~mdw / catacomb / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
symm/latinpoly-def.h: Implement Bernstein's `crypto_secretbox'.
[catacomb] / progs / cc-kem.c
CommitLineData
5c3f75ec 1/* -*-c-*-
2 *
5c3f75ec 3 * Catcrypt key-encapsulation
4 *
5 * (c) 2004 Straylight/Edgeware
6 */
7
45c0fd36 8/*----- Licensing notice --------------------------------------------------*
5c3f75ec 9 *
10 * This file is part of Catacomb.
11 *
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
45c0fd36 16 *
5c3f75ec 17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
45c0fd36 21 *
5c3f75ec 22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 * MA 02111-1307, USA.
26 */
27
28/*----- Header files ------------------------------------------------------*/
29
cd6eca43
MW		 30#define _FILE_OFFSET_BITS 64
31
5c3f75ec 32#include <stdlib.h>
33
34#include <mLib/alloc.h>
35#include <mLib/dstr.h>
36#include <mLib/report.h>
37#include <mLib/sub.h>
38
11ee758a 39#include "gaead.h"
5c3f75ec 40#include "mprand.h"
41#include "rand.h"
42
43#include "ec.h"
44#include "ec-keys.h"
45#include "dh.h"
46#include "rsa.h"
fc2d44af 47#include "x25519.h"
643eb1bb 48#include "x448.h"
5c3f75ec 49
50#include "rmd160.h"
51#include "blowfish-cbc.h"
11ee758a 52#include "chacha20-poly1305.h"
d9d419b0
MW		 53#include "poly1305.h"
54#include "salsa20.h"
55#include "chacha.h"
5c3f75ec 56
57#include "cc.h"
58
66ff643c
MW		 59/*----- Bulk crypto -------------------------------------------------------*/
60
d9d419b0
MW		 61/* --- NaCl `secretbox' --- */
62
63typedef struct naclbox_encctx {
64 bulk b;
65 const gccipher *cc;
66 gcipher *c;
67} naclbox_encctx;
68
69static bulk *naclbox_init(key *k, const char *calg, const char *halg)
70{
71 naclbox_encctx *ctx = CREATE(naclbox_encctx);
72 dstr t = DSTR_INIT;
73 const char *q;
74
75 key_fulltag(k, &t);
76
77 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
78 if (!calg || strcmp(calg, "salsa20") == 0) ctx->cc = &salsa20;
79 else if (strcmp(calg, "salsa20/12") == 0) ctx->cc = &salsa2012;
80 else if (strcmp(calg, "salsa20/8") == 0) ctx->cc = &salsa208;
81 else if (strcmp(calg, "chacha20") == 0) ctx->cc = &chacha20;
82 else if (strcmp(calg, "chacha12") == 0) ctx->cc = &chacha12;
83 else if (strcmp(calg, "chacha8") == 0) ctx->cc = &chacha8;
84 else {
85 die(EXIT_FAILURE,
86 "unknown or inappropriate encryption scheme `%s' in key `%s'",
87 calg, t.buf);
88 }
89
90 dstr_destroy(&t);
91 return (&ctx->b);
92}
93
94static int naclbox_setup(bulk *b, gcipher *cx)
95{
96 naclbox_encctx *ctx = (naclbox_encctx *)b;
97 octet k[SALSA20_KEYSZ];
98
99 GC_ENCRYPT(cx, 0, k, sizeof(k));
100 ctx->c = GC_INIT(ctx->cc, k, sizeof(k));
101 return (0);
102}
103
104static size_t naclbox_overhead(bulk *b) { return (POLY1305_TAGSZ); }
105
106static void naclbox_destroy(bulk *b)
107{
108 naclbox_encctx *ctx = (naclbox_encctx *)b;
109
110 GC_DESTROY(ctx->c);
111 DESTROY(ctx);
112}
113
114static const char *naclbox_encdoit(bulk *b, uint32 seq, buf *bb,
115 const void *p, size_t sz)
116{
117 naclbox_encctx *ctx = (naclbox_encctx *)b;
118 octet t[32];
119 poly1305_key ak;
120 poly1305_ctx a;
121 octet *tag, *ct;
122
123 STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
124 GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
125 poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
126 poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
127
128 tag = buf_get(bb, POLY1305_TAGSZ); assert(tag);
129 ct = buf_get(bb, sz); assert(ct);
130 GC_ENCRYPT(ctx->c, p, ct, sz);
131 poly1305_hash(&a, ct, sz);
132 poly1305_done(&a, tag);
