~mdw / catacomb / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
pub/ed25519.[ch], etc.: Implement the `context' variant from RFC8032.
[catacomb] / progs / cc-sig.c
1 /* -*-c-*-
2 *
3 * Catcrypt signatures
4 *
5 * (c) 2004 Straylight/Edgeware
6 */
7
8 /*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Catacomb.
11 *
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
16 *
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
21 *
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 * MA 02111-1307, USA.
26 */
27
28 /*----- Header files ------------------------------------------------------*/
29
30 #define _FILE_OFFSET_BITS 64
31
32 #include <stdlib.h>
33
34 #include <mLib/report.h>
35
36 #include "rand.h"
37 #include "sha.h"
38 #include "has160.h"
39 #include "sha512.h"
40
41 #include "ct.h"
42 #include "ec.h"
43 #include "ec-keys.h"
44 #include "dh.h"
45 #include "gdsa.h"
46 #include "gkcdsa.h"
47 #include "rsa.h"
48 #include "ed25519.h"
49
50 #include "cc.h"
51
52 /*----- Main code ---------------------------------------------------------*/
53
54 /* --- RSA PKCS1 --- */
55
56 typedef struct rsap1_sigctx {
57 sig s;
58 rsa_privctx rp;
59 pkcs1 p1;
60 } rsap1_sigctx;
61
62 static sig *rsap1_siginit(key *k, void *kd, const gchash *hc)
63 {
64 rsap1_sigctx *rs = CREATE(rsap1_sigctx);
65 rsa_privcreate(&rs->rp, kd, &rand_global);
66 rs->p1.r = &rand_global;
67 rs->p1.ep = hc->name;
68 rs->p1.epsz = strlen(hc->name) + 1;
69 rs->s.h = 0;
70 return (&rs->s);
71 }
72
73 static int rsap1_sigdoit(sig *s, dstr *d)
74 {
75 rsap1_sigctx *rs = (rsap1_sigctx *)s;
76 size_t n;
77 mp *m = rsa_sign(&rs->rp, MP_NEW,
78 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
79 pkcs1_sigencode, &rs->p1);
80 if (!m) return (-1);
81 n = mp_octets(rs->rp.rp->n); dstr_ensure(d, n); mp_storeb(m, d->buf, n);
82 d->len += n; mp_drop(m);
83 return (0);
84 }
85
86 static const char *rsa_lengthcheck(mp *n)
87 {
88 if (mp_bits(n) < 1024) return ("key too short");
89 return (0);
90 }
91
92 static const char *rsap1_sigcheck(sig *s)
93 {
94 rsap1_sigctx *rs = (rsap1_sigctx *)s;
95 const char *e;
96 if ((e = rsa_lengthcheck(rs->rp.rp->n)) != 0) return (e);
97 return (0);
98 }
99
100 static void rsap1_sigdestroy(sig *s)
101 {
102 rsap1_sigctx *rs = (rsap1_sigctx *)s;
103 rsa_privdestroy(&rs->rp);
104 DESTROY(rs);
105 }
106
107 static const sigops rsap1_sig = {
108 rsa_privfetch, sizeof(rsa_priv),
109 rsap1_siginit, rsap1_sigdoit, rsap1_sigcheck, rsap1_sigdestroy
110 };
111
112 typedef struct rsap1_vrfctx {
113 sig s;
114 rsa_pubctx rp;
115 pkcs1 p1;
116 } rsap1_vrfctx;
117
118 static sig *rsap1_vrfinit(key *k, void *kd, const gchash *hc)
119 {
120 rsap1_vrfctx *rv = CREATE(rsap1_vrfctx);
121 rsa_pubcreate(&rv->rp, kd);
122 rv->p1.r = &rand_global;
123 rv->p1.ep = hc->name;
124 rv->p1.epsz = strlen(hc->name) + 1;
125 rv->s.h = 0;
126 return (&rv->s);
