#include <mLib/alloc.h>
#include <mLib/dstr.h>
+#include <mLib/macros.h>
#include <mLib/report.h>
#include <mLib/sub.h>
+#include "gaead.h"
#include "mprand.h"
#include "rand.h"
#include "ec-keys.h"
#include "dh.h"
#include "rsa.h"
+#include "x25519.h"
+#include "x448.h"
#include "rmd160.h"
#include "blowfish-cbc.h"
+#include "chacha20-poly1305.h"
+#include "poly1305.h"
+#include "salsa20.h"
+#include "chacha.h"
#include "cc.h"
+/*----- Bulk crypto -------------------------------------------------------*/
+
+/* --- Authenticated encryption schemes --- */
+
+typedef struct aead_encctx {
+ bulk b;
+ const gcaead *aec;
+ gaead_key *key;
+ union { gaead_enc *enc; gaead_dec *dec; } ed;
+ octet *t;
+ size_t nsz, tsz;
+} aead_encctx;
+
+static bulk *aead_internalinit(key *k, const gcaead *aec)
+{
+ aead_encctx *ctx = CREATE(aead_encctx);
+
+ ctx->key = 0;
+ ctx->aec = aec;
+ if ((ctx->nsz = keysz_pad(4, aec->noncesz)) == 0)
+ die(EXIT_FAILURE, "no suitable nonce size for `%s'", aec->name);
+ ctx->tsz = keysz(0, ctx->aec->tagsz);
+
+ return (&ctx->b);
+}
+
+static bulk *aead_init(key *k, const char *calg, const char *halg)
+{
+ const gcaead *aec;
+ const char *q;
+ dstr t = DSTR_INIT;
+
+ key_fulltag(k, &t);
+
+ if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
+ if (!calg) aec = &chacha20_poly1305;
+ else if ((aec = gaead_byname(calg)) == 0)
+ die(EXIT_FAILURE, "AEAD scheme `%s' not found in key `%s'",
+ calg, t.buf);
+
+ dstr_destroy(&t);
+ return (aead_internalinit(k, aec));
+}
+
+static int aead_commonsetup(aead_encctx *ctx, gcipher *cx)
+{
+ size_t ksz, n;
+
+ n = ksz = keysz(0, ctx->aec->keysz);
+ if (n < ctx->nsz) n = ctx->nsz;
+ if (n < ctx->tsz) n = ctx->tsz;
+ ctx->t = xmalloc(n);
+
+ GC_ENCRYPT(cx, 0, ctx->t, ksz);
+ ctx->key = GAEAD_KEY(ctx->aec, ctx->t, ksz);
+ return (0);
+}
+
+static size_t aead_overhead(bulk *b)
+ { aead_encctx *ctx = (aead_encctx *)b; return (ctx->aec->ohd + ctx->tsz); }
+
+static void aead_commondestroy(aead_encctx *ctx)
+{
+ if (ctx->key) GAEAD_DESTROY(ctx->key);
+ xfree(ctx->t);
+ DESTROY(ctx);
+}
+
+static int aead_encsetup(bulk *b, gcipher *cx)
+{
+ aead_encctx *ctx = (aead_encctx *)b;
+ ctx->ed.enc = 0; return (aead_commonsetup(ctx, cx));
+}
+
+static const char *aead_encdoit(bulk *b, uint32 seq, buf *bb,
+ const void *p, size_t sz)
+{
+ aead_encctx *ctx = (aead_encctx *)b;
+ octet *t;
+ int rc;
+
+ memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq);
+ if (!ctx->ed.enc)
+ ctx->ed.enc = GAEAD_ENC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
+ else
+ GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
+ t = buf_get(bb, ctx->tsz); assert(t);
+ rc = GAEAD_ENCRYPT(ctx->ed.enc, p, sz, bb); assert(rc >= 0);
+ rc = GAEAD_DONE(ctx->ed.enc, 0, bb, t, ctx->tsz); assert(rc >= 0);
+ return (0);
+}
+
+static void aead_encdestroy(bulk *b)
+{
+ aead_encctx *ctx = (aead_encctx *)b;
+ if (ctx->ed.enc) GAEAD_DESTROY(ctx->ed.enc);
+ aead_commondestroy(ctx);
+}
+
+static int aead_decsetup(bulk *b, gcipher *cx)
+{
