
52 | ||
53 | /* --- RSA PKCS1 --- */ | |
54 | ||
55 | typedef struct rsap1_sigctx { | |
56 | sig s; | |
57 | rsa_privctx rp; | |
58 | pkcs1 p1; | |
59 | } rsap1_sigctx; | |
60 | ||
61 | static sig *rsap1_siginit(key *k, void *kd, const gchash *hc) | |
62 | { | |
63 | rsap1_sigctx *rs = CREATE(rsap1_sigctx); | |
64 | rsa_privcreate(&rs->rp, kd, &rand_global); | |
65 | rs->p1.r = &rand_global; | |
66 | rs->p1.ep = hc->name; | |
67 | rs->p1.epsz = strlen(hc->name) + 1; | |
68 | rs->s.h = 0; | |
69 | return (&rs->s); | |
70 | } | |
71 | ||
72 | static int rsap1_sigdoit(sig *s, dstr *d) | |
73 | { | |
74 | rsap1_sigctx *rs = (rsap1_sigctx *)s; | |
75 | size_t n; | |
76 | mp *m = rsa_sign(&rs->rp, MP_NEW, | |
77 | GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz, | |
78 | pkcs1_sigencode, &rs->p1); | |
79 | if (!m) return (-1); | |
80 | n = mp_octets(rs->rp.rp->n); dstr_ensure(d, n); mp_storeb(m, d->buf, n); | |
81 | d->len += n; mp_drop(m); | |
82 | return (0); | |
83 | } | |
84 | ||
85 | static const char *rsa_lengthcheck(mp *n) | |
86 | { | |
87 | if (mp_bits(n) < 1024) return ("key too short"); | |
88 | return (0); | |
89 | } | |
90 | ||
91 | static const char *rsap1_sigcheck(sig *s) | |
92 | { | |
93 | rsap1_sigctx *rs = (rsap1_sigctx *)s; | |
94 | const char *e; | |
95 | if ((e = rsa_lengthcheck(rs->rp.rp->n)) != 0) return (e); | |
96 | return (0); | |
97 | } | |
98 | ||
99 | static void rsap1_sigdestroy(sig *s) | |
100 | { | |
101 | rsap1_sigctx *rs = (rsap1_sigctx *)s; | |
102 | rsa_privdestroy(&rs->rp); | |
103 | DESTROY(rs); | |
104 | } | |
105 | ||
106 | static const sigops rsap1_sig = { | |
107 | rsa_privfetch, sizeof(rsa_priv), | |
108 | rsap1_siginit, rsap1_sigdoit, rsap1_sigcheck, rsap1_sigdestroy | |
109 | }; | |
110 | ||
111 | typedef struct rsap1_vrfctx { | |
112 | sig s; | |
113 | rsa_pubctx rp; | |
114 | pkcs1 p1; | |
115 | } rsap1_vrfctx; | |
116 | ||
117 | static sig *rsap1_vrfinit(key *k, void *kd, const gchash *hc) | |
118 | { | |
119 | rsap1_vrfctx *rv = CREATE(rsap1_vrfctx); | |
120 | rsa_pubcreate(&rv->rp, kd); | |
121 | rv->p1.r = &rand_global; | |
122 | rv->p1.ep = hc->name; | |
123 | rv->p1.epsz = strlen(hc->name) + 1; | |
124 | rv->s.h = 0; | |
125 | return (&rv->s); | |
126 | } | |
127 | ||
128 | static int rsap1_vrfdoit(sig *s, dstr *d) | |
129 | { | |
130 | rsap1_vrfctx *rv = (rsap1_vrfctx *)s; | |
131 | mp *m = mp_loadb(MP_NEW, d->buf, d->len); | |
132 | int rc = rsa_verify(&rv->rp, m, | |
133 | GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz, | |
134 | 0, pkcs1_sigdecode, &rv->p1); | |
135 | mp_drop(m); | |
136 | return (rc); | |
137 | } | |
138 | ||
139 | static const char *rsap1_vrfcheck(sig *s) | |
140 | { | |
141 | rsap1_vrfctx *rv = (rsap1_vrfctx *)s; | |
142 | const char *e; | |
143 | if ((e = rsa_lengthcheck(rv->rp.rp->n)) != 0) return (e); | |
144 | return (0); | |
145 | } | |
146 | ||
147 | static void rsap1_vrfdestroy(sig *s) | |
148 | { | |
149 | rsap1_vrfctx *rv = (rsap1_vrfctx *)s; | |