133 return (0);
134}
135
136static const char *naclbox_decdoit(bulk *b, uint32 seq, buf *bb,
137 const void *p, size_t sz)
138{
139 naclbox_encctx *ctx = (naclbox_encctx *)b;
140 buf bin;
141 octet t[32];
142 poly1305_key ak;
143 poly1305_ctx a;
144 octet *tag, *ct, *pt;
145
146 STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
147 GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
148 poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
149 poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
150
151 buf_init(&bin, (/*unconst*/ void *)p, sz);
152 if ((tag = buf_get(&bin, POLY1305_TAGSZ)) == 0) return ("no tag");
153 ct = BCUR(&bin); sz = BLEFT(&bin);
154 poly1305_hash(&a, ct, sz);
155 poly1305_done(&a, t);
156 if (!ct_memeq(t, tag, POLY1305_TAGSZ)) return ("authentication failure");
157 pt = buf_get(bb, sz); assert(pt);
158 GC_DECRYPT(ctx->c, ct, pt, sz);
159 return (0);
160}
161
162static const bulkops naclbox_encops = {
163 naclbox_init, naclbox_setup, naclbox_overhead,
164 naclbox_encdoit, naclbox_destroy
165}, naclbox_decops = {
166 naclbox_init, naclbox_setup, naclbox_overhead,
167 naclbox_decdoit, naclbox_destroy
168};
169
11ee758a
MW		 170/* --- Authenticated encryption schemes --- */
171
172typedef struct aead_encctx {
173 bulk b;
174 const gcaead *aec;
175 gaead_key *key;
176 union { gaead_enc *enc; gaead_dec *dec; } ed;
177 octet *t;
178 size_t nsz, tsz;
179} aead_encctx;
180
181static bulk *aead_init(key *k, const char *calg, const char *halg)
182{
183 aead_encctx *ctx = CREATE(aead_encctx);
184 const char *q;
185 dstr t = DSTR_INIT;
186
187 key_fulltag(k, &t);
188
189 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
190 if (!calg) ctx->aec = &chacha20_poly1305;
191 else if ((ctx->aec = gaead_byname(calg)) == 0)
192 die(EXIT_FAILURE, "AEAD scheme `%s' not found in key `%s'",
193 calg, t.buf);
194
195 ctx->key = 0;
196 if ((ctx->nsz = keysz_pad(4, ctx->aec->noncesz)) == 0)
197 die(EXIT_FAILURE, "no suitable nonce size for `%s'", calg);
198 ctx->tsz = keysz(0, ctx->aec->tagsz);
199
200 dstr_destroy(&t);
201 return (&ctx->b);
202}
203
204static int aead_commonsetup(aead_encctx *ctx, gcipher *cx)
205{
206 size_t ksz, n;
207
208 n = ksz = keysz(0, ctx->aec->keysz);
209 if (n < ctx->nsz) n = ctx->nsz;
210 if (n < ctx->tsz) n = ctx->tsz;
211 ctx->t = xmalloc(n);
212
213 GC_ENCRYPT(cx, 0, ctx->t, ksz);
214 ctx->key = GAEAD_KEY(ctx->aec, ctx->t, ksz);
215 return (0);
216}
217
218static size_t aead_overhead(bulk *b)
219 { aead_encctx *ctx = (aead_encctx *)b; return (ctx->aec->ohd + ctx->tsz); }
220
221static void aead_commondestroy(aead_encctx *ctx)
222{
223 if (ctx->key) GAEAD_DESTROY(ctx->key);
224 xfree(ctx->t);
225 DESTROY(ctx);
226}
227
228static int aead_encsetup(bulk *b, gcipher *cx)
229{
230 aead_encctx *ctx = (aead_encctx *)b;
231 ctx->ed.enc = 0; return (aead_commonsetup(ctx, cx));
232}
233
234static const char *aead_encdoit(bulk *b, uint32 seq, buf *bb,
235 const void *p, size_t sz)
236{
237 aead_encctx *ctx = (aead_encctx *)b;
238 octet *t;
239 int rc;
240
241 memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq);
242 if (!ctx->ed.enc)
243 ctx->ed.enc = GAEAD_ENC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
244 else
245 GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
246 t = buf_get(bb, ctx->tsz); assert(t);
247 rc = GAEAD_ENCRYPT(ctx->ed.enc, p, sz, bb); assert(rc >= 0);
248 rc = GAEAD_DONE(ctx->ed.enc, 0, bb, t, ctx->tsz); assert(rc >= 0);
249 return (0);
250}
251
252static void aead_encdestroy(bulk *b)
253{
254 aead_encctx *ctx = (aead_encctx *)b;