+ aead_encctx *ctx = (aead_encctx *)b;
+ ctx->ed.dec = 0; return (aead_commonsetup(ctx, cx));
+}
+
+static const char *aead_decdoit(bulk *b, uint32 seq, buf *bb,
+ const void *p, size_t sz)
+{
+ aead_encctx *ctx = (aead_encctx *)b;
+ buf bin;
+ const octet *t;
+ int rc;
+
+ memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq);
+ if (!ctx->ed.dec)
+ ctx->ed.dec = GAEAD_DEC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
+ else
+ GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
+
+ buf_init(&bin, (/*unconst*/ void *)p, sz);
+ t = buf_get(&bin, ctx->tsz); if (!t) return ("no tag");
+ rc = GAEAD_DECRYPT(ctx->ed.dec, BCUR(&bin), BLEFT(&bin), bb);
+ assert(rc >= 0);
+ rc = GAEAD_DONE(ctx->ed.dec, 0, bb, t, ctx->tsz); assert(rc >= 0);
+ if (!rc) return ("authentication failure");
+ return (0);
+}
+
+static void aead_decdestroy(bulk *b)
+{
+ aead_encctx *ctx = (aead_encctx *)b;
+ if (ctx->ed.dec) GAEAD_DESTROY(ctx->ed.dec);
+ aead_commondestroy(ctx);
+}
+
+static const struct bulkops aead_encops = {
+ aead_init, aead_encsetup, aead_overhead,
+ aead_encdoit, aead_encdestroy
+}, aead_decops = {
+ aead_init, aead_decsetup, aead_overhead,
+ aead_decdoit, aead_decdestroy
+};
+
+/* --- NaCl `secretbox' in terms of AEAD --- */
+
+static bulk *naclbox_init(key *k, const char *calg, const char *halg)
+{
+ const gcaead *aec;
+ dstr t = DSTR_INIT;
+ const char *q;
+
+ key_fulltag(k, &t);
+
+ if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
+ if (!calg || STRCMP(calg, ==, "salsa20")) aec = &salsa20_naclbox;
+ else if (STRCMP(calg, ==, "salsa20/12")) aec = &salsa2012_naclbox;
+ else if (STRCMP(calg, ==, "salsa20/8")) aec = &salsa208_naclbox;
+ else if (STRCMP(calg, ==, "chacha20")) aec = &chacha20_naclbox;
+ else if (STRCMP(calg, ==, "chacha12")) aec = &chacha12_naclbox;
+ else if (STRCMP(calg, ==, "chacha8")) aec = &chacha8_naclbox;
+ else {
+ die(EXIT_FAILURE,
+ "unknown or inappropriate encryption scheme `%s' in key `%s'",
+ calg, t.buf);
+ }
+
+ dstr_destroy(&t);
+ return (aead_internalinit(k, aec));
+}
+
+static const bulkops naclbox_encops = {
+ naclbox_init, aead_encsetup, aead_overhead,
+ aead_encdoit, aead_encdestroy
+}, naclbox_decops = {
+ naclbox_init, aead_decsetup, aead_overhead,
+ aead_decdoit, aead_decdestroy
+};
+
+/* --- Generic composition --- */
+
+typedef struct gencomp_encctx {
+ bulk b;
+ const gccipher *cc;
+ const gcmac *mc;
+ gcipher *c, *cx;
+ gmac *m;
+ octet *t; size_t tsz;
+} gencomp_encctx;
+
+static bulk *gencomp_init(key *k, const char *calg, const char *halg)
+{
+ gencomp_encctx *ctx = CREATE(gencomp_encctx);
+ const char *q;
+ dstr d = DSTR_INIT, t = DSTR_INIT;
+
+ key_fulltag(k, &t);
+
+ if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
+ if (!calg) ctx->cc = &blowfish_cbc;
+ else if ((ctx->cc = gcipher_byname(calg)) == 0) {
+ die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'",
+ calg, t.buf);
+ }
+
+ dstr_reset(&d);
+ if ((q = key_getattr(0, k, "mac")) == 0) {
+ dstr_putf(&d, "%s-hmac", halg);
+ q = d.buf;
+ }
+ if ((ctx->mc = gmac_byname(q)) == 0) {