150 | rsa_pubdestroy(&rv->rp); | |
151 | DESTROY(rv); | |
152 | } | |
153 | ||
154 | static const sigops rsap1_vrf = { | |
155 | rsa_pubfetch, sizeof(rsa_pub), | |
156 | rsap1_vrfinit, rsap1_vrfdoit, rsap1_vrfcheck, rsap1_vrfdestroy | |
157 | }; | |
158 | ||
159 | /* --- RSA PSS --- */ | |
160 | ||
161 | static const gccipher *getmgf(key *k, const gchash *hc) | |
162 | { | |
163 | dstr d = DSTR_INIT; | |
164 | const gccipher *gc; | |
165 | const char *mm; | |
166 | ||
167 | if ((mm = key_getattr(0, k, "mgf")) == 0) { | |
168 | dstr_putf(&d, "%s-mgf", hc->name); | |
169 | mm = d.buf; | |
170 | } | |
171 | if ((gc = gcipher_byname(mm)) == 0) | |
172 | die(EXIT_FAILURE, "unknown encryption scheme `%s'", mm); | |
173 | dstr_destroy(&d); | |
174 | return (gc); | |
175 | } | |
176 | ||
177 | typedef struct rsapss_sigctx { | |
178 | sig s; | |
179 | rsa_privctx rp; | |
180 | pss p; | |
181 | } rsapss_sigctx; | |
182 | ||
183 | static sig *rsapss_siginit(key *k, void *kd, const gchash *hc) | |
184 | { | |
185 | rsapss_sigctx *rs = CREATE(rsapss_sigctx); | |
186 | rsa_privcreate(&rs->rp, kd, &rand_global); | |
187 | rs->p.r = &rand_global; | |
188 | rs->p.cc = getmgf(k, hc); | |
189 | rs->p.ch = hc; | |
190 | rs->p.ssz = hc->hashsz; | |
191 | rsa_privdestroy(&rs->rp); | |
192 | return (&rs->s); | |
193 | } | |
194 | ||
195 | static int rsapss_sigdoit(sig *s, dstr *d) | |
196 | { | |
197 | rsapss_sigctx *rs = (rsapss_sigctx *)s; | |
198 | size_t n; | |
199 | mp *m = rsa_sign(&rs->rp, MP_NEW, | |
200 | GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz, | |
201 | pss_encode, &rs->p); | |
202 | if (!m) return (-1); | |
203 | n = mp_octets(rs->rp.rp->n); dstr_ensure(d, n); mp_storeb(m, d->buf, n); | |
45c0fd36 | 204 | d->len += n; mp_drop(m); |
5c3f75ec | 205 | return (0); |
206 | } | |
207 | ||
208 | static const char *rsapss_sigcheck(sig *s) | |
209 | { | |
210 | rsapss_sigctx *rs = (rsapss_sigctx *)s; | |
211 | const char *e; | |
212 | if ((e = rsa_lengthcheck(rs->rp.rp->n)) != 0) return (e); | |
213 | return (0); | |
214 | } | |
215 | ||
216 | static void rsapss_sigdestroy(sig *s) | |
217 | { | |
218 | rsapss_sigctx *rs = (rsapss_sigctx *)s; | |
219 | rsa_privdestroy(&rs->rp); | |
220 | DESTROY(rs); | |
221 | } | |
222 | ||
223 | static const sigops rsapss_sig = { | |
224 | rsa_privfetch, sizeof(rsa_priv), | |
225 | rsapss_siginit, rsapss_sigdoit, rsapss_sigcheck, rsapss_sigdestroy | |
226 | }; | |
227 | ||
228 | typedef struct rsapss_vrfctx { | |
229 | sig s; | |
230 | rsa_pubctx rp; | |
231 | pss p; | |
232 | } rsapss_vrfctx; | |
233 | ||
234 | static sig *rsapss_vrfinit(key *k, void *kd, const gchash *hc) | |
235 | { | |
236 | rsapss_vrfctx *rv = CREATE(rsapss_vrfctx); | |
237 | rsa_pubcreate(&rv->rp, kd); | |
238 | rv->p.r = &rand_global; | |
239 | rv->p.cc = getmgf(k, hc); | |
240 | rv->p.ch = hc; | |
241 | rv->p.ssz = hc->hashsz; | |
242 | return (&rv->s); | |
243 | } | |
244 | ||
245 | static int rsapss_vrfdoit(sig *s, dstr *d) | |
246 | { | |