255 if (ctx->ed.enc) GAEAD_DESTROY(ctx->ed.enc);
256 aead_commondestroy(ctx);
257}
258
259static int aead_decsetup(bulk *b, gcipher *cx)
260{
261 aead_encctx *ctx = (aead_encctx *)b;
262 ctx->ed.dec = 0; return (aead_commonsetup(ctx, cx));
263}
264
265static const char *aead_decdoit(bulk *b, uint32 seq, buf *bb,
266 const void *p, size_t sz)
267{
268 aead_encctx *ctx = (aead_encctx *)b;
269 buf bin;
270 const octet *t;
271 int rc;
272
273 memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq);
274 if (!ctx->ed.dec)
275 ctx->ed.dec = GAEAD_DEC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
276 else
277 GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
278
279 buf_init(&bin, (/*unconst*/ void *)p, sz);
280 t = buf_get(&bin, ctx->tsz); if (!t) return ("no tag");
281 rc = GAEAD_DECRYPT(ctx->ed.dec, BCUR(&bin), BLEFT(&bin), bb);
282 assert(rc >= 0);
283 rc = GAEAD_DONE(ctx->ed.dec, 0, bb, t, ctx->tsz); assert(rc >= 0);
284 if (!rc) return ("authentication failure");
285 return (0);
286}
287
288static void aead_decdestroy(bulk *b)
289{
290 aead_encctx *ctx = (aead_encctx *)b;
291 if (ctx->ed.dec) GAEAD_DESTROY(ctx->ed.dec);
292 aead_commondestroy(ctx);
293}
294
295static const struct bulkops aead_encops = {
296 aead_init, aead_encsetup, aead_overhead,
297 aead_encdoit, aead_encdestroy
298}, aead_decops = {
299 aead_init, aead_decsetup, aead_overhead,
300 aead_decdoit, aead_decdestroy
301};
302
66ff643c
MW		 303/* --- Generic composition --- */
304
305typedef struct gencomp_encctx {
306 bulk b;
307 const gccipher *cc;
308 const gcmac *mc;
309 gcipher *c, *cx;
310 gmac *m;
311 octet *t; size_t tsz;
312} gencomp_encctx;
313
314static bulk *gencomp_init(key *k, const char *calg, const char *halg)
315{
316 gencomp_encctx *ctx = CREATE(gencomp_encctx);
317 const char *q;
318 dstr d = DSTR_INIT, t = DSTR_INIT;
319
320 key_fulltag(k, &t);
321
322 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
323 if (!calg) ctx->cc = &blowfish_cbc;
324 else if ((ctx->cc = gcipher_byname(calg)) == 0) {
325 die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'",
326 calg, t.buf);
327 }
328
329 dstr_reset(&d);
330 if ((q = key_getattr(0, k, "mac")) == 0) {
331 dstr_putf(&d, "%s-hmac", halg);
332 q = d.buf;
333 }
334 if ((ctx->mc = gmac_byname(q)) == 0) {
335 die(EXIT_FAILURE,
336 "message authentication code `%s' not found in key `%s'",
337 q, t.buf);
338 }
339
340 return (&ctx->b);
341}
342
343static int gencomp_setup(bulk *b, gcipher *cx)
344{
345 gencomp_encctx *ctx = (gencomp_encctx *)b;
346 size_t cn, mn, n;
347 octet *kd;
348
349 ctx->cx = cx;
350 n = ctx->cc->blksz;
351 cn = keysz(0, ctx->cc->keysz); if (cn > n) n = cn;
352 mn = keysz(0, ctx->mc->keysz); if (mn > n) n = mn;
353 ctx->t = kd = xmalloc(n); ctx->tsz = n;
354 GC_ENCRYPT(cx, 0, kd, cn);
355 ctx->c = GC_INIT(ctx->cc, kd, cn);
356 GC_ENCRYPT(cx, 0, kd, mn);
357 ctx->m = GM_KEY(ctx->mc, kd, mn);
358 return (0);
359}
360
361static size_t gencomp_overhead(bulk *b)
362{
363 gencomp_encctx *ctx = (gencomp_encctx *)b;
364 return (ctx->cc->blksz + ctx->mc->hashsz); }
365
366static void gencomp_destroy(bulk *b)
367{
368 gencomp_encctx *ctx = (gencomp_encctx *)b;
369
370 GC_DESTROY(ctx->c);
371 GC_DESTROY(ctx->m);
372 xfree(ctx->t);
373 DESTROY(ctx);
374}
375
376static const char *gencomp_encdoit(bulk *b, uint32 seq, buf *bb,
377 const void *p, size_t sz)
378{
379 gencomp_encctx *ctx = (gencomp_encctx *)b;
380 octet *tag, *ct;
381 ghash *h = GM_INIT(ctx->m);
382
383 GH_HASHU32(h, seq);
384 if (ctx->cc->blksz) {
385 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
