5c3f75ec |
1 | /* -*-c-*- |
2 | * |
c65df279 |
3 | * $Id$ |
5c3f75ec |
4 | * |
5 | * Catcrypt key-encapsulation |
6 | * |
7 | * (c) 2004 Straylight/Edgeware |
8 | */ |
9 | |
10 | /*----- Licensing notice --------------------------------------------------* |
11 | * |
12 | * This file is part of Catacomb. |
13 | * |
14 | * Catacomb is free software; you can redistribute it and/or modify |
15 | * it under the terms of the GNU Library General Public License as |
16 | * published by the Free Software Foundation; either version 2 of the |
17 | * License, or (at your option) any later version. |
18 | * |
19 | * Catacomb is distributed in the hope that it will be useful, |
20 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
21 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
22 | * GNU Library General Public License for more details. |
23 | * |
24 | * You should have received a copy of the GNU Library General Public |
25 | * License along with Catacomb; if not, write to the Free |
26 | * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston, |
27 | * MA 02111-1307, USA. |
28 | */ |
29 | |
30 | /*----- Header files ------------------------------------------------------*/ |
31 | |
32 | #include <stdlib.h> |
33 | |
34 | #include <mLib/alloc.h> |
35 | #include <mLib/dstr.h> |
36 | #include <mLib/report.h> |
37 | #include <mLib/sub.h> |
38 | |
39 | #include "mprand.h" |
40 | #include "rand.h" |
41 | |
42 | #include "ec.h" |
43 | #include "ec-keys.h" |
44 | #include "dh.h" |
45 | #include "rsa.h" |
46 | |
47 | #include "rmd160.h" |
48 | #include "blowfish-cbc.h" |
49 | |
50 | #include "cc.h" |
51 | |
52 | /*----- Key encapsulation -------------------------------------------------*/ |
53 | |
54 | /* --- RSA --- */ |
55 | |
56 | typedef struct rsa_encctx { |
57 | kem k; |
58 | rsa_pubctx rp; |
59 | } rsa_encctx; |
60 | |
61 | static kem *rsa_encinit(key *k, void *kd) |
62 | { |
63 | rsa_encctx *re = CREATE(rsa_encctx); |
64 | rsa_pubcreate(&re->rp, kd); |
65 | return (&re->k); |
66 | } |
67 | |
68 | static int rsa_encdoit(kem *k, dstr *d, ghash *h) |
69 | { |
70 | rsa_encctx *re = (rsa_encctx *)k; |
71 | mp *x = mprand_range(MP_NEW, re->rp.rp->n, &rand_global, 0); |
72 | mp *y = rsa_pubop(&re->rp, MP_NEW, x); |
73 | size_t n = mp_octets(re->rp.rp->n); |
74 | dstr_ensure(d, n); |
75 | mp_storeb(x, d->buf, n); |
76 | GH_HASH(h, d->buf, n); |
77 | mp_storeb(y, d->buf, n); |
78 | d->len += n; |
79 | mp_drop(x); |
80 | mp_drop(y); |
81 | return (0); |
82 | } |
83 | |
84 | static const char *rsa_lengthcheck(mp *n) |
85 | { |
86 | if (mp_bits(n) < 1020) return ("key too short"); |
87 | return (0); |
88 | } |
89 | |
90 | static const char *rsa_enccheck(kem *k) |
91 | { |
92 | rsa_encctx *re = (rsa_encctx *)k; |
93 | const char *e; |
94 | if ((e = rsa_lengthcheck(re->rp.rp->n)) != 0) return (e); |
95 | return (0); |
96 | } |
97 | |
98 | static void rsa_encdestroy(kem *k) |
99 | { |
100 | rsa_encctx *re = (rsa_encctx *)k; |
101 | rsa_pubdestroy(&re->rp); |
102 | DESTROY(re); |
103 | } |
104 | |
105 | static const kemops rsa_encops = { |
106 | rsa_pubfetch, sizeof(rsa_pub), |
107 | rsa_encinit, rsa_encdoit, rsa_enccheck, rsa_encdestroy |
108 | }; |
109 | |