127 }
128
129 static int rsap1_vrfdoit(sig *s, dstr *d)
130 {
131 rsap1_vrfctx *rv = (rsap1_vrfctx *)s;
132 mp *m = mp_loadb(MP_NEW, d->buf, d->len);
133 int rc = rsa_verify(&rv->rp, m,
134 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
135 0, pkcs1_sigdecode, &rv->p1);
136 mp_drop(m);
137 return (rc);
138 }
139
140 static const char *rsap1_vrfcheck(sig *s)
141 {
142 rsap1_vrfctx *rv = (rsap1_vrfctx *)s;
143 const char *e;
144 if ((e = rsa_lengthcheck(rv->rp.rp->n)) != 0) return (e);
145 return (0);
146 }
147
148 static void rsap1_vrfdestroy(sig *s)
149 {
150 rsap1_vrfctx *rv = (rsap1_vrfctx *)s;
151 rsa_pubdestroy(&rv->rp);
152 DESTROY(rv);
153 }
154
155 static const sigops rsap1_vrf = {
156 rsa_pubfetch, sizeof(rsa_pub),
157 rsap1_vrfinit, rsap1_vrfdoit, rsap1_vrfcheck, rsap1_vrfdestroy
158 };
159
160 /* --- RSA PSS --- */
161
162 static const gccipher *getmgf(key *k, const gchash *hc)
163 {
164 dstr d = DSTR_INIT;
165 const gccipher *gc;
166 const char *mm;
167
168 if ((mm = key_getattr(0, k, "mgf")) == 0) {
169 dstr_putf(&d, "%s-mgf", hc->name);
170 mm = d.buf;
171 }
172 if ((gc = gcipher_byname(mm)) == 0)
173 die(EXIT_FAILURE, "unknown encryption scheme `%s'", mm);
174 dstr_destroy(&d);
175 return (gc);
176 }
177
178 typedef struct rsapss_sigctx {
179 sig s;
180 rsa_privctx rp;
181 pss p;
182 } rsapss_sigctx;
183
184 static sig *rsapss_siginit(key *k, void *kd, const gchash *hc)
185 {
186 rsapss_sigctx *rs = CREATE(rsapss_sigctx);
187 rsa_privcreate(&rs->rp, kd, &rand_global);
188 rs->s.h = 0;
189 rs->p.r = &rand_global;
190 rs->p.cc = getmgf(k, hc);
191 rs->p.ch = hc;
192 rs->p.ssz = hc->hashsz;
193 return (&rs->s);
194 }
195
196 static int rsapss_sigdoit(sig *s, dstr *d)
197 {
198 rsapss_sigctx *rs = (rsapss_sigctx *)s;
199 size_t n;
200 mp *m = rsa_sign(&rs->rp, MP_NEW,
201 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
202 pss_encode, &rs->p);
203 if (!m) return (-1);
204 n = mp_octets(rs->rp.rp->n); dstr_ensure(d, n); mp_storeb(m, d->buf, n);
205 d->len += n; mp_drop(m);
206 return (0);
207 }
208
209 static const char *rsapss_sigcheck(sig *s)
210 {
211 rsapss_sigctx *rs = (rsapss_sigctx *)s;
212 const char *e;
213 if ((e = rsa_lengthcheck(rs->rp.rp->n)) != 0) return (e);
214 return (0);
215 }
216
217 static void rsapss_sigdestroy(sig *s)
218 {
219 rsapss_sigctx *rs = (rsapss_sigctx *)s;
220 rsa_privdestroy(&rs->rp);
221 DESTROY(rs);
222 }
223
224 static const sigops rsapss_sig = {
225 rsa_privfetch, sizeof(rsa_priv),
226 rsapss_siginit, rsapss_sigdoit, rsapss_sigcheck, rsapss_sigdestroy
227 };
228
229 typedef struct rsapss_vrfctx {
230 sig s;
231 rsa_pubctx rp;
232 pss p;
233 } rsapss_vrfctx;
234
235 static sig *rsapss_vrfinit(key *k, void *kd, const gchash *hc)
236 {
237 rsapss_vrfctx *rv = CREATE(rsapss_vrfctx);
238 rsa_pubcreate(&rv->rp, kd);
239 rv->s.h = 0;
240 rv->p.r = &rand_global;