247 | rsapss_vrfctx *rv = (rsapss_vrfctx *)s; | |
248 | mp *m = mp_loadb(MP_NEW, d->buf, d->len); | |
249 | int rc = rsa_verify(&rv->rp, m, | |
250 | GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz, | |
251 | 0, pss_decode, &rv->p); | |
252 | mp_drop(m); | |
253 | return (rc); | |
254 | } | |
255 | ||
256 | static const char *rsapss_vrfcheck(sig *s) | |
257 | { | |
258 | rsapss_vrfctx *rv = (rsapss_vrfctx *)s; | |
259 | const char *e; | |
260 | if ((e = rsa_lengthcheck(rv->rp.rp->n)) != 0) return (e); | |
261 | return (0); | |
262 | } | |
263 | ||
264 | static void rsapss_vrfdestroy(sig *s) | |
265 | { | |
266 | rsapss_vrfctx *rv = (rsapss_vrfctx *)s; | |
267 | rsa_pubdestroy(&rv->rp); | |
268 | DESTROY(rv); | |
269 | } | |
270 | ||
271 | static const sigops rsapss_vrf = { | |
272 | rsa_pubfetch, sizeof(rsa_pub), | |
273 | rsapss_vrfinit, rsapss_vrfdoit, rsapss_vrfcheck, rsapss_vrfdestroy | |
274 | }; | |
275 | ||
276 | /* --- DSA and ECDSA --- */ | |
277 | ||
278 | typedef struct dsa_sigctx { | |
279 | sig s; | |
280 | gdsa g; | |
281 | } dsa_sigctx; | |
282 | ||
283 | static void dsa_initcommon(dsa_sigctx *ds, const gchash *hc, | |
284 | const char *ktag) | |
285 | { | |
286 | ds->g.r = &rand_global; | |
287 | ds->g.h = hc; | |
288 | ds->g.u = MP_NEW; | |
289 | ds->s.h = 0; | |
290 | } | |
291 | ||
292 | static dsa_sigctx *dsa_doinit(key *k, const gprime_param *gp, | |
3688eb75 | 293 | mp *y, const gchash *hc, |
294 | group *(*makegroup)(const gprime_param *), | |
295 | const char *what) | |
5c3f75ec | 296 | { |
297 | dsa_sigctx *ds = CREATE(dsa_sigctx); | |
298 | dstr t = DSTR_INIT; | |
299 | ||
300 | key_fulltag(k, &t); | |
3688eb75 | 301 | if ((ds->g.g = makegroup(gp)) == 0) |
302 | die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf); | |
5c3f75ec | 303 | ds->g.p = G_CREATE(ds->g.g); |
304 | if (G_FROMINT(ds->g.g, ds->g.p, y)) | |
305 | die(EXIT_FAILURE, "bad public key in key `%s'", t.buf); | |
306 | dsa_initcommon(ds, hc, t.buf); | |
307 | dstr_destroy(&t); | |
308 | return (ds); | |
309 | } | |
310 | ||
311 | static dsa_sigctx *ecdsa_doinit(key *k, const char *cstr, | |
312 | ec *y, const gchash *hc) | |
313 | { | |
314 | dsa_sigctx *ds = CREATE(dsa_sigctx); | |
315 | ec_info ei; | |
316 | const char *e; | |
317 | dstr t = DSTR_INIT; | |
318 | ||
319 | key_fulltag(k, &t); | |
320 | if ((e = ec_getinfo(&ei, cstr)) != 0) | |
321 | die(EXIT_FAILURE, "bad curve in key `%s': %s", t.buf, e); | |
322 | ds->g.g = group_ec(&ei); | |
323 | ds->g.p = G_CREATE(ds->g.g); | |
324 | if (G_FROMEC(ds->g.g, ds->g.p, y)) | |
325 | die(EXIT_FAILURE, "bad public key in key `%s'", t.buf); | |
326 | dsa_initcommon(ds, hc, t.buf); | |
327 | dstr_destroy(&t); | |
328 | return (ds); | |
329 | } | |
330 | ||
331 | static sig *dsa_siginit(key *k, void *kd, const gchash *hc) | |
332 | { | |
333 | dh_priv *dp = kd; | |
3688eb75 | 334 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime"); |
335 | ds->g.u = MP_COPY(dp->x); | |
336 | return (&ds->s); | |
