~mdw / catacomb / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
pub/, progs/: Implement Bernstein's Ed25519 signature scheme.
[catacomb] / progs / cc-kem.c
CommitLineData
5c3f75ec 1/* -*-c-*-
2 *
5c3f75ec 3 * Catcrypt key-encapsulation
4 *
5 * (c) 2004 Straylight/Edgeware
6 */
7
45c0fd36 8/*----- Licensing notice --------------------------------------------------*
5c3f75ec 9 *
10 * This file is part of Catacomb.
11 *
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
45c0fd36 16 *
5c3f75ec 17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
45c0fd36 21 *
5c3f75ec 22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 * MA 02111-1307, USA.
26 */
27
28/*----- Header files ------------------------------------------------------*/
29
cd6eca43
MW		 30#define _FILE_OFFSET_BITS 64
31
5c3f75ec 32#include <stdlib.h>
33
34#include <mLib/alloc.h>
35#include <mLib/dstr.h>
36#include <mLib/report.h>
37#include <mLib/sub.h>
38
39#include "mprand.h"
40#include "rand.h"
41
42#include "ec.h"
43#include "ec-keys.h"
44#include "dh.h"
45#include "rsa.h"
fc2d44af 46#include "x25519.h"
5c3f75ec 47
48#include "rmd160.h"
49#include "blowfish-cbc.h"
d9d419b0
MW		 50#include "poly1305.h"
51#include "salsa20.h"
52#include "chacha.h"
5c3f75ec 53
54#include "cc.h"
55
66ff643c
MW		 56/*----- Bulk crypto -------------------------------------------------------*/
57
d9d419b0
MW		 58/* --- NaCl `secretbox' --- */
59
60typedef struct naclbox_encctx {
61 bulk b;
62 const gccipher *cc;
63 gcipher *c;
64} naclbox_encctx;
65
66static bulk *naclbox_init(key *k, const char *calg, const char *halg)
67{
68 naclbox_encctx *ctx = CREATE(naclbox_encctx);
69 dstr t = DSTR_INIT;
70 const char *q;
71
72 key_fulltag(k, &t);
73
74 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
75 if (!calg || strcmp(calg, "salsa20") == 0) ctx->cc = &salsa20;
76 else if (strcmp(calg, "salsa20/12") == 0) ctx->cc = &salsa2012;
77 else if (strcmp(calg, "salsa20/8") == 0) ctx->cc = &salsa208;
78 else if (strcmp(calg, "chacha20") == 0) ctx->cc = &chacha20;
79 else if (strcmp(calg, "chacha12") == 0) ctx->cc = &chacha12;
80 else if (strcmp(calg, "chacha8") == 0) ctx->cc = &chacha8;
81 else {
82 die(EXIT_FAILURE,
83 "unknown or inappropriate encryption scheme `%s' in key `%s'",
84 calg, t.buf);
85 }
86
87 dstr_destroy(&t);
88 return (&ctx->b);
89}
90
91static int naclbox_setup(bulk *b, gcipher *cx)
92{
93 naclbox_encctx *ctx = (naclbox_encctx *)b;
94 octet k[SALSA20_KEYSZ];
95
96 GC_ENCRYPT(cx, 0, k, sizeof(k));
97 ctx->c = GC_INIT(ctx->cc, k, sizeof(k));
98 return (0);
99}
100
101static size_t naclbox_overhead(bulk *b) { return (POLY1305_TAGSZ); }
102
103static void naclbox_destroy(bulk *b)
104{
105 naclbox_encctx *ctx = (naclbox_encctx *)b;
106
107 GC_DESTROY(ctx->c);
108 DESTROY(ctx);
109}
110
111static const char *naclbox_encdoit(bulk *b, uint32 seq, buf *bb,
112 const void *p, size_t sz)
113{
114 naclbox_encctx *ctx = (naclbox_encctx *)b;
115 octet t[32];