241 rv->p.cc = getmgf(k, hc);
242 rv->p.ch = hc;
243 rv->p.ssz = hc->hashsz;
244 return (&rv->s);
245 }
246
247 static int rsapss_vrfdoit(sig *s, dstr *d)
248 {
249 rsapss_vrfctx *rv = (rsapss_vrfctx *)s;
250 mp *m = mp_loadb(MP_NEW, d->buf, d->len);
251 int rc = rsa_verify(&rv->rp, m,
252 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz,
253 0, pss_decode, &rv->p);
254 mp_drop(m);
255 return (rc);
256 }
257
258 static const char *rsapss_vrfcheck(sig *s)
259 {
260 rsapss_vrfctx *rv = (rsapss_vrfctx *)s;
261 const char *e;
262 if ((e = rsa_lengthcheck(rv->rp.rp->n)) != 0) return (e);
263 return (0);
264 }
265
266 static void rsapss_vrfdestroy(sig *s)
267 {
268 rsapss_vrfctx *rv = (rsapss_vrfctx *)s;
269 rsa_pubdestroy(&rv->rp);
270 DESTROY(rv);
271 }
272
273 static const sigops rsapss_vrf = {
274 rsa_pubfetch, sizeof(rsa_pub),
275 rsapss_vrfinit, rsapss_vrfdoit, rsapss_vrfcheck, rsapss_vrfdestroy
276 };
277
278 /* --- DSA and ECDSA --- */
279
280 typedef struct dsa_sigctx {
281 sig s;
282 gdsa g;
283 } dsa_sigctx;
284
285 static void dsa_initcommon(dsa_sigctx *ds, const gchash *hc,
286 const char *ktag)
287 {
288 ds->g.r = &rand_global;
289 ds->g.h = hc;
290 ds->g.u = MP_NEW;
291 ds->s.h = 0;
292 }
293
294 static dsa_sigctx *dsa_doinit(key *k, const gprime_param *gp,
295 mp *y, const gchash *hc,
296 group *(*makegroup)(const gprime_param *),
297 const char *what)
298 {
299 dsa_sigctx *ds = CREATE(dsa_sigctx);
300 dstr t = DSTR_INIT;
301
302 key_fulltag(k, &t);
303 if ((ds->g.g = makegroup(gp)) == 0)
304 die(EXIT_FAILURE, "bad %s group in key `%s'", what, t.buf);
305 ds->g.p = G_CREATE(ds->g.g);
306 if (G_FROMINT(ds->g.g, ds->g.p, y))
307 die(EXIT_FAILURE, "bad public key in key `%s'", t.buf);
308 dsa_initcommon(ds, hc, t.buf);
309 dstr_destroy(&t);
310 return (ds);
311 }
312
313 static dsa_sigctx *ecdsa_doinit(key *k, const char *cstr,
314 ec *y, const gchash *hc)
315 {
316 dsa_sigctx *ds = CREATE(dsa_sigctx);
317 ec_info ei;
318 const char *e;
319 dstr t = DSTR_INIT;
320
321 key_fulltag(k, &t);
322 if ((e = ec_getinfo(&ei, cstr)) != 0)
323 die(EXIT_FAILURE, "bad curve in key `%s': %s", t.buf, e);
324 ds->g.g = group_ec(&ei);
325 ds->g.p = G_CREATE(ds->g.g);
326 if (G_FROMEC(ds->g.g, ds->g.p, y))
327 die(EXIT_FAILURE, "bad public key in key `%s'", t.buf);
328 dsa_initcommon(ds, hc, t.buf);
329 dstr_destroy(&t);
330 return (ds);
331 }
332
333 static sig *dsa_siginit(key *k, void *kd, const gchash *hc)
334 {
335 dh_priv *dp = kd;
336 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
337 ds->g.u = MP_COPY(dp->x);
338 return (&ds->s);
339 }
340
341 static sig *bindsa_siginit(key *k, void *kd, const gchash *hc)
342 {
343 dh_priv *dp = kd;
344 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
345 ds->g.u = MP_COPY(dp->x);
346 return (&ds->s);
347 }
348
349 static sig *ecdsa_siginit(key *k, void *kd, const gchash *hc)