337 | } | |
338 | ||
339 | static sig *bindsa_siginit(key *k, void *kd, const gchash *hc) | |
340 | { | |
341 | dh_priv *dp = kd; | |
342 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary"); | |
5c3f75ec | 343 | ds->g.u = MP_COPY(dp->x); |
344 | return (&ds->s); | |
345 | } | |
346 | ||
347 | static sig *ecdsa_siginit(key *k, void *kd, const gchash *hc) | |
348 | { | |
349 | ec_priv *ep = kd; | |
350 | dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc); | |
351 | ds->g.u = MP_COPY(ep->x); | |
352 | return (&ds->s); | |
353 | } | |
354 | ||
355 | static int dsa_sigdoit(sig *s, dstr *d) | |
356 | { | |
357 | dsa_sigctx *ds = (dsa_sigctx *)s; | |
358 | gdsa_sig ss = GDSA_SIG_INIT; | |
359 | size_t n = mp_octets(ds->g.g->r); | |
360 | ||
361 | gdsa_sign(&ds->g, &ss, GH_DONE(ds->s.h, 0), 0); | |
362 | dstr_ensure(d, 2 * n); | |
363 | mp_storeb(ss.r, d->buf, n); | |
364 | mp_storeb(ss.s, d->buf + n, n); | |
365 | d->len += 2 * n; | |
366 | mp_drop(ss.r); mp_drop(ss.s); | |
367 | return (0); | |
368 | } | |
369 | ||
370 | static const char *dsa_sigcheck(sig *s) | |
371 | { | |
372 | dsa_sigctx *ds = (dsa_sigctx *)s; | |
373 | const char *e; | |
374 | if ((e = G_CHECK(ds->g.g, &rand_global)) != 0) | |
375 | return (0); | |
376 | if (group_check(ds->g.g, ds->g.p)) | |
377 | return ("public key not in subgroup"); | |
378 | return (0); | |
379 | } | |
380 | ||
381 | static void dsa_sigdestroy(sig *s) | |
382 | { | |
383 | dsa_sigctx *ds = (dsa_sigctx *)s; | |
384 | G_DESTROY(ds->g.g, ds->g.p); | |
385 | mp_drop(ds->g.u); | |
386 | G_DESTROYGROUP(ds->g.g); | |
ef13e9a4 | 387 | DESTROY(ds); |
5c3f75ec | 388 | } |
389 | ||
390 | static const sigops dsa_sig = { | |
391 | dh_privfetch, sizeof(dh_priv), | |
392 | dsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy | |
393 | }; | |
394 | ||
3688eb75 | 395 | static const sigops bindsa_sig = { |
396 | dh_privfetch, sizeof(dh_priv), | |
397 | bindsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy | |
398 | }; | |
399 | ||
5c3f75ec | 400 | static const sigops ecdsa_sig = { |
401 | ec_privfetch, sizeof(ec_priv), | |
402 | ecdsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy | |
403 | }; | |
404 | ||
405 | static sig *dsa_vrfinit(key *k, void *kd, const gchash *hc) | |
406 | { | |
407 | dh_pub *dp = kd; | |
3688eb75 | 408 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime"); |
409 | return (&ds->s); | |
410 | } | |
411 | ||
412 | static sig *bindsa_vrfinit(key *k, void *kd, const gchash *hc) | |
413 | { | |
414 | dh_pub *dp = kd; | |
415 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary"); | |
5c3f75ec | 416 | return (&ds->s); |
417 | } | |
418 | ||
419 | static sig *ecdsa_vrfinit(key *k, void *kd, const gchash *hc) | |
420 | { | |
421 | ec_pub *ep = kd; | |
422 | dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc); | |
423 | return (&ds->s); | |
424 | } | |
425 | ||
426 | static int dsa_vrfdoit(sig *s, dstr *d) | |
427 | { | |
428 | dsa_sigctx *ds = (dsa_sigctx *)s; | |