116 poly1305_key ak;
117 poly1305_ctx a;
118 octet *tag, *ct;
119
120 STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
121 GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
122 poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
123 poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
124
125 tag = buf_get(bb, POLY1305_TAGSZ); assert(tag);
126 ct = buf_get(bb, sz); assert(ct);
127 GC_ENCRYPT(ctx->c, p, ct, sz);
128 poly1305_hash(&a, ct, sz);
129 poly1305_done(&a, tag);
130 return (0);
131}
132
133static const char *naclbox_decdoit(bulk *b, uint32 seq, buf *bb,
134 const void *p, size_t sz)
135{
136 naclbox_encctx *ctx = (naclbox_encctx *)b;
137 buf bin;
138 octet t[32];
139 poly1305_key ak;
140 poly1305_ctx a;
141 octet *tag, *ct, *pt;
142
143 STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
144 GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
145 poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
146 poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
147
148 buf_init(&bin, (/*unconst*/ void *)p, sz);
149 if ((tag = buf_get(&bin, POLY1305_TAGSZ)) == 0) return ("no tag");
150 ct = BCUR(&bin); sz = BLEFT(&bin);
151 poly1305_hash(&a, ct, sz);
152 poly1305_done(&a, t);
153 if (!ct_memeq(t, tag, POLY1305_TAGSZ)) return ("authentication failure");
154 pt = buf_get(bb, sz); assert(pt);
155 GC_DECRYPT(ctx->c, ct, pt, sz);
156 return (0);
157}
158
159static const bulkops naclbox_encops = {
160 naclbox_init, naclbox_setup, naclbox_overhead,
161 naclbox_encdoit, naclbox_destroy
162}, naclbox_decops = {
163 naclbox_init, naclbox_setup, naclbox_overhead,
164 naclbox_decdoit, naclbox_destroy
165};
166
66ff643c
MW		 167/* --- Generic composition --- */
168
169typedef struct gencomp_encctx {
170 bulk b;
171 const gccipher *cc;
172 const gcmac *mc;
173 gcipher *c, *cx;
174 gmac *m;
175 octet *t; size_t tsz;
176} gencomp_encctx;
177
178static bulk *gencomp_init(key *k, const char *calg, const char *halg)
179{
180 gencomp_encctx *ctx = CREATE(gencomp_encctx);
181 const char *q;
182 dstr d = DSTR_INIT, t = DSTR_INIT;
183
184 key_fulltag(k, &t);
185
186 if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
187 if (!calg) ctx->cc = &blowfish_cbc;
188 else if ((ctx->cc = gcipher_byname(calg)) == 0) {
189 die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'",
190 calg, t.buf);
191 }
192
193 dstr_reset(&d);
194 if ((q = key_getattr(0, k, "mac")) == 0) {
195 dstr_putf(&d, "%s-hmac", halg);
196 q = d.buf;
197 }
198 if ((ctx->mc = gmac_byname(q)) == 0) {
199 die(EXIT_FAILURE,
200 "message authentication code `%s' not found in key `%s'",
201 q, t.buf);
202 }
203
204 return (&ctx->b);
205}
206
207static int gencomp_setup(bulk *b, gcipher *cx)
208{
209 gencomp_encctx *ctx = (gencomp_encctx *)b;
210 size_t cn, mn, n;
211 octet *kd;
212
213 ctx->cx = cx;
214 n = ctx->cc->blksz;
215 cn = keysz(0, ctx->cc->keysz); if (cn > n) n = cn;
216 mn = keysz(0, ctx->mc->keysz); if (mn > n) n = mn;