+ die(EXIT_FAILURE,
+ "message authentication code `%s' not found in key `%s'",
+ q, t.buf);
+ }
+
+ return (&ctx->b);
+}
+
+static int gencomp_setup(bulk *b, gcipher *cx)
+{
+ gencomp_encctx *ctx = (gencomp_encctx *)b;
+ size_t cn, mn, n;
+ octet *kd;
+
+ ctx->cx = cx;
+ n = ctx->cc->blksz;
+ cn = keysz(0, ctx->cc->keysz); if (cn > n) n = cn;
+ mn = keysz(0, ctx->mc->keysz); if (mn > n) n = mn;
+ ctx->t = kd = xmalloc(n); ctx->tsz = n;
+ GC_ENCRYPT(cx, 0, kd, cn);
+ ctx->c = GC_INIT(ctx->cc, kd, cn);
+ GC_ENCRYPT(cx, 0, kd, mn);
+ ctx->m = GM_KEY(ctx->mc, kd, mn);
+ return (0);
+}
+
+static size_t gencomp_overhead(bulk *b)
+{
+ gencomp_encctx *ctx = (gencomp_encctx *)b;
+ return (ctx->cc->blksz + ctx->mc->hashsz); }
+
+static void gencomp_destroy(bulk *b)
+{
+ gencomp_encctx *ctx = (gencomp_encctx *)b;
+
+ GC_DESTROY(ctx->c);
+ GC_DESTROY(ctx->m);
+ xfree(ctx->t);
+ DESTROY(ctx);
+}
+
+static const char *gencomp_encdoit(bulk *b, uint32 seq, buf *bb,
+ const void *p, size_t sz)
+{
+ gencomp_encctx *ctx = (gencomp_encctx *)b;
+ octet *tag, *ct;
+ ghash *h = GM_INIT(ctx->m);
+
+ GH_HASHU32(h, seq);
+ if (ctx->cc->blksz) {
+ GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
+ GC_SETIV(ctx->c, ctx->t);
+ }
+ tag = buf_get(bb, ctx->mc->hashsz); assert(tag);
+ ct = buf_get(bb, sz); assert(ct);
+ GC_ENCRYPT(ctx->c, p, ct, sz);
+ GH_HASH(h, ct, sz);
+ GH_DONE(h, tag);
+ GH_DESTROY(h);
+ return (0);
+}
+
+static const char *gencomp_decdoit(bulk *b, uint32 seq, buf *bb,
+ const void *p, size_t sz)
+{
+ gencomp_encctx *ctx = (gencomp_encctx *)b;
+ buf bin;
+ const octet *tag, *ct;
+ octet *pt;
+ ghash *h;
+ int ok;
+
+ buf_init(&bin, (/*unconst*/ void *)p, sz);
+ if ((tag = buf_get(&bin, ctx->mc->hashsz)) == 0) return ("no tag");
+ ct = BCUR(&bin); sz = BLEFT(&bin);
+ pt = buf_get(bb, sz); assert(pt);
+
+ h = GM_INIT(ctx->m);
+ GH_HASHU32(h, seq);
+ GH_HASH(h, ct, sz);
+ ok = ct_memeq(tag, GH_DONE(h, 0), ctx->mc->hashsz);
+ GH_DESTROY(h);
+ if (!ok) return ("authentication failure");
+
+ if (ctx->cc->blksz) {
+ GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz);
+ GC_SETIV(ctx->c, ctx->t);
+ }
+ GC_DECRYPT(ctx->c, ct, pt, sz);
+ return (0);
+}
+
+static const bulkops gencomp_encops = {
+ gencomp_init, gencomp_setup, gencomp_overhead,
+ gencomp_encdoit, gencomp_destroy
+}, gencomp_decops = {
+ gencomp_init, gencomp_setup, gencomp_overhead,
+ gencomp_decdoit, gencomp_destroy
+};
+
+const struct bulktab bulktab[] = {
+ { "gencomp", &gencomp_encops, &gencomp_decops },
+ { "naclbox", &naclbox_encops, &naclbox_decops },
+ { "aead", &aead_encops, &aead_decops },
+ { 0, 0, 0 }
+};
+
/*----- Key encapsulation -------------------------------------------------*/
/* --- RSA --- */
ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
};
+/* --- X25519 and similar schemes --- */
+
+#define XDHS(_) \
+ _(x25519, X25519) \
+ _(x448, X448)
+
+#define XDHDEF(xdh, XDH) \
+ \
+ static kem *xdh##_encinit(key *k, void *kd) { return (CREATE(kem)); } \