429 | gdsa_sig ss; | |
430 | size_t n = d->len/2; | |
431 | int rc; | |
432 | ||
433 | ss.r = mp_loadb(MP_NEW, d->buf, n); | |
434 | ss.s = mp_loadb(MP_NEW, d->buf + n, d->len - n); | |
435 | rc = gdsa_verify(&ds->g, &ss, GH_DONE(ds->s.h, 0)); | |
436 | mp_drop(ss.r); mp_drop(ss.s); | |
437 | return (rc); | |
438 | } | |
439 | ||
440 | static const sigops dsa_vrf = { | |
441 | dh_pubfetch, sizeof(dh_pub), | |
442 | dsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy | |
443 | }; | |
444 | ||
3688eb75 | 445 | static const sigops bindsa_vrf = { |
446 | dh_pubfetch, sizeof(dh_pub), | |
447 | bindsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy | |
448 | }; | |
449 | ||
5c3f75ec | 450 | static const sigops ecdsa_vrf = { |
451 | ec_pubfetch, sizeof(ec_pub), | |
452 | ecdsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy | |
453 | }; | |
454 | ||
455 | /* --- KCDSA and ECKCDSA --- */ | |
456 | ||
457 | static void kcdsa_privkey(dsa_sigctx *ds, mp *x) | |
458 | { ds->g.u = mp_modinv(MP_NEW, x, ds->g.g->r); } | |
459 | ||
460 | static void kcdsa_sethash(dsa_sigctx *ds, const gchash *hc) | |
461 | { ds->s.h = gkcdsa_beginhash(&ds->g); } | |
462 | ||
463 | static sig *kcdsa_siginit(key *k, void *kd, const gchash *hc) | |
464 | { | |
465 | dh_priv *dp = kd; | |
3688eb75 | 466 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime"); |
467 | kcdsa_privkey(ds, dp->x); | |
468 | kcdsa_sethash(ds, hc); | |
469 | return (&ds->s); | |
470 | } | |
471 | ||
472 | static sig *binkcdsa_siginit(key *k, void *kd, const gchash *hc) | |
473 | { | |
474 | dh_priv *dp = kd; | |
475 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary"); | |
5c3f75ec | 476 | kcdsa_privkey(ds, dp->x); |
477 | kcdsa_sethash(ds, hc); | |
478 | return (&ds->s); | |
479 | } | |
480 | ||
481 | static sig *eckcdsa_siginit(key *k, void *kd, const gchash *hc) | |
482 | { | |
483 | ec_priv *ep = kd; | |
484 | dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc); | |
485 | kcdsa_privkey(ds, ep->x); | |
486 | kcdsa_sethash(ds, hc); | |
487 | return (&ds->s); | |
488 | } | |
489 | ||
490 | static int kcdsa_sigdoit(sig *s, dstr *d) | |
491 | { | |
492 | dsa_sigctx *ds = (dsa_sigctx *)s; | |
493 | gkcdsa_sig ss = GKCDSA_SIG_INIT; | |
494 | size_t hsz = ds->g.h->hashsz, n = mp_octets(ds->g.g->r); | |
495 | ||
496 | gkcdsa_sign(&ds->g, &ss, GH_DONE(ds->s.h, 0), 0); | |
497 | dstr_ensure(d, hsz + n); | |
498 | memcpy(d->buf, ss.r, hsz); | |
499 | mp_storeb(ss.s, d->buf + hsz, n); | |
500 | d->len += hsz + n; | |
501 | xfree(ss.r); mp_drop(ss.s); | |
502 | return (0); | |
503 | } | |
504 | ||
505 | static const sigops kcdsa_sig = { | |
506 | dh_privfetch, sizeof(dh_priv), | |
507 | kcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy | |
508 | }; | |
509 | ||
3688eb75 | 510 | static const sigops binkcdsa_sig = { |
511 | dh_privfetch, sizeof(dh_priv), | |
512 | binkcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy | |
513 | }; | |
514 | ||
5c3f75ec | 515 | static const sigops eckcdsa_sig = { |