350 {
351 ec_priv *ep = kd;
352 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
353 ds->g.u = MP_COPY(ep->x);
354 return (&ds->s);
355 }
356
357 static int dsa_sigdoit(sig *s, dstr *d)
358 {
359 dsa_sigctx *ds = (dsa_sigctx *)s;
360 gdsa_sig ss = GDSA_SIG_INIT;
361 size_t n = mp_octets(ds->g.g->r);
362
363 gdsa_sign(&ds->g, &ss, GH_DONE(ds->s.h, 0), 0);
364 dstr_ensure(d, 2 * n);
365 mp_storeb(ss.r, d->buf, n);
366 mp_storeb(ss.s, d->buf + n, n);
367 d->len += 2 * n;
368 mp_drop(ss.r); mp_drop(ss.s);
369 return (0);
370 }
371
372 static const char *dsa_sigcheck(sig *s)
373 {
374 dsa_sigctx *ds = (dsa_sigctx *)s;
375 const char *e;
376 if ((e = G_CHECK(ds->g.g, &rand_global)) != 0)
377 return (0);
378 if (group_check(ds->g.g, ds->g.p))
379 return ("public key not in subgroup");
380 return (0);
381 }
382
383 static void dsa_sigdestroy(sig *s)
384 {
385 dsa_sigctx *ds = (dsa_sigctx *)s;
386 G_DESTROY(ds->g.g, ds->g.p);
387 mp_drop(ds->g.u);
388 G_DESTROYGROUP(ds->g.g);
389 DESTROY(ds);
390 }
391
392 static const sigops dsa_sig = {
393 dh_privfetch, sizeof(dh_priv),
394 dsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
395 };
396
397 static const sigops bindsa_sig = {
398 dh_privfetch, sizeof(dh_priv),
399 bindsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
400 };
401
402 static const sigops ecdsa_sig = {
403 ec_privfetch, sizeof(ec_priv),
404 ecdsa_siginit, dsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
405 };
406
407 static sig *dsa_vrfinit(key *k, void *kd, const gchash *hc)
408 {
409 dh_pub *dp = kd;
410 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
411 return (&ds->s);
412 }
413
414 static sig *bindsa_vrfinit(key *k, void *kd, const gchash *hc)
415 {
416 dh_pub *dp = kd;
417 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
418 return (&ds->s);
419 }
420
421 static sig *ecdsa_vrfinit(key *k, void *kd, const gchash *hc)
422 {
423 ec_pub *ep = kd;
424 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
425 return (&ds->s);
426 }
427
428 static int dsa_vrfdoit(sig *s, dstr *d)
429 {
430 dsa_sigctx *ds = (dsa_sigctx *)s;
431 gdsa_sig ss;
432 size_t n = d->len/2;
433 int rc;
434
435 ss.r = mp_loadb(MP_NEW, d->buf, n);
436 ss.s = mp_loadb(MP_NEW, d->buf + n, d->len - n);
437 rc = gdsa_verify(&ds->g, &ss, GH_DONE(ds->s.h, 0));
438 mp_drop(ss.r); mp_drop(ss.s);
439 return (rc);
440 }
441
442 static const sigops dsa_vrf = {
443 dh_pubfetch, sizeof(dh_pub),
444 dsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
445 };
446
447 static const sigops bindsa_vrf = {
448 dh_pubfetch, sizeof(dh_pub),
449 bindsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
450 };
451
452 static const sigops ecdsa_vrf = {
453 ec_pubfetch, sizeof(ec_pub),
454 ecdsa_vrfinit, dsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
455 };
456
457 /* --- KCDSA and ECKCDSA --- */
458