386 GC_SETIV(ctx->c, ctx->t);
387 }
388 tag = buf_get(bb, ctx->mc->hashsz); assert(tag);
389 ct = buf_get(bb, sz); assert(ct);
390 GC_ENCRYPT(ctx->c, p, ct, sz);
391 GH_HASH(h, ct, sz);
392 GH_DONE(h, tag);
393 GH_DESTROY(h);
394 return (0);
395}
396
397static const char *gencomp_decdoit(bulk *b, uint32 seq, buf *bb,
398 const void *p, size_t sz)
399{
400 gencomp_encctx *ctx = (gencomp_encctx *)b;
401 buf bin;
402 const octet *tag, *ct;
403 octet *pt;
404 ghash *h;
405 int ok;
406
407 buf_init(&bin, (/*unconst*/ void *)p, sz);
408 if ((tag = buf_get(&bin, ctx->mc->hashsz)) == 0) return ("no tag");
409 ct = BCUR(&bin); sz = BLEFT(&bin);
410 pt = buf_get(bb, sz); assert(pt);
411
412 h = GM_INIT(ctx->m);
413 GH_HASHU32(h, seq);
414 GH_HASH(h, ct, sz);
415 ok = ct_memeq(tag, GH_DONE(h, 0), ctx->mc->hashsz);
416 GH_DESTROY(h);
417 if (!ok) return ("authentication failure");
418
419 if (ctx->cc->blksz) {
420 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
421 GC_SETIV(ctx->c, ctx->t);
422 }
423 GC_DECRYPT(ctx->c, ct, pt, sz);
424 return (0);
425}
426
427static const bulkops gencomp_encops = {
428 gencomp_init, gencomp_setup, gencomp_overhead,
429 gencomp_encdoit, gencomp_destroy
430}, gencomp_decops = {
431 gencomp_init, gencomp_setup, gencomp_overhead,
432 gencomp_decdoit, gencomp_destroy
433};
434
435const struct bulktab bulktab[] = {
436 { "gencomp", &gencomp_encops, &gencomp_decops },
d9d419b0 437 { "naclbox", &naclbox_encops, &naclbox_decops },
11ee758a 438 { "aead", &aead_encops, &aead_decops },
66ff643c
MW		 439 { 0, 0, 0 }
440};
441
5c3f75ec 442/*----- Key encapsulation -------------------------------------------------*/
443
444/* --- RSA --- */
445
446typedef struct rsa_encctx {
447 kem k;
448 rsa_pubctx rp;
449} rsa_encctx;
450
451static kem *rsa_encinit(key *k, void *kd)
452{
453 rsa_encctx *re = CREATE(rsa_encctx);
454 rsa_pubcreate(&re->rp, kd);
455 return (&re->k);
456}
457
458static int rsa_encdoit(kem *k, dstr *d, ghash *h)
459{
460 rsa_encctx *re = (rsa_encctx *)k;
461 mp *x = mprand_range(MP_NEW, re->rp.rp->n, &rand_global, 0);
462 mp *y = rsa_pubop(&re->rp, MP_NEW, x);
463 size_t n = mp_octets(re->rp.rp->n);
464 dstr_ensure(d, n);
465 mp_storeb(x, d->buf, n);
466 GH_HASH(h, d->buf, n);
467 mp_storeb(y, d->buf, n);
468 d->len += n;
469 mp_drop(x);
470 mp_drop(y);
471 return (0);
472}
473
474static const char *rsa_lengthcheck(mp *n)
475{
476 if (mp_bits(n) < 1020) return ("key too short");
477 return (0);
478}
479
480static const char *rsa_enccheck(kem *k)
481{
482 rsa_encctx *re = (rsa_encctx *)k;
483 const char *e;
484 if ((e = rsa_lengthcheck(re->rp.rp->n)) != 0) return (e);
485 return (0);
486}
487
488static void rsa_encdestroy(kem *k)
489{
490 rsa_encctx *re = (rsa_encctx *)k;
491 rsa_pubdestroy(&re->rp);
492 DESTROY(re);
493}
494
495static const kemops rsa_encops = {
496 rsa_pubfetch, sizeof(rsa_pub),
497 rsa_encinit, rsa_encdoit, rsa_enccheck, rsa_encdestroy
498};
499
500typedef struct rsa_decctx {
501 kem k;
502 rsa_privctx rp;
503} rsa_decctx;
504
505static kem *rsa_decinit(key *k, void *kd)
506{
507 rsa_decctx *rd = CREATE(rsa_decctx);
508 rsa_privcreate(&rd->rp, kd, &rand_global);
509 return (&rd->k);
510}
511
512static int rsa_decdoit(kem *k, dstr *d, ghash *h)
513{
514 rsa_decctx *rd = (rsa_decctx *)k;
515 mp *x = mp_loadb(MP_NEW, d->buf, d->len);
516 size_t n;
517 char *p;
518
519 if (MP_CMP(x, >=, rd->rp.rp->n)) {
520 mp_drop(x);
521 return (-1);
522 }
523 n = mp_octets(rd->rp.rp->n);
524 p = xmalloc(n);
525 x = rsa_privop(&rd->rp, x, x);
526 mp_storeb(x, p, n);