110 | typedef struct rsa_decctx { |
111 | kem k; |
112 | rsa_privctx rp; |
113 | } rsa_decctx; |
114 | |
115 | static kem *rsa_decinit(key *k, void *kd) |
116 | { |
117 | rsa_decctx *rd = CREATE(rsa_decctx); |
118 | rsa_privcreate(&rd->rp, kd, &rand_global); |
119 | return (&rd->k); |
120 | } |
121 | |
122 | static int rsa_decdoit(kem *k, dstr *d, ghash *h) |
123 | { |
124 | rsa_decctx *rd = (rsa_decctx *)k; |
125 | mp *x = mp_loadb(MP_NEW, d->buf, d->len); |
126 | size_t n; |
127 | char *p; |
128 | |
129 | if (MP_CMP(x, >=, rd->rp.rp->n)) { |
130 | mp_drop(x); |
131 | return (-1); |
132 | } |
133 | n = mp_octets(rd->rp.rp->n); |
134 | p = xmalloc(n); |
135 | x = rsa_privop(&rd->rp, x, x); |
136 | mp_storeb(x, p, n); |
137 | GH_HASH(h, p, n); |
138 | mp_drop(x); |
139 | xfree(p); |
140 | return (0); |
141 | } |
142 | |
143 | static const char *rsa_deccheck(kem *k) |
144 | { |
145 | rsa_decctx *rd = (rsa_decctx *)k; |
146 | const char *e; |
147 | if ((e = rsa_lengthcheck(rd->rp.rp->n)) != 0) return (e); |
148 | return (0); |
149 | } |
150 | |
151 | static void rsa_decdestroy(kem *k) |
152 | { |
153 | rsa_decctx *rd = (rsa_decctx *)k; |
154 | rsa_privdestroy(&rd->rp); |
155 | DESTROY(rd); |
156 | } |
157 | |
158 | static const kemops rsa_decops = { |
159 | rsa_privfetch, sizeof(rsa_priv), |
160 | rsa_decinit, rsa_decdoit, rsa_deccheck, rsa_decdestroy |
161 | }; |
162 | |
163 | /* --- DH and EC --- */ |
164 | |
165 | typedef struct dh_encctx { |
166 | kem k; |
167 | group *g; |
168 | mp *x; |
169 | ge *y; |
170 | } dh_encctx; |
171 | |
3688eb75 |
172 | static dh_encctx *dh_doinit(key *k, const gprime_param *gp, mp *y, |
173 | group *(*makegroup)(const gprime_param *), |
174 | const char *what) |
5c3f75ec |
175 | { |
176 | dh_encctx *de = CREATE(dh_encctx); |
177 | dstr t = DSTR_INIT; |
178 | |
179 | key_fulltag(k, &t); |
3688eb75 |
180 | if ((de->g = makegroup(gp)) == 0) |
181 | die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf); |
5c3f75ec |
182 | de->x = MP_NEW; |
183 | de->y = G_CREATE(de->g); |
184 | if (G_FROMINT(de->g, de->y, y)) |
185 | die(EXIT_FAILURE, "bad public key `%s'", t.buf); |
186 | dstr_destroy(&t); |
187 | return (de); |
188 | } |
189 | |
190 | static dh_encctx *ec_doinit(key *k, const char *cstr, const ec *y) |
191 | { |
192 | dh_encctx *de = CREATE(dh_encctx); |
193 | ec_info ei; |
194 | const char *e; |
195 | dstr t = DSTR_INIT; |
196 | |
197 | key_fulltag(k, &t); |
198 | if ((e = ec_getinfo(&ei, cstr)) != 0 || |
199 | (de->g = group_ec(&ei)) == 0) |
200 | die(EXIT_FAILURE, "bad elliptic curve spec in key `%s': %s", t.buf, e); |
201 | de->x = MP_NEW; |
202 | de->y = G_CREATE(de->g); |
203 | if (G_FROMEC(de->g, de->y, y)) |
204 | die(EXIT_FAILURE, "bad public curve point `%s'", t.buf); |
205 | dstr_destroy(&t); |
206 | return (de); |
207 | } |
208 | |
209 | static kem *dh_encinit(key *k, void *kd) |
210 | { |
211 | dh_pub *dp = kd; |
3688eb75 |
212 | dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime"); |
213 | return (&de->k); |
214 | } |
215 | |
216 | static kem *bindh_encinit(key *k, void *kd) |
217 | { |
218 | dh_pub *dp = kd; |
219 | dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary"); |
5c3f75ec |
220 | return (&de->k); |
221 | } |