459 static void kcdsa_privkey(dsa_sigctx *ds, mp *x)
460 { ds->g.u = mp_modinv(MP_NEW, x, ds->g.g->r); }
461
462 static void kcdsa_sethash(dsa_sigctx *ds, const gchash *hc)
463 { ds->s.h = gkcdsa_beginhash(&ds->g); }
464
465 static sig *kcdsa_siginit(key *k, void *kd, const gchash *hc)
466 {
467 dh_priv *dp = kd;
468 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
469 kcdsa_privkey(ds, dp->x);
470 kcdsa_sethash(ds, hc);
471 return (&ds->s);
472 }
473
474 static sig *binkcdsa_siginit(key *k, void *kd, const gchash *hc)
475 {
476 dh_priv *dp = kd;
477 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
478 kcdsa_privkey(ds, dp->x);
479 kcdsa_sethash(ds, hc);
480 return (&ds->s);
481 }
482
483 static sig *eckcdsa_siginit(key *k, void *kd, const gchash *hc)
484 {
485 ec_priv *ep = kd;
486 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
487 kcdsa_privkey(ds, ep->x);
488 kcdsa_sethash(ds, hc);
489 return (&ds->s);
490 }
491
492 static int kcdsa_sigdoit(sig *s, dstr *d)
493 {
494 dsa_sigctx *ds = (dsa_sigctx *)s;
495 gkcdsa_sig ss = GKCDSA_SIG_INIT;
496 size_t hsz = ds->g.h->hashsz, n = mp_octets(ds->g.g->r);
497
498 gkcdsa_sign(&ds->g, &ss, GH_DONE(ds->s.h, 0), 0);
499 dstr_ensure(d, hsz + n);
500 memcpy(d->buf, ss.r, hsz);
501 mp_storeb(ss.s, d->buf + hsz, n);
502 d->len += hsz + n;
503 xfree(ss.r); mp_drop(ss.s);
504 return (0);
505 }
506
507 static const sigops kcdsa_sig = {
508 dh_privfetch, sizeof(dh_priv),
509 kcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
510 };
511
512 static const sigops binkcdsa_sig = {
513 dh_privfetch, sizeof(dh_priv),
514 binkcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
515 };
516
517 static const sigops eckcdsa_sig = {
518 ec_privfetch, sizeof(ec_priv),
519 eckcdsa_siginit, kcdsa_sigdoit, dsa_sigcheck, dsa_sigdestroy
520 };
521
522 static sig *kcdsa_vrfinit(key *k, void *kd, const gchash *hc)
523 {
524 dh_pub *dp = kd;
525 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_prime, "prime");
526 kcdsa_sethash(ds, hc);
527 return (&ds->s);
528 }
529
530 static sig *binkcdsa_vrfinit(key *k, void *kd, const gchash *hc)
531 {
532 dh_pub *dp = kd;
533 dsa_sigctx *ds = dsa_doinit(k, &dp->dp, dp->y, hc, group_binary, "binary");
534 kcdsa_sethash(ds, hc);
535 return (&ds->s);
536 }
537
538 static sig *eckcdsa_vrfinit(key *k, void *kd, const gchash *hc)
539 {
540 ec_pub *ep = kd;
541 dsa_sigctx *ds = ecdsa_doinit(k, ep->cstr, &ep->p, hc);
542 kcdsa_sethash(ds, hc);
543 return (&ds->s);
544 }
545
546 static int kcdsa_vrfdoit(sig *s, dstr *d)
547 {
548 dsa_sigctx *ds = (dsa_sigctx *)s;
549 gkcdsa_sig ss;
550 size_t hsz = ds->g.h->hashsz, n = d->len - hsz;
551 int rc;
552
553 if (d->len < hsz)
554 return (-1);
555 ss.r = (octet *)d->buf;
556 ss.s = mp_loadb(MP_NEW, d->buf + hsz, n);
557 rc = gkcdsa_verify(&ds->g, &ss, GH_DONE(ds->s.h, 0));
558 mp_drop(ss.s);
559 return (rc);