527 GH_HASH(h, p, n);
528 mp_drop(x);
529 xfree(p);
530 return (0);
531}
532
533static const char *rsa_deccheck(kem *k)
534{
535 rsa_decctx *rd = (rsa_decctx *)k;
536 const char *e;
537 if ((e = rsa_lengthcheck(rd->rp.rp->n)) != 0) return (e);
538 return (0);
539}
540
541static void rsa_decdestroy(kem *k)
542{
543 rsa_decctx *rd = (rsa_decctx *)k;
544 rsa_privdestroy(&rd->rp);
545 DESTROY(rd);
546}
547
548static const kemops rsa_decops = {
549 rsa_privfetch, sizeof(rsa_priv),
550 rsa_decinit, rsa_decdoit, rsa_deccheck, rsa_decdestroy
551};
552
553/* --- DH and EC --- */
554
555typedef struct dh_encctx {
556 kem k;
557 group *g;
558 mp *x;
559 ge *y;
560} dh_encctx;
561
45c0fd36 562static dh_encctx *dh_doinit(key *k, const gprime_param *gp, mp *y,
3688eb75 563 group *(*makegroup)(const gprime_param *),
564 const char *what)
5c3f75ec 565{
566 dh_encctx *de = CREATE(dh_encctx);
567 dstr t = DSTR_INIT;
568
569 key_fulltag(k, &t);
3688eb75 570 if ((de->g = makegroup(gp)) == 0)
571 die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf);
5c3f75ec 572 de->x = MP_NEW;
573 de->y = G_CREATE(de->g);
574 if (G_FROMINT(de->g, de->y, y))
575 die(EXIT_FAILURE, "bad public key `%s'", t.buf);
576 dstr_destroy(&t);
577 return (de);
578}
579
580static dh_encctx *ec_doinit(key *k, const char *cstr, const ec *y)
581{
582 dh_encctx *de = CREATE(dh_encctx);
583 ec_info ei;
584 const char *e;
585 dstr t = DSTR_INIT;
586
587 key_fulltag(k, &t);
588 if ((e = ec_getinfo(&ei, cstr)) != 0 ||
589 (de->g = group_ec(&ei)) == 0)
590 die(EXIT_FAILURE, "bad elliptic curve spec in key `%s': %s", t.buf, e);
591 de->x = MP_NEW;
592 de->y = G_CREATE(de->g);
593 if (G_FROMEC(de->g, de->y, y))
594 die(EXIT_FAILURE, "bad public curve point `%s'", t.buf);
595 dstr_destroy(&t);
596 return (de);
597}
598
599static kem *dh_encinit(key *k, void *kd)
600{
601 dh_pub *dp = kd;
3688eb75 602 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
603 return (&de->k);
604}
605
606static kem *bindh_encinit(key *k, void *kd)
607{
608 dh_pub *dp = kd;
609 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
5c3f75ec 610 return (&de->k);
611}
612
613static kem *ec_encinit(key *k, void *kd)
614{
615 ec_pub *ep = kd;
616 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
617 return (&de->k);
618}
619
620static int dh_encdoit(kem *k, dstr *d, ghash *h)
621{
622 dh_encctx *de = (dh_encctx *)k;
623 mp *r = mprand_range(MP_NEW, de->g->r, &rand_global, 0);
624 ge *x = G_CREATE(de->g);
625 ge *y = G_CREATE(de->g);
626 size_t n = de->g->noctets;
627 buf b;
45c0fd36 628
5c3f75ec 629 G_EXP(de->g, x, de->g->g, r);
630 G_EXP(de->g, y, de->y, r);
631 dstr_ensure(d, n);
632 buf_init(&b, d->buf, n);
633 G_TORAW(de->g, &b, y);
634 GH_HASH(h, BBASE(&b), BLEN(&b));
635 buf_init(&b, d->buf, n);
636 G_TORAW(de->g, &b, x);
637 GH_HASH(h, BBASE(&b), BLEN(&b));
638 d->len += BLEN(&b);
639 mp_drop(r);
640 G_DESTROY(de->g, x);
641 G_DESTROY(de->g, y);
642 return (0);
643}
644
645static const char *dh_enccheck(kem *k)
646{
647 dh_encctx *de = (dh_encctx *)k;
648 const char *e;
649 if ((e = G_CHECK(de->g, &rand_global)) != 0)
650 return (0);
651 if (group_check(de->g, de->y))
652 return ("public key not in subgroup");
653 return (0);
654}
655
656static void dh_encdestroy(kem *k)
657{
658 dh_encctx *de = (dh_encctx *)k;
659 G_DESTROY(de->g, de->y);
660 mp_drop(de->x);
661 G_DESTROYGROUP(de->g);
6f313264 662 DESTROY(de);
5c3f75ec 663}
664
665static const kemops dh_encops = {
666 dh_pubfetch, sizeof(dh_pub),
667 dh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
668};
669