222 | |
223 | static kem *ec_encinit(key *k, void *kd) |
224 | { |
225 | ec_pub *ep = kd; |
226 | dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p); |
227 | return (&de->k); |
228 | } |
229 | |
230 | static int dh_encdoit(kem *k, dstr *d, ghash *h) |
231 | { |
232 | dh_encctx *de = (dh_encctx *)k; |
233 | mp *r = mprand_range(MP_NEW, de->g->r, &rand_global, 0); |
234 | ge *x = G_CREATE(de->g); |
235 | ge *y = G_CREATE(de->g); |
236 | size_t n = de->g->noctets; |
237 | buf b; |
238 | |
239 | G_EXP(de->g, x, de->g->g, r); |
240 | G_EXP(de->g, y, de->y, r); |
241 | dstr_ensure(d, n); |
242 | buf_init(&b, d->buf, n); |
243 | G_TORAW(de->g, &b, y); |
244 | GH_HASH(h, BBASE(&b), BLEN(&b)); |
245 | buf_init(&b, d->buf, n); |
246 | G_TORAW(de->g, &b, x); |
247 | GH_HASH(h, BBASE(&b), BLEN(&b)); |
248 | d->len += BLEN(&b); |
249 | mp_drop(r); |
250 | G_DESTROY(de->g, x); |
251 | G_DESTROY(de->g, y); |
252 | return (0); |
253 | } |
254 | |
255 | static const char *dh_enccheck(kem *k) |
256 | { |
257 | dh_encctx *de = (dh_encctx *)k; |
258 | const char *e; |
259 | if ((e = G_CHECK(de->g, &rand_global)) != 0) |
260 | return (0); |
261 | if (group_check(de->g, de->y)) |
262 | return ("public key not in subgroup"); |
263 | return (0); |
264 | } |
265 | |
266 | static void dh_encdestroy(kem *k) |
267 | { |
268 | dh_encctx *de = (dh_encctx *)k; |
269 | G_DESTROY(de->g, de->y); |
270 | mp_drop(de->x); |
271 | G_DESTROYGROUP(de->g); |
6f313264 |
272 | DESTROY(de); |
5c3f75ec |
273 | } |
274 | |
275 | static const kemops dh_encops = { |
276 | dh_pubfetch, sizeof(dh_pub), |
277 | dh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy |
278 | }; |
279 | |
3688eb75 |
280 | static const kemops bindh_encops = { |
281 | dh_pubfetch, sizeof(dh_pub), |
282 | bindh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy |
283 | }; |
284 | |
5c3f75ec |
285 | static const kemops ec_encops = { |
286 | ec_pubfetch, sizeof(ec_pub), |
287 | ec_encinit, dh_encdoit, dh_enccheck, dh_encdestroy |
288 | }; |
289 | |
290 | static kem *dh_decinit(key *k, void *kd) |
291 | { |
292 | dh_priv *dp = kd; |
3688eb75 |
293 | dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime"); |
294 | de->x = MP_COPY(dp->x); |
295 | return (&de->k); |
296 | } |
297 | |
298 | static kem *bindh_decinit(key *k, void *kd) |
299 | { |
300 | dh_priv *dp = kd; |
301 | dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary"); |
5c3f75ec |
302 | de->x = MP_COPY(dp->x); |
303 | return (&de->k); |
304 | } |
305 | |
306 | static kem *ec_decinit(key *k, void *kd) |
307 | { |
308 | ec_priv *ep = kd; |
309 | dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p); |
310 | de->x = MP_COPY(ep->x); |
311 | return (&de->k); |
312 | } |
313 | |
314 | static int dh_decdoit(kem *k, dstr *d, ghash *h) |
315 | { |
316 | dh_encctx *de = (dh_encctx *)k; |
317 | ge *x = G_CREATE(de->g); |
318 | size_t n = de->g->noctets; |
319 | void *p = xmalloc(n); |
320 | buf b; |
321 | int rc = -1; |
322 | |
323 | buf_init(&b, d->buf, d->len); |
324 | if (G_FROMRAW(de->g, &b, x) || group_check(de->g, x)) |
325 | goto done; |
326 | G_EXP(de->g, x, x, de->x); |
327 | buf_init(&b, p, n); |
328 | G_TORAW(de->g, &b, x); |
329 | GH_HASH(h, BBASE(&b), BLEN(&b)); |