+ static void xdh##_encdestroy(kem *k) { DESTROY(k); } \
+ \
+ static const char *xdh##_enccheck(kem *k) \
+ { \
+ xdh##_pub *kd = k->kd; \
+ \
+ if (kd->pub.sz != XDH##_PUBSZ) \
+ return ("incorrect " #XDH "public key length"); \
+ return (0); \
+ } \
+ \
+ static int xdh##_encdoit(kem *k, dstr *d, ghash *h) \
+ { \
+ octet t[XDH##_KEYSZ], z[XDH##_OUTSZ]; \
+ xdh##_pub *kd = k->kd; \
+ \
+ rand_get(RAND_GLOBAL, t, sizeof(t)); \
+ dstr_ensure(d, XDH##_PUBSZ); \
+ xdh((octet *)d->buf, t, xdh##_base); \
+ xdh(z, t, kd->pub.k); \
+ d->len += XDH##_PUBSZ; \
+ GH_HASH(h, d->buf, XDH##_PUBSZ); \
+ GH_HASH(h, z, XDH##_OUTSZ); \
+ return (0); \
+ } \
+ \
+ static const char *xdh##_deccheck(kem *k) \
+ { \
+ xdh##_priv *kd = k->kd; \
+ \
+ if (kd->priv.sz != XDH##_KEYSZ) \
+ return ("incorrect " #XDH " private key length"); \
+ if (kd->pub.sz != XDH##_PUBSZ) \
+ return ("incorrect " #XDH " public key length"); \
+ return (0); \
+ } \
+ \
+ static int xdh##_decdoit(kem *k, dstr *d, ghash *h) \
+ { \
+ octet z[XDH##_OUTSZ]; \
+ xdh##_priv *kd = k->kd; \
+ int rc = -1; \
+ \
+ if (d->len != XDH##_PUBSZ) goto done; \
+ xdh(z, kd->priv.k, (const octet *)d->buf); \
+ GH_HASH(h, d->buf, XDH##_PUBSZ); \
+ GH_HASH(h, z, XDH##_OUTSZ); \
+ rc = 0; \
+ done: \
+ return (rc); \
+ } \
+ \
+ static const kemops xdh##_encops = { \
+ xdh##_pubfetch, sizeof(xdh##_pub), \
+ xdh##_encinit, xdh##_encdoit, xdh##_enccheck, xdh##_encdestroy \
+ }; \
+ \
+ static const kemops xdh##_decops = { \
+ xdh##_privfetch, sizeof(xdh##_priv), \
+ xdh##_encinit, xdh##_decdoit, xdh##_deccheck, xdh##_encdestroy \
+ };
+
+XDHS(XDHDEF)
+#undef XDHDEF
+
/* --- Symmetric --- */
typedef struct symm_ctx {
{ "dh", &dh_encops, &dh_decops },
{ "bindh", &bindh_encops, &bindh_decops },
{ "ec", &ec_encops, &ec_decops },
+#define XDHTAB(xdh, XDH) \
+ { #xdh, &xdh##_encops, &xdh##_decops },
+ XDHS(XDHTAB)
+#undef XDHTAB
{ "symm", &symm_encops, &symm_decops },
{ 0, 0, 0 }
};
* Arguments: @key *k@ = the key to load
* @const char *app@ = application name
* @int wantpriv@ = nonzero if we want to decrypt
+ * @bulk **bc@ = bulk crypto context to set up
*
* Returns: A key-encapsulating thing.
*
* Use: Loads a key.
*/
-kem *getkem(key *k, const char *app, int wantpriv)
+kem *getkem(key *k, const char *app, int wantpriv, bulk **bc)
{
- const char *kalg, *halg = 0, *calg = 0;
+ const char *kalg, *halg = 0, *balg = 0;
dstr d = DSTR_INIT;
dstr t = DSTR_INIT;
size_t n;
kem *kk;
const struct kemtab *kt;
const kemops *ko;
+ const struct bulktab *bt;
+ const bulkops *bo;
void *kd;
int e;
key_packdef *kp;
if ((q = key_getattr(0, k, "kem")) != 0) {
dstr_puts(&d, q);
p = d.buf;
- } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
+ } else if (STRNCMP(k->type, ==, app, n) && k->type[n] == '-') {
dstr_puts(&d, k->type);
p = d.buf + n + 1;
} else
die(EXIT_FAILURE, "no KEM for key `%s'", t.buf);
kalg = p;
- /* --- Grab the encryption scheme --- *
+ /* --- Grab the bulk encryption scheme --- *
*
* Grab it from the KEM if it's there, but override it from the attribute.