217 ctx->t = kd = xmalloc(n); ctx->tsz = n;
218 GC_ENCRYPT(cx, 0, kd, cn);
219 ctx->c = GC_INIT(ctx->cc, kd, cn);
220 GC_ENCRYPT(cx, 0, kd, mn);
221 ctx->m = GM_KEY(ctx->mc, kd, mn);
222 return (0);
223}
224
225static size_t gencomp_overhead(bulk *b)
226{
227 gencomp_encctx *ctx = (gencomp_encctx *)b;
228 return (ctx->cc->blksz + ctx->mc->hashsz); }
229
230static void gencomp_destroy(bulk *b)
231{
232 gencomp_encctx *ctx = (gencomp_encctx *)b;
233
234 GC_DESTROY(ctx->c);
235 GC_DESTROY(ctx->m);
236 xfree(ctx->t);
237 DESTROY(ctx);
238}
239
240static const char *gencomp_encdoit(bulk *b, uint32 seq, buf *bb,
241 const void *p, size_t sz)
242{
243 gencomp_encctx *ctx = (gencomp_encctx *)b;
244 octet *tag, *ct;
245 ghash *h = GM_INIT(ctx->m);
246
247 GH_HASHU32(h, seq);
248 if (ctx->cc->blksz) {
249 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
250 GC_SETIV(ctx->c, ctx->t);
251 }
252 tag = buf_get(bb, ctx->mc->hashsz); assert(tag);
253 ct = buf_get(bb, sz); assert(ct);
254 GC_ENCRYPT(ctx->c, p, ct, sz);
255 GH_HASH(h, ct, sz);
256 GH_DONE(h, tag);
257 GH_DESTROY(h);
258 return (0);
259}
260
261static const char *gencomp_decdoit(bulk *b, uint32 seq, buf *bb,
262 const void *p, size_t sz)
263{
264 gencomp_encctx *ctx = (gencomp_encctx *)b;
265 buf bin;
266 const octet *tag, *ct;
267 octet *pt;
268 ghash *h;
269 int ok;
270
271 buf_init(&bin, (/*unconst*/ void *)p, sz);
272 if ((tag = buf_get(&bin, ctx->mc->hashsz)) == 0) return ("no tag");
273 ct = BCUR(&bin); sz = BLEFT(&bin);
274 pt = buf_get(bb, sz); assert(pt);
275
276 h = GM_INIT(ctx->m);
277 GH_HASHU32(h, seq);
278 GH_HASH(h, ct, sz);
279 ok = ct_memeq(tag, GH_DONE(h, 0), ctx->mc->hashsz);
280 GH_DESTROY(h);
281 if (!ok) return ("authentication failure");
282
283 if (ctx->cc->blksz) {
284 GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
285 GC_SETIV(ctx->c, ctx->t);
286 }
287 GC_DECRYPT(ctx->c, ct, pt, sz);
288 return (0);
289}
290
291static const bulkops gencomp_encops = {
292 gencomp_init, gencomp_setup, gencomp_overhead,
293 gencomp_encdoit, gencomp_destroy
294}, gencomp_decops = {
295 gencomp_init, gencomp_setup, gencomp_overhead,
296 gencomp_decdoit, gencomp_destroy
297};
298
299const struct bulktab bulktab[] = {
300 { "gencomp", &gencomp_encops, &gencomp_decops },
d9d419b0 301 { "naclbox", &naclbox_encops, &naclbox_decops },
66ff643c
MW		 302 { 0, 0, 0 }
303};
304
5c3f75ec 305/*----- Key encapsulation -------------------------------------------------*/
306
307/* --- RSA --- */
308
309typedef struct rsa_encctx {
310 kem k;
311 rsa_pubctx rp;
312} rsa_encctx;
313
314static kem *rsa_encinit(key *k, void *kd)
315{
316 rsa_encctx *re = CREATE(rsa_encctx);
317 rsa_pubcreate(&re->rp, kd);
318 return (&re->k);
319}
320
321static int rsa_encdoit(kem *k, dstr *d, ghash *h)
322{
323 rsa_encctx *re = (rsa_encctx *)k;
324 mp *x = mprand_range(MP_NEW, re->rp.rp->n, &rand_global, 0);
325 mp *y = rsa_pubop(&re->rp, MP_NEW, x);
326 size_t n = mp_octets(re->rp.rp->n);