330 | GH_HASH(h, d->buf, d->len); |
331 | rc = 0; |
332 | done: |
333 | G_DESTROY(de->g, x); |
334 | xfree(p); |
335 | return (rc); |
336 | } |
337 | |
338 | static const kemops dh_decops = { |
339 | dh_privfetch, sizeof(dh_priv), |
340 | dh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy |
341 | }; |
342 | |
3688eb75 |
343 | static const kemops bindh_decops = { |
344 | dh_privfetch, sizeof(dh_priv), |
345 | bindh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy |
346 | }; |
347 | |
5c3f75ec |
348 | static const kemops ec_decops = { |
349 | ec_privfetch, sizeof(ec_priv), |
350 | ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy |
351 | }; |
352 | |
353 | /* --- The switch table --- */ |
354 | |
c65df279 |
355 | const struct kemtab kemtab[] = { |
5c3f75ec |
356 | { "rsa", &rsa_encops, &rsa_decops }, |
357 | { "dh", &dh_encops, &dh_decops }, |
3688eb75 |
358 | { "bindh", &bindh_encops, &bindh_decops }, |
5c3f75ec |
359 | { "ec", &ec_encops, &ec_decops }, |
360 | { 0, 0, 0 } |
361 | }; |
362 | |
363 | /* --- @getkem@ --- * |
364 | * |
365 | * Arguments: @key *k@ = the key to load |
366 | * @const char *app@ = application name |
367 | * @int wantpriv@ = nonzero if we want to decrypt |
368 | * |
369 | * Returns: A key-encapsulating thing. |
370 | * |
371 | * Use: Loads a key. |
372 | */ |
373 | |
374 | kem *getkem(key *k, const char *app, int wantpriv) |
375 | { |
376 | const char *kalg, *halg = 0, *calg = 0; |
377 | dstr d = DSTR_INIT; |
378 | dstr t = DSTR_INIT; |
379 | size_t n; |
380 | char *p = 0; |
381 | const char *q; |
382 | kem *kk; |
383 | const struct kemtab *kt; |
384 | const kemops *ko; |
385 | void *kd; |
386 | int e; |
387 | key_packdef *kp; |
388 | |
389 | /* --- Setup stuff --- */ |
390 | |
391 | key_fulltag(k, &t); |
392 | |
393 | /* --- Get the KEM name --- * |
394 | * |
395 | * Take the attribute if it's there; otherwise use the key type. |
396 | */ |
397 | |
398 | n = strlen(app); |
399 | if ((q = key_getattr(0, k, "kem")) != 0) { |
400 | dstr_puts(&d, q); |
401 | p = d.buf; |
402 | } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') { |
403 | dstr_puts(&d, k->type); |
404 | p = d.buf + n + 1; |
405 | } else |
406 | die(EXIT_FAILURE, "no KEM for key `%s'", t.buf); |
407 | kalg = p; |
408 | |
409 | /* --- Grab the encryption scheme --- * |
410 | * |
411 | * Grab it from the KEM if it's there, but override it from the attribute. |
412 | */ |
413 | |
414 | if (p && (p = strchr(p, '/')) != 0) { |
415 | *p++ = 0; |
416 | calg = p; |
417 | } |
418 | if ((q = key_getattr(0, k, "cipher")) != 0) |
419 | calg = q; |
420 | |
421 | /* --- Grab the hash function --- */ |
422 | |
423 | if (p && (p = strchr(p, '/')) != 0) { |
424 | *p++ = 0; |
425 | halg = p; |
426 | } |
427 | if ((q = key_getattr(0, k, "hash")) != 0) |
428 | halg = q; |
429 | |
430 | /* --- Instantiate the KEM --- */ |
431 | |
432 | for (kt = kemtab; kt->name; kt++) { |
433 | if (strcmp(kt->name, kalg) == 0) |
434 | goto k_found; |
435 | } |
436 | die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'", |
437 | kalg, t.buf); |
438 | k_found:; |
439 | ko = wantpriv ? kt->decops : kt->encops; |
440 | kd = xmalloc(ko->kdsz); |
441 | kp = key_fetchinit(ko->kf, 0, kd); |