3688eb75 670static const kemops bindh_encops = {
671 dh_pubfetch, sizeof(dh_pub),
672 bindh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
673};
674
5c3f75ec 675static const kemops ec_encops = {
676 ec_pubfetch, sizeof(ec_pub),
677 ec_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
678};
679
680static kem *dh_decinit(key *k, void *kd)
681{
682 dh_priv *dp = kd;
3688eb75 683 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
684 de->x = MP_COPY(dp->x);
685 return (&de->k);
686}
687
688static kem *bindh_decinit(key *k, void *kd)
689{
690 dh_priv *dp = kd;
691 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
5c3f75ec 692 de->x = MP_COPY(dp->x);
693 return (&de->k);
694}
695
696static kem *ec_decinit(key *k, void *kd)
697{
698 ec_priv *ep = kd;
699 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
700 de->x = MP_COPY(ep->x);
701 return (&de->k);
702}
703
704static int dh_decdoit(kem *k, dstr *d, ghash *h)
705{
706 dh_encctx *de = (dh_encctx *)k;
707 ge *x = G_CREATE(de->g);
708 size_t n = de->g->noctets;
709 void *p = xmalloc(n);
710 buf b;
711 int rc = -1;
712
713 buf_init(&b, d->buf, d->len);
714 if (G_FROMRAW(de->g, &b, x) || group_check(de->g, x))
715 goto done;
716 G_EXP(de->g, x, x, de->x);
717 buf_init(&b, p, n);
718 G_TORAW(de->g, &b, x);
719 GH_HASH(h, BBASE(&b), BLEN(&b));
720 GH_HASH(h, d->buf, d->len);
721 rc = 0;
722done:
723 G_DESTROY(de->g, x);
724 xfree(p);
725 return (rc);
726}
727
728static const kemops dh_decops = {
729 dh_privfetch, sizeof(dh_priv),
730 dh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
731};
732
3688eb75 733static const kemops bindh_decops = {
734 dh_privfetch, sizeof(dh_priv),
735 bindh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
736};
737
5c3f75ec 738static const kemops ec_decops = {
739 ec_privfetch, sizeof(ec_priv),
740 ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
741};
742
593f7bd3
MW		 743/* --- X25519 and similar schemes --- */
744
745#define XDHS(_) \
746 _(x25519, X25519) \
747 _(x448, X448)
748
749#define XDHDEF(xdh, XDH) \
750 \
751 static kem *xdh##_encinit(key *k, void *kd) { return (CREATE(kem)); } \
752 static void xdh##_encdestroy(kem *k) { DESTROY(k); } \
753 \
754 static const char *xdh##_enccheck(kem *k) \
755 { \
756 xdh##_pub *kd = k->kd; \
757 \
758 if (kd->pub.sz != XDH##_PUBSZ) \
759 return ("incorrect " #XDH "public key length"); \
760 return (0); \
761 } \
762 \
763 static int xdh##_encdoit(kem *k, dstr *d, ghash *h) \
764 { \
765 octet t[XDH##_KEYSZ], z[XDH##_OUTSZ]; \
766 xdh##_pub *kd = k->kd; \
767 \
768 rand_get(RAND_GLOBAL, t, sizeof(t)); \
769 dstr_ensure(d, XDH##_PUBSZ); \
770 xdh((octet *)d->buf, t, xdh##_base); \
771 xdh(z, t, kd->pub.k); \
772 d->len += XDH##_PUBSZ; \
773 GH_HASH(h, d->buf, XDH##_PUBSZ); \
774 GH_HASH(h, z, XDH##_OUTSZ); \
775 return (0); \
776 } \
777 \
778 static const char *xdh##_deccheck(kem *k) \
779 { \
780 xdh##_priv *kd = k->kd; \
781 \
782 if (kd->priv.sz != XDH##_KEYSZ) \
783 return ("incorrect " #XDH " private key length"); \
784 if (kd->pub.sz != XDH##_PUBSZ) \
785 return ("incorrect " #XDH " public key length"); \
786 return (0); \
787 } \
788 \
789 static int xdh##_decdoit(kem *k, dstr *d, ghash *h) \
790 { \
791 octet z[XDH##_OUTSZ]; \
792 xdh##_priv *kd = k->kd; \
793 int rc = -1; \
794 \
795 if (d->len != XDH##_PUBSZ) goto done; \
796 xdh(z, kd->priv.k, (const octet *)d->buf); \
797 GH_HASH(h, d->buf, XDH##_PUBSZ); \
798 GH_HASH(h, z, XDH##_OUTSZ); \
799 rc = 0; \
800 done: \
801 return (rc); \
802 } \
803 \
804 static const kemops xdh##_encops = { \
805 xdh##_pubfetch, sizeof(xdh##_pub), \