327 dstr_ensure(d, n);
328 mp_storeb(x, d->buf, n);
329 GH_HASH(h, d->buf, n);
330 mp_storeb(y, d->buf, n);
331 d->len += n;
332 mp_drop(x);
333 mp_drop(y);
334 return (0);
335}
336
337static const char *rsa_lengthcheck(mp *n)
338{
339 if (mp_bits(n) < 1020) return ("key too short");
340 return (0);
341}
342
343static const char *rsa_enccheck(kem *k)
344{
345 rsa_encctx *re = (rsa_encctx *)k;
346 const char *e;
347 if ((e = rsa_lengthcheck(re->rp.rp->n)) != 0) return (e);
348 return (0);
349}
350
351static void rsa_encdestroy(kem *k)
352{
353 rsa_encctx *re = (rsa_encctx *)k;
354 rsa_pubdestroy(&re->rp);
355 DESTROY(re);
356}
357
358static const kemops rsa_encops = {
359 rsa_pubfetch, sizeof(rsa_pub),
360 rsa_encinit, rsa_encdoit, rsa_enccheck, rsa_encdestroy
361};
362
363typedef struct rsa_decctx {
364 kem k;
365 rsa_privctx rp;
366} rsa_decctx;
367
368static kem *rsa_decinit(key *k, void *kd)
369{
370 rsa_decctx *rd = CREATE(rsa_decctx);
371 rsa_privcreate(&rd->rp, kd, &rand_global);
372 return (&rd->k);
373}
374
375static int rsa_decdoit(kem *k, dstr *d, ghash *h)
376{
377 rsa_decctx *rd = (rsa_decctx *)k;
378 mp *x = mp_loadb(MP_NEW, d->buf, d->len);
379 size_t n;
380 char *p;
381
382 if (MP_CMP(x, >=, rd->rp.rp->n)) {
383 mp_drop(x);
384 return (-1);
385 }
386 n = mp_octets(rd->rp.rp->n);
387 p = xmalloc(n);
388 x = rsa_privop(&rd->rp, x, x);
389 mp_storeb(x, p, n);
390 GH_HASH(h, p, n);
391 mp_drop(x);
392 xfree(p);
393 return (0);
394}
395
396static const char *rsa_deccheck(kem *k)
397{
398 rsa_decctx *rd = (rsa_decctx *)k;
399 const char *e;
400 if ((e = rsa_lengthcheck(rd->rp.rp->n)) != 0) return (e);
401 return (0);
402}
403
404static void rsa_decdestroy(kem *k)
405{
406 rsa_decctx *rd = (rsa_decctx *)k;
407 rsa_privdestroy(&rd->rp);
408 DESTROY(rd);
409}
410
411static const kemops rsa_decops = {
412 rsa_privfetch, sizeof(rsa_priv),
413 rsa_decinit, rsa_decdoit, rsa_deccheck, rsa_decdestroy
414};
415
416/* --- DH and EC --- */
417
418typedef struct dh_encctx {
419 kem k;
420 group *g;
421 mp *x;
422 ge *y;
423} dh_encctx;
424
45c0fd36 425static dh_encctx *dh_doinit(key *k, const gprime_param *gp, mp *y,
3688eb75 426 group *(*makegroup)(const gprime_param *),
427 const char *what)
5c3f75ec 428{
429 dh_encctx *de = CREATE(dh_encctx);
430 dstr t = DSTR_INIT;
431
432 key_fulltag(k, &t);
3688eb75 433 if ((de->g = makegroup(gp)) == 0)
434 die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf);
5c3f75ec 435 de->x = MP_NEW;
436 de->y = G_CREATE(de->g);
437 if (G_FROMINT(de->g, de->y, y))
438 die(EXIT_FAILURE, "bad public key `%s'", t.buf);
439 dstr_destroy(&t);
440 return (de);
441}
442
443static dh_encctx *ec_doinit(key *k, const char *cstr, const ec *y)
444{
445 dh_encctx *de = CREATE(dh_encctx);
446 ec_info ei;
447 const char *e;
448 dstr t = DSTR_INIT;
449
450 key_fulltag(k, &t);
451 if ((e = ec_getinfo(&ei, cstr)) != 0 ||
452 (de->g = group_ec(&ei)) == 0)