442 | if ((e = key_fetch(kp, k)) != 0) |
443 | die(EXIT_FAILURE, "error fetching key `%s': %s", t.buf, key_strerror(e)); |
444 | kk = ko->init(k, kd); |
445 | kk->kp = kp; |
446 | kk->ops = ko; |
447 | kk->kd = kd; |
448 | |
449 | /* --- Set up the algorithms --- */ |
450 | |
451 | if (!halg) |
452 | kk->h = &rmd160; |
453 | else if ((kk->h = ghash_byname(halg)) == 0) { |
454 | die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'", |
455 | halg, t.buf); |
456 | } |
457 | |
458 | if (!calg) |
459 | kk->c = &blowfish_cbc; |
460 | else if ((kk->c = gcipher_byname(calg)) == 0) { |
461 | die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'", |
462 | calg, t.buf); |
463 | } |
464 | |
465 | dstr_reset(&d); |
466 | if ((q = key_getattr(0, k, "kdf")) == 0) { |
467 | dstr_putf(&d, "%s-mgf", kk->h->name); |
468 | q = d.buf; |
469 | } |
470 | if ((kk->cx = gcipher_byname(q)) == 0) { |
471 | die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'", |
472 | q, t.buf); |
473 | } |
474 | |
475 | dstr_reset(&d); |
476 | if ((q = key_getattr(0, k, "mac")) == 0) { |
477 | dstr_putf(&d, "%s-hmac", kk->h->name); |
478 | q = d.buf; |
479 | } |
480 | if ((kk->m = gmac_byname(q)) == 0) { |
481 | die(EXIT_FAILURE, |
482 | "message authentication code `%s' not found in key `%s'", |
483 | q, t.buf); |
484 | } |
485 | |
486 | /* --- Tidy up --- */ |
487 | |
488 | dstr_destroy(&d); |
489 | dstr_destroy(&t); |
490 | return (kk); |
491 | } |
492 | |
493 | /* --- @setupkem@ --- * |
494 | * |
495 | * Arguments: @kem *k@ = key-encapsulation thing |
496 | * @dstr *d@ = key-encapsulation data |
497 | * @gcipher **cx@ = key-expansion function (for IVs) |
498 | * @gcipher **c@ = where to put initialized encryption scheme |
499 | * @gmac **m@ = where to put initialized MAC |
500 | * |
501 | * Returns: Zero on success, nonzero on failure. |
502 | * |
503 | * Use: Initializes all the various symmetric things from a KEM. |
504 | */ |
505 | |
506 | int setupkem(kem *k, dstr *d, gcipher **cx, gcipher **c, gmac **m) |
507 | { |
508 | octet *kd; |
509 | size_t n, cn, mn; |
510 | ghash *h; |
c65df279 |
511 | int rc = -1; |
5c3f75ec |
512 | |
513 | h = GH_INIT(k->h); |
514 | if (k->ops->doit(k, d, h)) |
515 | goto done; |
516 | n = keysz(GH_CLASS(h)->hashsz, k->cx->keysz); |
517 | if (!n) |
518 | goto done; |
519 | kd = GH_DONE(h, 0); |
520 | *cx = GC_INIT(k->cx, kd, n); |
521 | |
522 | cn = keysz(0, k->c->keysz); n = cn; |
523 | mn = keysz(0, k->m->keysz); if (mn > n) n = mn; |
524 | kd = xmalloc(n); |
525 | GC_ENCRYPT(*cx, 0, kd, cn); |
526 | *c = GC_INIT(k->c, kd, cn); |
527 | GC_ENCRYPT(*cx, 0, kd, mn); |
528 | *m = GM_KEY(k->m, kd, mn); |
529 | xfree(kd); |
530 | |
531 | rc = 0; |
532 | done: |
533 | GH_DESTROY(h); |
534 | return (rc); |
535 | } |
536 | |
537 | /* --- @freekem@ --- * |
538 | * |
539 | * Arguments: @kem *k@ = key-encapsulation thing |
540 | * |
541 | * Returns: --- |
542 | * |
543 | * Use: Frees up a key-encapsulation thing. |
544 | */ |
545 | |
546 | void freekem(kem *k) |
547 | { |
548 | key_fetchdone(k->kp); |
549 | xfree(k->kd); |
550 | k->ops->destroy(k); |
551 | } |
552 | |
553 | /*----- That's all, folks -------------------------------------------------*/ |