*/
if (p && (p = strchr(p, '/')) != 0) {
*p++ = 0;
- calg = p;
+ balg = p;
}
- if ((q = key_getattr(0, k, "cipher")) != 0)
- calg = q;
+ if ((q = key_getattr(0, k, "bulk")) != 0)
+ balg = q;
/* --- Grab the hash function --- */
/* --- Instantiate the KEM --- */
for (kt = kemtab; kt->name; kt++) {
- if (strcmp(kt->name, kalg) == 0)
+ if (STRCMP(kt->name, ==, kalg))
goto k_found;
}
die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'",
kk->ops = ko;
kk->kd = kd;
- /* --- Set up the algorithms --- */
+ /* --- Set up the bulk crypto --- */
if (!halg)
- kk->h = &rmd160;
- else if ((kk->h = ghash_byname(halg)) == 0) {
+ kk->hc = &rmd160;
+ else if ((kk->hc = ghash_byname(halg)) == 0) {
die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'",
halg, t.buf);
}
- if (!calg)
- kk->c = &blowfish_cbc;
- else if ((kk->c = gcipher_byname(calg)) == 0) {
- die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'",
- calg, t.buf);
+ if (!balg)
+ bt = bulktab;
+ else {
+ for (bt = bulktab, bo = 0; bt->name; bt++) {
+ if (STRCMP(balg, ==, bt->name))
+ { balg = 0; goto b_found; }
+ n = strlen(bt->name);
+ if (STRNCMP(balg, ==, bt->name, n) && balg[n] == '-')
+ { balg += n + 1; goto b_found; }
+ }
+ bt = bulktab;
+ b_found:;
}
+ bo = wantpriv ? bt->decops : bt->encops;
+ *bc = bo->init(k, balg, kk->hc->name);
+ (*bc)->ops = bo;
dstr_reset(&d);
if ((q = key_getattr(0, k, "kdf")) == 0) {
- dstr_putf(&d, "%s-mgf", kk->h->name);
+ dstr_putf(&d, "%s-mgf", kk->hc->name);
q = d.buf;
}
- if ((kk->cx = gcipher_byname(q)) == 0) {
+ if ((kk->cxc = gcipher_byname(q)) == 0) {
die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'",
q, t.buf);
}
- dstr_reset(&d);
- if ((q = key_getattr(0, k, "mac")) == 0) {
- dstr_putf(&d, "%s-hmac", kk->h->name);
- q = d.buf;
- }
- if ((kk->m = gmac_byname(q)) == 0) {
- die(EXIT_FAILURE,
- "message authentication code `%s' not found in key `%s'",
- q, t.buf);
- }
-
/* --- Tidy up --- */
dstr_destroy(&d);
*
* Arguments: @kem *k@ = key-encapsulation thing
* @dstr *d@ = key-encapsulation data
- * @gcipher **cx@ = key-expansion function (for IVs)
- * @gcipher **c@ = where to put initialized encryption scheme
- * @gmac **m@ = where to put initialized MAC
+ * @bulk *bc@ = bulk crypto context to set up
*
* Returns: Zero on success, nonzero on failure.
*
* Use: Initializes all the various symmetric things from a KEM.
*/
-int setupkem(kem *k, dstr *d, gcipher **cx, gcipher **c, gmac **m)
+int setupkem(kem *k, dstr *d, bulk *bc)
{
octet *kd;
- size_t n, cn, mn;
+ size_t n;
ghash *h;
int rc = -1;
- h = GH_INIT(k->h);
+ h = GH_INIT(k->hc);
if (k->ops->doit(k, d, h))
goto done;
- n = keysz(GH_CLASS(h)->hashsz, k->cx->keysz);
+ n = keysz(GH_CLASS(h)->hashsz, k->cxc->keysz);
if (!n)
goto done;
kd = GH_DONE(h, 0);
- *cx = GC_INIT(k->cx, kd, n);
-
- cn = keysz(0, k->c->keysz); n = cn;
- mn = keysz(0, k->m->keysz); if (mn > n) n = mn;
- kd = xmalloc(n);
- GC_ENCRYPT(*cx, 0, kd, cn);
- *c = GC_INIT(k->c, kd, cn);
- GC_ENCRYPT(*cx, 0, kd, mn);
- *m = GM_KEY(k->m, kd, mn);
- xfree(kd);
+ k->cx = GC_INIT(k->cxc, kd, n);
+ bc->ops->setup(bc, k->cx);
rc = 0;
done:
key_fetchdone(k->kp);
xfree(k->kd);
}
+ GC_DESTROY(k->cx);
k->ops->destroy(k);
}