806 xdh##_encinit, xdh##_encdoit, xdh##_enccheck, xdh##_encdestroy \
807 }; \
808 \
809 static const kemops xdh##_decops = { \
810 xdh##_privfetch, sizeof(xdh##_priv), \
811 xdh##_encinit, xdh##_decdoit, xdh##_deccheck, xdh##_encdestroy \
812 };
813
814XDHS(XDHDEF)
815#undef XDHDEF
643eb1bb 816
02dfbd5b
MW		 817/* --- Symmetric --- */
818
819typedef struct symm_ctx {
820 kem k;
821 key_packdef kp;
822 key_bin kb;
823} symm_ctx;
824
825static kem *symm_init(key *k, void *kd)
826{
827 symm_ctx *s;
828 dstr d = DSTR_INIT;
829 int err;
830
831 s = CREATE(symm_ctx);
832
833 key_fulltag(k, &d);
834 s->kp.e = KENC_BINARY;
835 s->kp.p = &s->kb;
836 s->kp.kd = 0;
837
838 if ((err = key_unpack(&s->kp, kd, &d)) != 0) {
839 die(EXIT_FAILURE, "failed to unpack symmetric key `%s': %s",
840 d.buf, key_strerror(err));
841 }
842 dstr_destroy(&d);
843 return (&s->k);
844}
845
846static int symm_decdoit(kem *k, dstr *d, ghash *h)
847{
848 symm_ctx *s = (symm_ctx *)k;
849
850 GH_HASH(h, s->kb.k, s->kb.sz);
851 GH_HASH(h, d->buf, d->len);
852 return (0);
853}
854
855static int symm_encdoit(kem *k, dstr *d, ghash *h)
856{
857 dstr_ensure(d, h->ops->c->hashsz);
858 d->len += h->ops->c->hashsz;
859 rand_get(RAND_GLOBAL, d->buf, d->len);
860 return (symm_decdoit(k, d, h));
861}
862
863static const char *symm_check(kem *k) { return (0); }
864
865static void symm_destroy(kem *k)
866 { symm_ctx *s = (symm_ctx *)k; key_unpackdone(&s->kp); }
867
868static const kemops symm_encops = {
869 0, 0,
870 symm_init, symm_encdoit, symm_check, symm_destroy
871};
872
873static const kemops symm_decops = {
874 0, 0,
875 symm_init, symm_decdoit, symm_check, symm_destroy
876};
877
5c3f75ec 878/* --- The switch table --- */
879
c65df279 880const struct kemtab kemtab[] = {
5c3f75ec 881 { "rsa", &rsa_encops, &rsa_decops },
882 { "dh", &dh_encops, &dh_decops },
3688eb75 883 { "bindh", &bindh_encops, &bindh_decops },
5c3f75ec 884 { "ec", &ec_encops, &ec_decops },
593f7bd3
MW		 885#define XDHTAB(xdh, XDH) \
886 { #xdh, &xdh##_encops, &xdh##_decops },
887 XDHS(XDHTAB)
888#undef XDHTAB
02dfbd5b 889 { "symm", &symm_encops, &symm_decops },
5c3f75ec 890 { 0, 0, 0 }
891};
892
893/* --- @getkem@ --- *
894 *
895 * Arguments: @key *k@ = the key to load
896 * @const char *app@ = application name
897 * @int wantpriv@ = nonzero if we want to decrypt
66ff643c 898 * @bulk **bc@ = bulk crypto context to set up
5c3f75ec 899 *
900 * Returns: A key-encapsulating thing.
901 *
902 * Use: Loads a key.
903 */
904
66ff643c 905kem *getkem(key *k, const char *app, int wantpriv, bulk **bc)
5c3f75ec 906{
66ff643c 907 const char *kalg, *halg = 0, *balg = 0;
5c3f75ec 908 dstr d = DSTR_INIT;
909 dstr t = DSTR_INIT;
910 size_t n;
911 char *p = 0;
912 const char *q;
913 kem *kk;
914 const struct kemtab *kt;
915 const kemops *ko;
66ff643c
MW		 916 const struct bulktab *bt;
917 const bulkops *bo;
5c3f75ec 918 void *kd;
919 int e;
920 key_packdef *kp;
921
922 /* --- Setup stuff --- */
923
924 key_fulltag(k, &t);
925
926 /* --- Get the KEM name --- *
927 *
928 * Take the attribute if it's there; otherwise use the key type.
929 */
930
931 n = strlen(app);
932 if ((q = key_getattr(0, k, "kem")) != 0) {
933 dstr_puts(&d, q);
934 p = d.buf;
935 } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
936 dstr_puts(&d, k->type);
937 p = d.buf + n + 1;
938 } else
939 die(EXIT_FAILURE, "no KEM for key `%s'", t.buf);
940 kalg = p;
941
66ff643c 942 /* --- Grab the bulk encryption scheme --- *
5c3f75ec 943 *
944 * Grab it from the KEM if it's there, but override it from the attribute.
