#include "ec-keys.h"
#include "dh.h"
#include "rsa.h"
+#include "x25519.h"
+#include "x448.h"
#include "rmd160.h"
#include "blowfish-cbc.h"
+#include "poly1305.h"
+#include "salsa20.h"
+#include "chacha.h"
#include "cc.h"
/*----- Bulk crypto -------------------------------------------------------*/
+/* --- NaCl `secretbox' --- */
+
+typedef struct naclbox_encctx {
+ bulk b;
+ const gccipher *cc;
+ gcipher *c;
+} naclbox_encctx;
+
+static bulk *naclbox_init(key *k, const char *calg, const char *halg)
+{
+ naclbox_encctx *ctx = CREATE(naclbox_encctx);
+ dstr t = DSTR_INIT;
+ const char *q;
+
+ key_fulltag(k, &t);
+
+ if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
+ if (!calg || strcmp(calg, "salsa20") == 0) ctx->cc = &salsa20;
+ else if (strcmp(calg, "salsa20/12") == 0) ctx->cc = &salsa2012;
+ else if (strcmp(calg, "salsa20/8") == 0) ctx->cc = &salsa208;
+ else if (strcmp(calg, "chacha20") == 0) ctx->cc = &chacha20;
+ else if (strcmp(calg, "chacha12") == 0) ctx->cc = &chacha12;
+ else if (strcmp(calg, "chacha8") == 0) ctx->cc = &chacha8;
+ else {
+ die(EXIT_FAILURE,
+ "unknown or inappropriate encryption scheme `%s' in key `%s'",
+ calg, t.buf);
+ }
+
+ dstr_destroy(&t);
+ return (&ctx->b);
+}
+
+static int naclbox_setup(bulk *b, gcipher *cx)
+{
+ naclbox_encctx *ctx = (naclbox_encctx *)b;
+ octet k[SALSA20_KEYSZ];
+
+ GC_ENCRYPT(cx, 0, k, sizeof(k));
+ ctx->c = GC_INIT(ctx->cc, k, sizeof(k));
+ return (0);
+}
+
+static size_t naclbox_overhead(bulk *b) { return (POLY1305_TAGSZ); }
+
+static void naclbox_destroy(bulk *b)
+{
+ naclbox_encctx *ctx = (naclbox_encctx *)b;
+
+ GC_DESTROY(ctx->c);
+ DESTROY(ctx);
+}
+
+static const char *naclbox_encdoit(bulk *b, uint32 seq, buf *bb,
+ const void *p, size_t sz)
+{
+ naclbox_encctx *ctx = (naclbox_encctx *)b;
+ octet t[32];
+ poly1305_key ak;
+ poly1305_ctx a;
+ octet *tag, *ct;
+
+ STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
+ GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
+ poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
+ poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
+
+ tag = buf_get(bb, POLY1305_TAGSZ); assert(tag);
+ ct = buf_get(bb, sz); assert(ct);
+ GC_ENCRYPT(ctx->c, p, ct, sz);
+ poly1305_hash(&a, ct, sz);
+ poly1305_done(&a, tag);
+ return (0);
+}
+
+static const char *naclbox_decdoit(bulk *b, uint32 seq, buf *bb,
+ const void *p, size_t sz)
+{
+ naclbox_encctx *ctx = (naclbox_encctx *)b;
+ buf bin;
+ octet t[32];
+ poly1305_key ak;
+ poly1305_ctx a;
+ octet *tag, *ct, *pt;
+
+ STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
+ GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
+ poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
+ poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
+
+ buf_init(&bin, (/*unconst*/ void *)p, sz);
+ if ((tag = buf_get(&bin, POLY1305_TAGSZ)) == 0) return ("no tag");
+ ct = BCUR(&bin); sz = BLEFT(&bin);
+ poly1305_hash(&a, ct, sz);
+ poly1305_done(&a, t);
+ if (!ct_memeq(t, tag, POLY1305_TAGSZ)) return ("authentication failure");
+ pt = buf_get(bb, sz); assert(pt);
+ GC_DECRYPT(ctx->c, ct, pt, sz);
+ return (0);
+}
+
+static const bulkops naclbox_encops = {
+ naclbox_init, naclbox_setup, naclbox_overhead,
+ naclbox_encdoit, naclbox_destroy
+}, naclbox_decops = {
+ naclbox_init, naclbox_setup, naclbox_overhead,
+ naclbox_decdoit, naclbox_destroy
+};
+
/* --- Generic composition --- */
typedef struct gencomp_encctx {
const struct bulktab bulktab[] = {
{ "gencomp", &gencomp_encops, &gencomp_decops },
+ { "naclbox", &naclbox_encops, &naclbox_decops },