560 }
561
562 static const sigops kcdsa_vrf = {
563 dh_pubfetch, sizeof(dh_pub),
564 kcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
565 };
566
567 static const sigops binkcdsa_vrf = {
568 dh_pubfetch, sizeof(dh_pub),
569 binkcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
570 };
571
572 static const sigops eckcdsa_vrf = {
573 ec_pubfetch, sizeof(ec_pub),
574 eckcdsa_vrfinit, kcdsa_vrfdoit, dsa_sigcheck, dsa_sigdestroy
575 };
576
577 /* --- EdDSA --- */
578
579 #define EDDSAS(_) \
580 _(ed25519, ed25519ctx, ED25519, "Ed25519", sha512)
581
582 typedef struct eddsa_sigctx {
583 sig s;
584 const char *perso;
585 } eddsa_sigctx;
586
587 static sig *eddsa_siginit(key *k, void *kd, const gchash *hc)
588 {
589 eddsa_sigctx *es = CREATE(eddsa_sigctx);
590 es->s.h = 0;
591 es->perso = key_getattr(0, k, "perso");
592 if (es->perso && strlen(es->perso) > ED25519_MAXPERSOSZ) {
593 die(1, "EdDSA personalization string too long (max length %d)",
594 ED25519_MAXPERSOSZ);
595 }
596 return (&es->s);
597 }
598
599 static void eddsa_sigdestroy(sig *s)
600 { eddsa_sigctx *es = (eddsa_sigctx *)s; DESTROY(es); }
601
602 #define EDDSADEF(ed, sigver, ED, name, hash) \
603 \
604 static int ed##_sigdoit(sig *s, dstr *d) \
605 { \
606 eddsa_sigctx *es = (eddsa_sigctx *)s; \
607 ed##_priv *k = es->s.kd; \
608 \
609 dstr_ensure(d, ED##_SIGSZ); \
610 sigver##_sign((octet *)d->buf, k->priv.k, k->priv.sz, k->pub.k, \
611 es->perso ? 1 : -1, es->perso, \
612 es->perso ? strlen(es->perso) : 0, \
613 GH_DONE(es->s.h, 0), GH_CLASS(es->s.h)->hashsz); \
614 d->len += ED##_SIGSZ; \
615 return (0); \
616 } \
617 \
618 static const char *ed##_sigcheck(sig *s) \
619 { \
620 eddsa_sigctx *es = (eddsa_sigctx *)s; \
621 ed##_priv *k = es->s.kd; \
622 \
623 if (k->pub.sz != ED##_PUBSZ) \
624 return ("incorrect " #name " public key length"); \
625 return (0); \
626 } \
627 \
628 static const sigops ed##_sig = { \
629 ed##_privfetch, sizeof(ed##_priv), \
630 eddsa_siginit, ed##_sigdoit, ed##_sigcheck, eddsa_sigdestroy \
631 }; \
632 \
633 static int ed##_vrfdoit(sig *s, dstr *d) \
634 { \
635 eddsa_sigctx *es = (eddsa_sigctx *)s; \
636 ed##_pub *k = es->s.kd; \
637 \
638 if (d->len != ED##_SIGSZ) return (-1); \
639 return (sigver##_verify(k->pub.k, \
640 es->perso ? 1 : -1, es->perso, \
641 es->perso ? strlen(es->perso) : 0, \
642 GH_DONE(s->h, 0), GH_CLASS(s->h)->hashsz, \
643 (const octet *)d->buf)); \
644 } \
645 \
646 static const char *ed##_vrfcheck(sig *s) \
647 { \
648 ed##_pub *k = s->kd; \
649 \
650 if (k->pub.sz != ED##_PUBSZ) \
651 return ("incorrect " #name " public key length"); \
652 return (0); \
653 } \
654 \
655 static const sigops ed##_vrf = { \
656 ed##_pubfetch, sizeof(ed##_pub), \
657 eddsa_siginit, ed##_vrfdoit, ed##_vrfcheck, eddsa_sigdestroy \
658 };
659
660 EDDSAS(EDDSADEF)
661 #undef EDDSADEF
662
663 /* --- Symmetric message authentication --- */