453 die(EXIT_FAILURE, "bad elliptic curve spec in key `%s': %s", t.buf, e);
454 de->x = MP_NEW;
455 de->y = G_CREATE(de->g);
456 if (G_FROMEC(de->g, de->y, y))
457 die(EXIT_FAILURE, "bad public curve point `%s'", t.buf);
458 dstr_destroy(&t);
459 return (de);
460}
461
462static kem *dh_encinit(key *k, void *kd)
463{
464 dh_pub *dp = kd;
3688eb75 465 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
466 return (&de->k);
467}
468
469static kem *bindh_encinit(key *k, void *kd)
470{
471 dh_pub *dp = kd;
472 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
5c3f75ec 473 return (&de->k);
474}
475
476static kem *ec_encinit(key *k, void *kd)
477{
478 ec_pub *ep = kd;
479 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
480 return (&de->k);
481}
482
483static int dh_encdoit(kem *k, dstr *d, ghash *h)
484{
485 dh_encctx *de = (dh_encctx *)k;
486 mp *r = mprand_range(MP_NEW, de->g->r, &rand_global, 0);
487 ge *x = G_CREATE(de->g);
488 ge *y = G_CREATE(de->g);
489 size_t n = de->g->noctets;
490 buf b;
45c0fd36 491
5c3f75ec 492 G_EXP(de->g, x, de->g->g, r);
493 G_EXP(de->g, y, de->y, r);
494 dstr_ensure(d, n);
495 buf_init(&b, d->buf, n);
496 G_TORAW(de->g, &b, y);
497 GH_HASH(h, BBASE(&b), BLEN(&b));
498 buf_init(&b, d->buf, n);
499 G_TORAW(de->g, &b, x);
500 GH_HASH(h, BBASE(&b), BLEN(&b));
501 d->len += BLEN(&b);
502 mp_drop(r);
503 G_DESTROY(de->g, x);
504 G_DESTROY(de->g, y);
505 return (0);
506}
507
508static const char *dh_enccheck(kem *k)
509{
510 dh_encctx *de = (dh_encctx *)k;
511 const char *e;
512 if ((e = G_CHECK(de->g, &rand_global)) != 0)
513 return (0);
514 if (group_check(de->g, de->y))
515 return ("public key not in subgroup");
516 return (0);
517}
518
519static void dh_encdestroy(kem *k)
520{
521 dh_encctx *de = (dh_encctx *)k;
522 G_DESTROY(de->g, de->y);
523 mp_drop(de->x);
524 G_DESTROYGROUP(de->g);
6f313264 525 DESTROY(de);
5c3f75ec 526}
527
528static const kemops dh_encops = {
529 dh_pubfetch, sizeof(dh_pub),
530 dh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
531};
532
3688eb75 533static const kemops bindh_encops = {
534 dh_pubfetch, sizeof(dh_pub),
535 bindh_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
536};
537
5c3f75ec 538static const kemops ec_encops = {
539 ec_pubfetch, sizeof(ec_pub),
540 ec_encinit, dh_encdoit, dh_enccheck, dh_encdestroy
541};
542
543static kem *dh_decinit(key *k, void *kd)
544{
545 dh_priv *dp = kd;
3688eb75 546 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_prime, "prime");
547 de->x = MP_COPY(dp->x);
548 return (&de->k);
549}
550
551static kem *bindh_decinit(key *k, void *kd)
552{
553 dh_priv *dp = kd;
554 dh_encctx *de = dh_doinit(k, &dp->dp, dp->y, group_binary, "binary");
5c3f75ec 555 de->x = MP_COPY(dp->x);
556 return (&de->k);
557}
558
559static kem *ec_decinit(key *k, void *kd)
560{
561 ec_priv *ep = kd;
562 dh_encctx *de = ec_doinit(k, ep->cstr, &ep->p);
563 de->x = MP_COPY(ep->x);
564 return (&de->k);
565}
566
567static int dh_decdoit(kem *k, dstr *d, ghash *h)