516 | ec_privfetch, sizeof(ec_priv), | |
517 | eckcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy | |
518 | }; | |
519 | ||
520 | static sig *kcdsa_vrfinit(key *k, void *kd, const gchash *hc) | |
521 | { | |
522 | dh_pub *dp = kd; | |
3688eb75 | 523 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime"); |
524 | kcdsa_sethash(ds, hc); | |
525 | return (&ds->s); | |
526 | } | |
527 | ||
528 | static sig *binkcdsa_vrfinit(key *k, void *kd, const gchash *hc) | |
529 | { | |
530 | dh_pub *dp = kd; | |
531 | dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary"); | |
5c3f75ec | 532 | kcdsa_sethash(ds, hc); |
533 | return (&ds->s); | |
534 | } | |
535 | ||
536 | static sig *eckcdsa_vrfinit(key *k, void *kd, const gchash *hc) | |
537 | { | |
538 | ec_pub *ep = kd; | |
539 | dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc); | |
540 | kcdsa_sethash(ds, hc); | |
541 | return (&ds->s); | |
542 | } | |
543 | ||
544 | static int kcdsa_vrfdoit(sig *s, dstr *d) | |
545 | { | |
546 | dsa_sigctx *ds = (dsa_sigctx *)s; | |
547 | gkcdsa_sig ss; | |
548 | size_t hsz = ds->g.h->hashsz, n = d->len - hsz; | |
549 | int rc; | |
550 | ||
551 | if (d->len < hsz) | |
552 | return (-1); | |
553 | ss.r = (octet *)d->buf; | |
554 | ss.s = mp_loadb(MP_NEW, d->buf + hsz, n); | |
555 | rc = gkcdsa_verify(&ds->g, &ss, GH_DONE(ds->s.h, 0)); | |
556 | mp_drop(ss.s); | |
557 | return (rc); | |
558 | } | |
559 | ||
560 | static const sigops kcdsa_vrf = { | |
561 | dh_pubfetch, sizeof(dh_pub), | |
562 | kcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy | |
563 | }; | |
564 | ||
3688eb75 | 565 | static const sigops binkcdsa_vrf = { |
566 | dh_pubfetch, sizeof(dh_pub), | |
567 | binkcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy | |
568 | }; | |
569 | ||
5c3f75ec | 570 | static const sigops eckcdsa_vrf = { |
571 | ec_pubfetch, sizeof(ec_pub), | |
572 | eckcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy | |
573 | }; | |
574 | ||
02dfbd5b MW |
575 | /* --- Symmetric message authentication --- */ |
576 | ||
577 | typedef struct mac_ctx { | |
578 | sig s; | |
579 | const gcmac *mc; | |
580 | gmac *m; | |
581 | key_packdef kp; | |
582 | key_bin kb; | |
583 | } mac_ctx; | |
584 | ||
585 | static sig *mac_init(key *k, void *kd, const gchash *hc) | |
586 | { | |
587 | mac_ctx *m; | |
588 | dstr d = DSTR_INIT; | |
589 | int err; | |
590 | const char *mm; | |
591 | ||
592 | m = CREATE(mac_ctx); | |
593 | ||
594 | key_fulltag(k, &d); | |
595 | m->kp.e = KENC_BINARY; | |
596 | m->kp.p = &m->kb; | |
597 | m->kp.kd = 0; | |
598 | ||
599 | if ((mm = key_getattr(0 /*yik*/, k, "mac")) == 0) { | |
600 | dstr_putf(&d, "%s-hmac", hc->name); | |
601 | mm = d.buf; | |
602 | } | |
603 | if ((m->mc = gmac_byname(mm)) == 0) | |
604 | die(EXIT_FAILURE, "unknown message authentication scheme `%s'", mm); | |
605 | dstr_reset(&d); | |
606 | ||
607 | if ((err = key_unpack(&m->kp, kd, &d)) != 0) { | |
608 | die(EXIT_FAILURE, "failed to unpack symmetric key `%s': %s", | |