664
665 typedef struct mac_ctx {
666 sig s;
667 const gcmac *mc;
668 gmac *m;
669 key_packdef kp;
670 key_bin kb;
671 } mac_ctx;
672
673 static sig *mac_init(key *k, void *kd, const gchash *hc)
674 {
675 mac_ctx *m;
676 dstr d = DSTR_INIT;
677 int err;
678 const char *mm;
679
680 m = CREATE(mac_ctx);
681
682 key_fulltag(k, &d);
683 m->kp.e = KENC_BINARY;
684 m->kp.p = &m->kb;
685 m->kp.kd = 0;
686
687 if ((mm = key_getattr(0 /*yik*/, k, "mac")) == 0) {
688 dstr_putf(&d, "%s-hmac", hc->name);
689 mm = d.buf;
690 }
691 if ((m->mc = gmac_byname(mm)) == 0)
692 die(EXIT_FAILURE, "unknown message authentication scheme `%s'", mm);
693 dstr_reset(&d);
694
695 if ((err = key_unpack(&m->kp, kd, &d)) != 0) {
696 die(EXIT_FAILURE, "failed to unpack symmetric key `%s': %s",
697 d.buf, key_strerror(err));
698 }
699 dstr_destroy(&d);
700
701 if (keysz(m->kb.sz, m->mc->keysz) != m->kb.sz) {
702 die(EXIT_FAILURE, "bad key size %lu for `%s'",
703 (unsigned long)m->kb.sz, m->mc->name);
704 }
705 m->m = GM_KEY(m->mc, m->kb.k, m->kb.sz);
706 m->s.h = GM_INIT(m->m);
707 return (&m->s);
708 }
709
710 static int mac_sigdoit(sig *s, dstr *d)
711 {
712 mac_ctx *m = (mac_ctx *)s;
713
714 dstr_ensure(d, m->mc->hashsz);
715 GH_DONE(m->s.h, d->buf);
716 d->len += m->mc->hashsz;
717 return (0);
718 }
719
720 static int mac_vrfdoit(sig *s, dstr *d)
721 {
722 mac_ctx *m = (mac_ctx *)s;
723 const octet *t;
724
725 t = GH_DONE(m->s.h, 0);
726 if (d->len != m->mc->hashsz || !ct_memeq(d->buf, t, d->len))
727 return (-1);
728 return (0);
729 }
730
731 static const char *mac_check(sig *s) { return (0); }
732
733 static void mac_destroy(sig *s)
734 {
735 mac_ctx *m = (mac_ctx *)s;
736 GM_DESTROY(m->m);
737 key_unpackdone(&m->kp);
738 }
739
740 static const sigops mac_sig = {
741 0, 0,
742 mac_init, mac_sigdoit, mac_check, mac_destroy
743 };
744
745 static const sigops mac_vrf = {
746 0, 0,
747 mac_init, mac_vrfdoit, mac_check, mac_destroy
748 };
749
750 /* --- The switch table --- */
751
752 const struct sigtab sigtab[] = {
753 { "rsapkcs1", &rsap1_sig, &rsap1_vrf, &sha },
754 { "rsapss", &rsapss_sig, &rsapss_vrf, &sha },
755 { "dsa", &dsa_sig, &dsa_vrf, &sha },
756 { "bindsa", &bindsa_sig, &bindsa_vrf, &sha },
757 { "ecdsa", &ecdsa_sig, &ecdsa_vrf, &sha },
758 { "kcdsa", &kcdsa_sig, &kcdsa_vrf, &has160 },
759 { "binkcdsa", &binkcdsa_sig, &binkcdsa_vrf, &has160 },
760 { "eckcdsa", &eckcdsa_sig, &eckcdsa_vrf, &has160 },
761 #define EDDSATAB(ed, sigver, ED, name, hash) \
762 { #ed, &ed##_sig, &ed##_vrf, &hash },
763 EDDSAS(EDDSATAB)
764 #undef EDDSATAB
765 { "mac", &mac_sig, &mac_vrf, &rmd160 },
766 { 0, 0, 0 }
767 };
768
769 /* --- @getsig@ --- *
770 *
771 * Arguments: @key *k@ = the key to load
772 * @const char *app@ = application name
773 * @int wantpriv@ = nonzero if we want to sign
774 *
775 * Returns: A signature-making thing.