568{
569 dh_encctx *de = (dh_encctx *)k;
570 ge *x = G_CREATE(de->g);
571 size_t n = de->g->noctets;
572 void *p = xmalloc(n);
573 buf b;
574 int rc = -1;
575
576 buf_init(&b, d->buf, d->len);
577 if (G_FROMRAW(de->g, &b, x) || group_check(de->g, x))
578 goto done;
579 G_EXP(de->g, x, x, de->x);
580 buf_init(&b, p, n);
581 G_TORAW(de->g, &b, x);
582 GH_HASH(h, BBASE(&b), BLEN(&b));
583 GH_HASH(h, d->buf, d->len);
584 rc = 0;
585done:
586 G_DESTROY(de->g, x);
587 xfree(p);
588 return (rc);
589}
590
591static const kemops dh_decops = {
592 dh_privfetch, sizeof(dh_priv),
593 dh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
594};
595
3688eb75 596static const kemops bindh_decops = {
597 dh_privfetch, sizeof(dh_priv),
598 bindh_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
599};
600
5c3f75ec 601static const kemops ec_decops = {
602 ec_privfetch, sizeof(ec_priv),
603 ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
604};
605
fc2d44af
MW		 606/* --- X25519 --- */
607
608static kem *x25519_encinit(key *k, void *kd) { return (CREATE(kem)); }
609static void x25519_encdestroy(kem *k) { DESTROY(k); }
610
611static const char *x25519_enccheck(kem *k)
612{
613 x25519_pub *kd = k->kd;
614
615 if (kd->pub.sz != X25519_PUBSZ)
616 return ("incorrect X25519 public key length");
617 return (0);
618}
619
620static int x25519_encdoit(kem *k, dstr *d, ghash *h)
621{
622 octet t[X25519_KEYSZ], z[X25519_OUTSZ];
623 x25519_pub *kd = k->kd;
624
625 rand_get(RAND_GLOBAL, t, sizeof(t));
626 dstr_ensure(d, X25519_PUBSZ);
627 x25519((octet *)d->buf, t, x25519_base);
628 x25519(z, t, kd->pub.k);
629 d->len += X25519_PUBSZ;
630 GH_HASH(h, d->buf, X25519_PUBSZ);
631 GH_HASH(h, z, X25519_OUTSZ);
632 return (0);
633}
634
635static const char *x25519_deccheck(kem *k)
636{
637 x25519_priv *kd = k->kd;
638
639 if (kd->priv.sz != X25519_KEYSZ)
640 return ("incorrect X25519 private key length");
641 if (kd->pub.sz != X25519_PUBSZ)
642 return ("incorrect X25519 public key length");
643 return (0);
644}
645
646static int x25519_decdoit(kem *k, dstr *d, ghash *h)
647{
648 octet z[X25519_OUTSZ];
649 x25519_priv *kd = k->kd;
650 int rc = -1;
651
652 if (d->len != X25519_PUBSZ) goto done;
653 x25519(z, kd->priv.k, (const octet *)d->buf);
654 GH_HASH(h, d->buf, X25519_PUBSZ);
655 GH_HASH(h, z, X25519_OUTSZ);
656 rc = 0;
657done:
658 return (rc);
659}
660
661static const kemops x25519_encops = {
662 x25519_pubfetch, sizeof(x25519_pub),
663 x25519_encinit, x25519_encdoit, x25519_enccheck, x25519_encdestroy
664};
665
666static const kemops x25519_decops = {
667 x25519_privfetch, sizeof(x25519_priv),
668 x25519_encinit, x25519_decdoit, x25519_deccheck, x25519_encdestroy
669};
670
02dfbd5b
MW		 671/* --- Symmetric --- */
672
673typedef struct symm_ctx {
674 kem k;
675 key_packdef kp;
676 key_bin kb;
677} symm_ctx;
678
679static kem *symm_init(key *k, void *kd)
680{
681 symm_ctx *s;
682 dstr d = DSTR_INIT;
683 int err;