609 | d.buf, key_strerror(err)); | |
610 | } | |
611 | dstr_destroy(&d); | |
612 | ||
613 | if (keysz(m->kb.sz, m->mc->keysz) != m->kb.sz) { | |
614 | die(EXIT_FAILURE, "bad key size %lu for `%s'", | |
615 | (unsigned long)m->kb.sz, m->mc->name); | |
616 | } | |
617 | m->m = GM_KEY(m->mc, m->kb.k, m->kb.sz); | |
618 | m->s.h = GM_INIT(m->m); | |
619 | return (&m->s); | |
620 | } | |
621 | ||
622 | static int mac_sigdoit(sig *s, dstr *d) | |
623 | { | |
624 | mac_ctx *m = (mac_ctx *)s; | |
625 | ||
626 | dstr_ensure(d, m->mc->hashsz); | |
627 | GH_DONE(m->s.h, d->buf); | |
628 | d->len += m->mc->hashsz; | |
629 | return (0); | |
630 | } | |
631 | ||
632 | static int mac_vrfdoit(sig *s, dstr *d) | |
633 | { | |
634 | mac_ctx *m = (mac_ctx *)s; | |
635 | const octet *t; | |
636 | ||
637 | t = GH_DONE(m->s.h, 0); | |
638 | if (d->len != m->mc->hashsz || memcmp(d->buf, t, d->len) != 0) | |
639 | return (-1); | |
640 | return (0); | |
641 | } | |
642 | ||
643 | static const char *mac_check(sig *s) { return (0); } | |
644 | ||
645 | static void mac_destroy(sig *s) | |
646 | { | |
647 | mac_ctx *m = (mac_ctx *)s; | |
648 | GM_DESTROY(m->m); | |
649 | key_unpackdone(&m->kp); | |
650 | } | |
651 | ||
652 | static const sigops mac_sig = { | |
653 | 0, 0, | |
654 | mac_init, mac_sigdoit, mac_check, mac_destroy | |
655 | }; | |
656 | ||
657 | static const sigops mac_vrf = { | |
658 | 0, 0, | |
659 | mac_init, mac_vrfdoit, mac_check, mac_destroy | |
660 | }; | |
661 | ||
5c3f75ec | 662 | /* --- The switch table --- */ |
663 | ||
c65df279 | 664 | const struct sigtab sigtab[] = { |
5c3f75ec | 665 | { "rsapkcs1", &rsap1_sig, &rsap1_vrf, &sha }, |
666 | { "rsapss", &rsapss_sig, &rsapss_vrf, &sha }, | |
667 | { "dsa", &dsa_sig, &dsa_vrf, &sha }, | |
3688eb75 | 668 | { "bindsa", &bindsa_sig, &bindsa_vrf, &sha }, |
5c3f75ec | 669 | { "ecdsa", &ecdsa_sig, &ecdsa_vrf, &sha }, |
670 | { "kcdsa", &kcdsa_sig, &kcdsa_vrf, &has160 }, | |
3688eb75 | 671 | { "binkcdsa", &binkcdsa_sig, &binkcdsa_vrf, &has160 }, |
5c3f75ec | 672 | { "eckcdsa", &eckcdsa_sig, &eckcdsa_vrf, &has160 }, |
02dfbd5b | 673 | { "mac", &mac_sig, &mac_vrf, &rmd160 }, |
5c3f75ec | 674 | { 0, 0, 0 } |
675 | }; | |
676 | ||
677 | /* --- @getsig@ --- * | |
678 | * | |
679 | * Arguments: @key *k@ = the key to load | |
680 | * @const char *app@ = application name | |
681 | * @int wantpriv@ = nonzero if we want to sign | |
682 | * | |
683 | * Returns: A signature-making thing. | |
684 | * | |
685 | * Use: Loads a key and starts hashing. | |
686 | */ | |
687 | ||
688 | sig *getsig(key *k, const char *app, int wantpriv) | |
689 | { | |
690 | const char *salg, *halg = 0; | |
691 | dstr d = DSTR_INIT; | |
692 | dstr t = DSTR_INIT; | |
693 | char *p = 0; | |
694 | const char *q; | |
695 | sig *s; | |
696 | size_t n; | |
697 | const struct sigtab *st; | |
698 | const sigops *so; | |
699 | const gchash *ch; | |
700 | void *kd; | |
701 | int e; | |
702 | key_packdef *kp; | |
703 | ||