{ 0, 0, 0 }
};
ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy
};
+/* --- X25519 --- */
+
+static kem *x25519_encinit(key *k, void *kd) { return (CREATE(kem)); }
+static void x25519_encdestroy(kem *k) { DESTROY(k); }
+
+static const char *x25519_enccheck(kem *k)
+{
+ x25519_pub *kd = k->kd;
+
+ if (kd->pub.sz != X25519_PUBSZ)
+ return ("incorrect X25519 public key length");
+ return (0);
+}
+
+static int x25519_encdoit(kem *k, dstr *d, ghash *h)
+{
+ octet t[X25519_KEYSZ], z[X25519_OUTSZ];
+ x25519_pub *kd = k->kd;
+
+ rand_get(RAND_GLOBAL, t, sizeof(t));
+ dstr_ensure(d, X25519_PUBSZ);
+ x25519((octet *)d->buf, t, x25519_base);
+ x25519(z, t, kd->pub.k);
+ d->len += X25519_PUBSZ;
+ GH_HASH(h, d->buf, X25519_PUBSZ);
+ GH_HASH(h, z, X25519_OUTSZ);
+ return (0);
+}
+
+static const char *x25519_deccheck(kem *k)
+{
+ x25519_priv *kd = k->kd;
+
+ if (kd->priv.sz != X25519_KEYSZ)
+ return ("incorrect X25519 private key length");
+ if (kd->pub.sz != X25519_PUBSZ)
+ return ("incorrect X25519 public key length");
+ return (0);
+}
+
+static int x25519_decdoit(kem *k, dstr *d, ghash *h)
+{
+ octet z[X25519_OUTSZ];
+ x25519_priv *kd = k->kd;
+ int rc = -1;
+
+ if (d->len != X25519_PUBSZ) goto done;
+ x25519(z, kd->priv.k, (const octet *)d->buf);
+ GH_HASH(h, d->buf, X25519_PUBSZ);
+ GH_HASH(h, z, X25519_OUTSZ);
+ rc = 0;
+done:
+ return (rc);
+}
+
+static const kemops x25519_encops = {
+ x25519_pubfetch, sizeof(x25519_pub),
+ x25519_encinit, x25519_encdoit, x25519_enccheck, x25519_encdestroy
+};
+
+static const kemops x25519_decops = {
+ x25519_privfetch, sizeof(x25519_priv),
+ x25519_encinit, x25519_decdoit, x25519_deccheck, x25519_encdestroy
+};
+
+/* --- X448 --- */
+
+static kem *x448_encinit(key *k, void *kd) { return (CREATE(kem)); }
+static void x448_encdestroy(kem *k) { DESTROY(k); }
+
+static const char *x448_enccheck(kem *k)
+{
+ x448_pub *kd = k->kd;
+
+ if (kd->pub.sz != X448_PUBSZ)
+ return ("incorrect X448 public key length");
+ return (0);
+}
+
+static int x448_encdoit(kem *k, dstr *d, ghash *h)
+{
+ octet t[X448_KEYSZ], z[X448_OUTSZ];
+ x448_pub *kd = k->kd;
+
+ rand_get(RAND_GLOBAL, t, sizeof(t));
+ dstr_ensure(d, X448_PUBSZ);
+ x448((octet *)d->buf, t, x448_base);
+ x448(z, t, kd->pub.k);
+ d->len += X448_PUBSZ;
+ GH_HASH(h, d->buf, X448_PUBSZ);
+ GH_HASH(h, z, X448_OUTSZ);
+ return (0);
+}
+
+static const char *x448_deccheck(kem *k)
+{
+ x448_priv *kd = k->kd;
+
+ if (kd->priv.sz != X448_KEYSZ)
+ return ("incorrect X448 private key length");
+ if (kd->pub.sz != X448_PUBSZ)
+ return ("incorrect X448 public key length");
+ return (0);
+}
+
+static int x448_decdoit(kem *k, dstr *d, ghash *h)
+{
+ octet z[X448_OUTSZ];
+ x448_priv *kd = k->kd;
+ int rc = -1;
+
+ if (d->len != X448_PUBSZ) goto done;
+ x448(z, kd->priv.k, (const octet *)d->buf);
+ GH_HASH(h, d->buf, X448_PUBSZ);
+ GH_HASH(h, z, X448_OUTSZ);
+ rc = 0;
+done:
+ return (rc);
+}
+
+static const kemops x448_encops = {
+ x448_pubfetch, sizeof(x448_pub),
+ x448_encinit, x448_encdoit, x448_enccheck, x448_encdestroy
+};
+
+static const kemops x448_decops = {
+ x448_privfetch, sizeof(x448_priv),
+ x448_encinit, x448_decdoit, x448_deccheck, x448_encdestroy
+};
+
/* --- Symmetric --- */
typedef struct symm_ctx {
{ "dh", &dh_encops, &dh_decops },
{ "bindh", &bindh_encops, &bindh_decops },
{ "ec", &ec_encops, &ec_decops },
+ { "x25519", &x25519_encops, &x25519_decops },
+ { "x448", &x448_encops, &x448_decops },
{ "symm", &symm_encops, &symm_decops },
{ 0, 0, 0 }
};
~mdw / catacomb / blobdiff