684
685 s = CREATE(symm_ctx);
686
687 key_fulltag(k, &d);
688 s->kp.e = KENC_BINARY;
689 s->kp.p = &s->kb;
690 s->kp.kd = 0;
691
692 if ((err = key_unpack(&s->kp, kd, &d)) != 0) {
693 die(EXIT_FAILURE, "failed to unpack symmetric key `%s': %s",
694 d.buf, key_strerror(err));
695 }
696 dstr_destroy(&d);
697 return (&s->k);
698}
699
700static int symm_decdoit(kem *k, dstr *d, ghash *h)
701{
702 symm_ctx *s = (symm_ctx *)k;
703
704 GH_HASH(h, s->kb.k, s->kb.sz);
705 GH_HASH(h, d->buf, d->len);
706 return (0);
707}
708
709static int symm_encdoit(kem *k, dstr *d, ghash *h)
710{
711 dstr_ensure(d, h->ops->c->hashsz);
712 d->len += h->ops->c->hashsz;
713 rand_get(RAND_GLOBAL, d->buf, d->len);
714 return (symm_decdoit(k, d, h));
715}
716
717static const char *symm_check(kem *k) { return (0); }
718
719static void symm_destroy(kem *k)
720 { symm_ctx *s = (symm_ctx *)k; key_unpackdone(&s->kp); }
721
722static const kemops symm_encops = {
723 0, 0,
724 symm_init, symm_encdoit, symm_check, symm_destroy
725};
726
727static const kemops symm_decops = {
728 0, 0,
729 symm_init, symm_decdoit, symm_check, symm_destroy
730};
731
5c3f75ec 732/* --- The switch table --- */
733
c65df279 734const struct kemtab kemtab[] = {
5c3f75ec 735 { "rsa", &rsa_encops, &rsa_decops },
736 { "dh", &dh_encops, &dh_decops },
3688eb75 737 { "bindh", &bindh_encops, &bindh_decops },
5c3f75ec 738 { "ec", &ec_encops, &ec_decops },
fc2d44af 739 { "x25519", &x25519_encops, &x25519_decops },
02dfbd5b 740 { "symm", &symm_encops, &symm_decops },
5c3f75ec 741 { 0, 0, 0 }
742};
743
744/* --- @getkem@ --- *
745 *
746 * Arguments: @key *k@ = the key to load
747 * @const char *app@ = application name
748 * @int wantpriv@ = nonzero if we want to decrypt
66ff643c 749 * @bulk **bc@ = bulk crypto context to set up
5c3f75ec 750 *
751 * Returns: A key-encapsulating thing.
752 *
753 * Use: Loads a key.
754 */
755
66ff643c 756kem *getkem(key *k, const char *app, int wantpriv, bulk **bc)
5c3f75ec 757{
66ff643c 758 const char *kalg, *halg = 0, *balg = 0;
5c3f75ec 759 dstr d = DSTR_INIT;
760 dstr t = DSTR_INIT;
761 size_t n;
762 char *p = 0;
763 const char *q;
764 kem *kk;
765 const struct kemtab *kt;
766 const kemops *ko;
66ff643c
MW		 767 const struct bulktab *bt;
768 const bulkops *bo;
5c3f75ec 769 void *kd;
770 int e;
771 key_packdef *kp;
772
773 /* --- Setup stuff --- */
774
775 key_fulltag(k, &t);
776
777 /* --- Get the KEM name --- *
778 *
779 * Take the attribute if it's there; otherwise use the key type.
780 */
781
782 n = strlen(app);
783 if ((q = key_getattr(0, k, "kem")) != 0) {
784 dstr_puts(&d, q);
785 p = d.buf;
786 } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
787 dstr_puts(&d, k->type);
788 p = d.buf + n + 1;
789 } else
790 die(EXIT_FAILURE, "no KEM for key `%s'", t.buf);
791 kalg = p;
792
66ff643c 793 /* --- Grab the bulk encryption scheme --- *
5c3f75ec 794 *
795 * Grab it from the KEM if it's there, but override it from the attribute.