945 */
946
947 if (p && (p = strchr(p, '/')) != 0) {
948 *p++ = 0;
66ff643c 949 balg = p;
5c3f75ec 950 }
66ff643c
MW		 951 if ((q = key_getattr(0, k, "bulk")) != 0)
952 balg = q;
5c3f75ec 953
954 /* --- Grab the hash function --- */
955
956 if (p && (p = strchr(p, '/')) != 0) {
957 *p++ = 0;
958 halg = p;
959 }
960 if ((q = key_getattr(0, k, "hash")) != 0)
961 halg = q;
962
963 /* --- Instantiate the KEM --- */
964
965 for (kt = kemtab; kt->name; kt++) {
966 if (strcmp(kt->name, kalg) == 0)
967 goto k_found;
968 }
969 die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'",
970 kalg, t.buf);
971k_found:;
972 ko = wantpriv ? kt->decops : kt->encops;
02dfbd5b
MW		 973 if (!ko->kf) {
974 kd = k->k;
975 key_incref(kd);
78ec50fa 976 kp = 0;
02dfbd5b
MW		 977 } else {
978 kd = xmalloc(ko->kdsz);
979 kp = key_fetchinit(ko->kf, 0, kd);
980 if ((e = key_fetch(kp, k)) != 0) {
981 die(EXIT_FAILURE, "error fetching key `%s': %s",
982 t.buf, key_strerror(e));
983 }
984 }
5c3f75ec 985 kk = ko->init(k, kd);
986 kk->kp = kp;
987 kk->ops = ko;
988 kk->kd = kd;
989
66ff643c 990 /* --- Set up the bulk crypto --- */
5c3f75ec 991
992 if (!halg)
66ff643c
MW		 993 kk->hc = &rmd160;
994 else if ((kk->hc = ghash_byname(halg)) == 0) {
5c3f75ec 995 die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
996 halg, t.buf);
997 }
998
66ff643c
MW		 999 if (!balg)
1000 bt = bulktab;
1001 else {
1002 for (bt = bulktab, bo = 0; bt->name; bt++) {
1003 if (strcmp(balg, bt->name) == 0)
1004 { balg = 0; goto b_found; }
1005 n = strlen(bt->name);
1006 if (strncmp(balg, bt->name, n) == 0 && balg[n] == '-')
1007 { balg += n + 1; goto b_found; }
1008 }
1009 bt = bulktab;
1010 b_found:;
5c3f75ec 1011 }
66ff643c
MW		 1012 bo = wantpriv ? bt->decops : bt->encops;
1013 *bc = bo->init(k, balg, kk->hc->name);
1014 (*bc)->ops = bo;
5c3f75ec 1015
c90ce6bb
MW		 1016 dstr_reset(&d);
1017 if ((q = key_getattr(0, k, "kdf")) == 0) {
1018 dstr_putf(&d, "%s-mgf", kk->hc->name);
1019 q = d.buf;
1020 }
1021 if ((kk->cxc = gcipher_byname(q)) == 0) {
1022 die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'",
1023 q, t.buf);
1024 }
1025
5c3f75ec 1026 /* --- Tidy up --- */
1027
1028 dstr_destroy(&d);
1029 dstr_destroy(&t);
1030 return (kk);
1031}
1032
1033/* --- @setupkem@ --- *
1034 *
1035 * Arguments: @kem *k@ = key-encapsulation thing
1036 * @dstr *d@ = key-encapsulation data
66ff643c 1037 * @bulk *bc@ = bulk crypto context to set up
5c3f75ec 1038 *
1039 * Returns: Zero on success, nonzero on failure.
1040 *
1041 * Use: Initializes all the various symmetric things from a KEM.
1042 */
1043
66ff643c 1044int setupkem(kem *k, dstr *d, bulk *bc)
5c3f75ec 1045{
1046 octet *kd;
66ff643c 1047 size_t n;
5c3f75ec 1048 ghash *h;
c65df279 1049 int rc = -1;
5c3f75ec 1050
66ff643c 1051 h = GH_INIT(k->hc);
5c3f75ec 1052 if (k->ops->doit(k, d, h))
1053 goto done;
66ff643c 1054 n = keysz(GH_CLASS(h)->hashsz, k->cxc->keysz);
5c3f75ec 1055 if (!n)
1056 goto done;
1057 kd = GH_DONE(h, 0);
66ff643c
MW		 1058 k->cx = GC_INIT(k->cxc, kd, n);
1059 bc->ops->setup(bc, k->cx);
5c3f75ec 1060
1061 rc = 0;
1062done:
1063 GH_DESTROY(h);
1064 return (rc);
1065}
1066
1067/* --- @freekem@ --- *
1068 *
1069 * Arguments: @kem *k@ = key-encapsulation thing
1070 *
1071 * Returns: ---
1072 *
1073 * Use: Frees up a key-encapsulation thing.
1074 */
1075
1076void freekem(kem *k)
1077{
02dfbd5b
MW		 1078 if (!k->ops->kf)
1079 key_drop(k->kd);
1080 else {
1081 key_fetchdone(k->kp);
1082 xfree(k->kd);
1083 }
66ff643c 1084 GC_DESTROY(k->cx);
5c3f75ec 1085 k->ops->destroy(k);
1086}
1087
1088/*----- That's all, folks -------------------------------------------------*/
Catacomb cryptographic library