776 *
777 * Use: Loads a key and starts hashing.
778 */
779
780 sig *getsig(key *k, const char *app, int wantpriv)
781 {
782 const char *salg, *halg = 0;
783 dstr d = DSTR_INIT;
784 dstr t = DSTR_INIT;
785 char *p = 0;
786 const char *q;
787 sig *s;
788 size_t n;
789 const struct sigtab *st;
790 const sigops *so;
791 const gchash *ch;
792 void *kd;
793 int e;
794 key_packdef *kp;
795
796 /* --- Setup stuff --- */
797
798 key_fulltag(k, &t);
799
800 /* --- Get the signature algorithm --- *
801 *
802 * Take the attribute if it's there; otherwise use the key type.
803 */
804
805 n = strlen(app);
806 if ((q = key_getattr(0, k, "sig")) != 0) {
807 dstr_puts(&d, q);
808 p = d.buf;
809 } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
810 dstr_puts(&d, k->type);
811 p = d.buf + n + 1;
812 } else
813 die(EXIT_FAILURE, "no signature algorithm for key `%s'", t.buf);
814
815 /* --- Grab the hash algorithm --- *
816 *
817 * Grab it from the signature algorithm if it's there. But override that
818 * from the attribute.
819 */
820
821 salg = p;
822 if ((p = strchr(p, '/')) != 0) {
823 *p++ = 0;
824 halg = p;
825 }
826 if ((q = key_getattr(0, k, "hash")) != 0)
827 halg = q;
828
829 /* --- Look up the algorithms in the table --- */
830
831 for (st = sigtab; st->name; st++) {
832 if (strcmp(st->name, salg) == 0)
833 goto s_found;
834 }
835 die(EXIT_FAILURE, "signature algorithm `%s' not found in key `%s'",
836 salg, t.buf);
837 s_found:;
838 if (!halg)
839 ch = st->ch;
840 else {
841 if ((ch = ghash_byname(halg)) == 0) {
842 die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
843 halg, t.buf);
844 }
845 }
846 so = wantpriv ? st->signops : st->verifyops;
847
848 /* --- Load the key --- */
849
850 if (!so->kf) {
851 kd = k->k;
852 key_incref(kd);
853 kp = 0;
854 } else {
855 kd = xmalloc(so->kdsz);
856 kp = key_fetchinit(so->kf, 0, kd);
857 if ((e = key_fetch(kp, k)) != 0) {
858 die(EXIT_FAILURE, "error fetching key `%s': %s",
859 t.buf, key_strerror(e));
860 }
861 }
862 s = so->init(k, kd, ch);
863 if (!s->h)
864 s->h = GH_INIT(ch);
865 s->kp = kp;
866 s->ops = so;
867 s->kd = kd;
868 s->ch = ch;
869
870 /* --- Free stuff up --- */
871
872 dstr_destroy(&d);
873 dstr_destroy(&t);
874 return (s);
875 }
876
877 /* --- @freesig@ --- *
878 *
879 * Arguments: @sig *s@ = signature-making thing
880 *
881 * Returns: ---
882 *
883 * Use: Frees up a signature-making thing
884 */
885
886 void freesig(sig *s)
887 {
888 GH_DESTROY(s->h);
889 if (!s->ops->kf)
890 key_drop(s->kd);
891 else {
892 key_fetchdone(s->kp);
893 xfree(s->kd);
894 }
895 s->ops->destroy(s);
896 }
897
898 /*----- That's all, folks -------------------------------------------------*/
Catacomb cryptographic library