796 */
797
798 if (p && (p = strchr(p, '/')) != 0) {
799 *p++ = 0;
66ff643c 800 balg = p;
5c3f75ec 801 }
66ff643c
MW		 802 if ((q = key_getattr(0, k, "bulk")) != 0)
803 balg = q;
5c3f75ec 804
805 /* --- Grab the hash function --- */
806
807 if (p && (p = strchr(p, '/')) != 0) {
808 *p++ = 0;
809 halg = p;
810 }
811 if ((q = key_getattr(0, k, "hash")) != 0)
812 halg = q;
813
814 /* --- Instantiate the KEM --- */
815
816 for (kt = kemtab; kt->name; kt++) {
817 if (strcmp(kt->name, kalg) == 0)
818 goto k_found;
819 }
820 die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'",
821 kalg, t.buf);
822k_found:;
823 ko = wantpriv ? kt->decops : kt->encops;
02dfbd5b
MW		 824 if (!ko->kf) {
825 kd = k->k;
826 key_incref(kd);
78ec50fa 827 kp = 0;
02dfbd5b
MW		 828 } else {
829 kd = xmalloc(ko->kdsz);
830 kp = key_fetchinit(ko->kf, 0, kd);
831 if ((e = key_fetch(kp, k)) != 0) {
832 die(EXIT_FAILURE, "error fetching key `%s': %s",
833 t.buf, key_strerror(e));
834 }
835 }
5c3f75ec 836 kk = ko->init(k, kd);
837 kk->kp = kp;
838 kk->ops = ko;
839 kk->kd = kd;
840
66ff643c 841 /* --- Set up the bulk crypto --- */
5c3f75ec 842
843 if (!halg)
66ff643c
MW		 844 kk->hc = &rmd160;
845 else if ((kk->hc = ghash_byname(halg)) == 0) {
5c3f75ec 846 die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
847 halg, t.buf);
848 }
849
5c3f75ec 850 dstr_reset(&d);
851 if ((q = key_getattr(0, k, "kdf")) == 0) {
66ff643c 852 dstr_putf(&d, "%s-mgf", kk->hc->name);
5c3f75ec 853 q = d.buf;
854 }
66ff643c 855 if ((kk->cxc = gcipher_byname(q)) == 0) {
5c3f75ec 856 die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'",
857 q, t.buf);
858 }
45c0fd36 859
66ff643c
MW		 860 if (!balg)
861 bt = bulktab;
862 else {
863 for (bt = bulktab, bo = 0; bt->name; bt++) {
864 if (strcmp(balg, bt->name) == 0)
865 { balg = 0; goto b_found; }
866 n = strlen(bt->name);
867 if (strncmp(balg, bt->name, n) == 0 && balg[n] == '-')
868 { balg += n + 1; goto b_found; }
869 }
870 bt = bulktab;
871 b_found:;
5c3f75ec 872 }
66ff643c
MW		 873 bo = wantpriv ? bt->decops : bt->encops;
874 *bc = bo->init(k, balg, kk->hc->name);
875 (*bc)->ops = bo;
5c3f75ec 876
877 /* --- Tidy up --- */
878
879 dstr_destroy(&d);
880 dstr_destroy(&t);
881 return (kk);
882}
883
884/* --- @setupkem@ --- *
885 *
886 * Arguments: @kem *k@ = key-encapsulation thing
887 * @dstr *d@ = key-encapsulation data
66ff643c 888 * @bulk *bc@ = bulk crypto context to set up
5c3f75ec 889 *
890 * Returns: Zero on success, nonzero on failure.
891 *
892 * Use: Initializes all the various symmetric things from a KEM.
893 */
894
66ff643c 895int setupkem(kem *k, dstr *d, bulk *bc)
5c3f75ec 896{
897 octet *kd;
66ff643c 898 size_t n;
5c3f75ec 899 ghash *h;
c65df279 900 int rc = -1;
5c3f75ec 901
66ff643c 902 h = GH_INIT(k->hc);
5c3f75ec 903 if (k->ops->doit(k, d, h))
904 goto done;
66ff643c 905 n = keysz(GH_CLASS(h)->hashsz, k->cxc->keysz);
5c3f75ec 906 if (!n)
907 goto done;
908 kd = GH_DONE(h, 0);
66ff643c
MW		 909 k->cx = GC_INIT(k->cxc, kd, n);
910 bc->ops->setup(bc, k->cx);
5c3f75ec 911
912 rc = 0;
913done:
914 GH_DESTROY(h);
915 return (rc);
916}
917
918/* --- @freekem@ --- *
919 *
920 * Arguments: @kem *k@ = key-encapsulation thing
921 *
922 * Returns: ---
923 *
924 * Use: Frees up a key-encapsulation thing.
925 */
926
927void freekem(kem *k)
928{
02dfbd5b
MW		 929 if (!k->ops->kf)
930 key_drop(k->kd);
931 else {
932 key_fetchdone(k->kp);
933 xfree(k->kd);
934 }
66ff643c 935 GC_DESTROY(k->cx);
5c3f75ec 936 k->ops->destroy(k);
937}
938
939/*----- That's all, folks -------------------------------------------------*/
Catacomb cryptographic library