704 | /* --- Setup stuff --- */ | |
705 | ||
706 | key_fulltag(k, &t); | |
707 | ||
708 | /* --- Get the signature algorithm --- * | |
709 | * | |
710 | * Take the attribute if it's there; otherwise use the key type. | |
711 | */ | |
712 | ||
713 | n = strlen(app); | |
714 | if ((q = key_getattr(0, k, "sig")) != 0) { | |
715 | dstr_puts(&d, q); | |
716 | p = d.buf; | |
717 | } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') { | |
718 | dstr_puts(&d, k->type); | |
719 | p = d.buf + n + 1; | |
720 | } else | |
721 | die(EXIT_FAILURE, "no signature algorithm for key `%s'", t.buf); | |
722 | ||
723 | /* --- Grab the hash algorithm --- * | |
724 | * | |
725 | * Grab it from the signature algorithm if it's there. But override that | |
726 | * from the attribute. | |
727 | */ | |
728 | ||
729 | salg = p; | |
730 | if ((p = strchr(p, '/')) != 0) { | |
731 | *p++ = 0; | |
732 | halg = p; | |
733 | } | |
734 | if ((q = key_getattr(0, k, "hash")) != 0) | |
735 | halg = q; | |
736 | ||
737 | /* --- Look up the algorithms in the table --- */ | |
738 | ||
739 | for (st = sigtab; st->name; st++) { | |
740 | if (strcmp(st->name, salg) == 0) | |
741 | goto s_found; | |
742 | } | |
743 | die(EXIT_FAILURE, "signature algorithm `%s' not found in key `%s'", | |
744 | salg, t.buf); | |
745 | s_found:; | |
746 | if (!halg) | |
747 | ch = st->ch; | |
748 | else { | |
749 | if ((ch = ghash_byname(halg)) == 0) { | |
750 | die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'", | |
751 | halg, t.buf); | |
752 | } | |
753 | } | |
754 | so = wantpriv ? st->signops : st->verifyops; | |
755 | ||
756 | /* --- Load the key --- */ | |
757 | ||
02dfbd5b MW |
758 | if (!so->kf) { |
759 | kd = k->k; | |
760 | key_incref(kd); | |
78ec50fa | 761 | kp = 0; |
02dfbd5b MW |
762 | } else { |
763 | kd = xmalloc(so->kdsz); | |
764 | kp = key_fetchinit(so->kf, 0, kd); | |
765 | if ((e = key_fetch(kp, k)) != 0) { | |
766 | die(EXIT_FAILURE, "error fetching key `%s': %s", | |
767 | t.buf, key_strerror(e)); | |
768 | } | |
769 | } | |
5c3f75ec | 770 | s = so->init(k, kd, ch); |
771 | if (!s->h) | |
772 | s->h = GH_INIT(ch); | |
773 | s->kp = kp; | |
774 | s->ops = so; | |
775 | s->kd = kd; | |
02dfbd5b | 776 | s->ch = ch; |
5c3f75ec | 777 | |
778 | /* --- Free stuff up --- */ | |
779 | ||
780 | dstr_destroy(&d); | |
781 | dstr_destroy(&t); | |
782 | return (s); | |
783 | } | |
784 | ||
785 | /* --- @freesig@ --- * | |
786 | * | |
787 | * Arguments: @sig *s@ = signature-making thing | |
788 | * | |
789 | * Returns: --- | |
790 | * | |
791 | * Use: Frees up a signature-making thing | |
792 | */ | |
793 | ||
794 | void freesig(sig *s) | |
795 | { | |
796 | GH_DESTROY(s->h); | |
02dfbd5b MW |
797 | if (!s->ops->kf) |
798 | key_drop(s->kd); | |
45c0fd36 | 799 | else { |
02dfbd5b MW |
800 | key_fetchdone(s->kp); |
801 | xfree(s->kd); | |
802 | } | |
5c3f75ec | 803 | s->ops->destroy(s); |
804 | } | |
805 | ||
806 | /*----- That's all, folks -------------------------------------------------*/ |