X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/0f00dc4c8eb47e67bc0f148c2dd109f73a451e0a..a90d420cbe87490c844ae422c966e746d3134b07:/progs/cc-kem.c diff --git a/progs/cc-kem.c b/progs/cc-kem.c index e1653897..36dfdb3d 100644 --- a/progs/cc-kem.c +++ b/progs/cc-kem.c @@ -33,9 +33,11 @@ #include #include +#include #include #include +#include "gaead.h" #include "mprand.h" #include "rand.h" @@ -43,12 +45,335 @@ #include "ec-keys.h" #include "dh.h" #include "rsa.h" +#include "x25519.h" +#include "x448.h" #include "rmd160.h" #include "blowfish-cbc.h" +#include "chacha20-poly1305.h" +#include "poly1305.h" +#include "salsa20.h" +#include "chacha.h" #include "cc.h" +/*----- Bulk crypto -------------------------------------------------------*/ + +/* --- Authenticated encryption schemes --- */ + +typedef struct aead_encctx { + bulk b; + const gcaead *aec; + gaead_key *key; + union { gaead_enc *enc; gaead_dec *dec; } ed; + octet *t; + size_t nsz, tsz; +} aead_encctx; + +static bulk *aead_internalinit(key *k, const gcaead *aec) +{ + aead_encctx *ctx = CREATE(aead_encctx); + + ctx->key = 0; + ctx->aec = aec; + if ((ctx->nsz = keysz_pad(4, aec->noncesz)) == 0) + die(EXIT_FAILURE, "no suitable nonce size for `%s'", aec->name); + ctx->tsz = keysz(0, ctx->aec->tagsz); + + return (&ctx->b); +} + +static bulk *aead_init(key *k, const char *calg, const char *halg) +{ + const gcaead *aec; + const char *q; + dstr t = DSTR_INIT; + + key_fulltag(k, &t); + + if ((q = key_getattr(0, k, "cipher")) != 0) calg = q; + if (!calg) aec = &chacha20_poly1305; + else if ((aec = gaead_byname(calg)) == 0) + die(EXIT_FAILURE, "AEAD scheme `%s' not found in key `%s'", + calg, t.buf); + + dstr_destroy(&t); + return (aead_internalinit(k, aec)); +} + +static int aead_commonsetup(aead_encctx *ctx, gcipher *cx) +{ + size_t ksz, n; + + n = ksz = keysz(0, ctx->aec->keysz); + if (n < ctx->nsz) n = ctx->nsz; + if (n < ctx->tsz) n = ctx->tsz; + ctx->t = xmalloc(n); + + GC_ENCRYPT(cx, 0, ctx->t, ksz); + ctx->key = GAEAD_KEY(ctx->aec, ctx->t, ksz); + return (0); +} + +static size_t aead_overhead(bulk *b) + { aead_encctx *ctx = (aead_encctx *)b; return (ctx->aec->ohd + ctx->tsz); } + +static void aead_commondestroy(aead_encctx *ctx) +{ + if (ctx->key) GAEAD_DESTROY(ctx->key); + xfree(ctx->t); + DESTROY(ctx); +} + +static int aead_encsetup(bulk *b, gcipher *cx) +{ + aead_encctx *ctx = (aead_encctx *)b; + ctx->ed.enc = 0; return (aead_commonsetup(ctx, cx)); +} + +static const char *aead_encdoit(bulk *b, uint32 seq, buf *bb, + const void *p, size_t sz) +{ + aead_encctx *ctx = (aead_encctx *)b; + octet *t; + int rc; + + memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq); + if (!ctx->ed.enc) + ctx->ed.enc = GAEAD_ENC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + else + GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + t = buf_get(bb, ctx->tsz); assert(t); + rc = GAEAD_ENCRYPT(ctx->ed.enc, p, sz, bb); assert(rc >= 0); + rc = GAEAD_DONE(ctx->ed.enc, 0, bb, t, ctx->tsz); assert(rc >= 0); + return (0); +} + +static void aead_encdestroy(bulk *b) +{ + aead_encctx *ctx = (aead_encctx *)b; + if (ctx->ed.enc) GAEAD_DESTROY(ctx->ed.enc); + aead_commondestroy(ctx); +} + +static int aead_decsetup(bulk *b, gcipher *cx) +{ + aead_encctx *ctx = (aead_encctx *)b; + ctx->ed.dec = 0; return (aead_commonsetup(ctx, cx)); +} + +static const char *aead_decdoit(bulk *b, uint32 seq, buf *bb, + const void *p, size_t sz) +{ + aead_encctx *ctx = (aead_encctx *)b; + buf bin; + const octet *t; + int rc; + + memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq); + if (!ctx->ed.dec) + ctx->ed.dec = GAEAD_DEC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + else + GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + + buf_init(&bin, (/*unconst*/ void *)p, sz); + t = buf_get(&bin, ctx->tsz); if (!t) return ("no tag"); + rc = GAEAD_DECRYPT(ctx->ed.dec, BCUR(&bin), BLEFT(&bin), bb); + assert(rc >= 0); + rc = GAEAD_DONE(ctx->ed.dec, 0, bb, t, ctx->tsz); assert(rc >= 0); + if (!rc) return ("authentication failure"); + return (0); +} + +static void aead_decdestroy(bulk *b) +{ + aead_encctx *ctx = (aead_encctx *)b; + if (ctx->ed.dec) GAEAD_DESTROY(ctx->ed.dec); + aead_commondestroy(ctx); +} + +static const struct bulkops aead_encops = { + aead_init, aead_encsetup, aead_overhead, + aead_encdoit, aead_encdestroy +}, aead_decops = { + aead_init, aead_decsetup, aead_overhead, + aead_decdoit, aead_decdestroy +}; + +/* --- NaCl `secretbox' in terms of AEAD --- */ + +static bulk *naclbox_init(key *k, const char *calg, const char *halg) +{ + const gcaead *aec; + dstr t = DSTR_INIT; + const char *q; + + key_fulltag(k, &t); + + if ((q = key_getattr(0, k, "cipher")) != 0) calg = q; + if (!calg || STRCMP(calg, ==, "salsa20")) aec = &salsa20_naclbox; + else if (STRCMP(calg, ==, "salsa20/12")) aec = &salsa2012_naclbox; + else if (STRCMP(calg, ==, "salsa20/8")) aec = &salsa208_naclbox; + else if (STRCMP(calg, ==, "chacha20")) aec = &chacha20_naclbox; + else if (STRCMP(calg, ==, "chacha12")) aec = &chacha12_naclbox; + else if (STRCMP(calg, ==, "chacha8")) aec = &chacha8_naclbox; + else { + die(EXIT_FAILURE, + "unknown or inappropriate encryption scheme `%s' in key `%s'", + calg, t.buf); + } + + dstr_destroy(&t); + return (aead_internalinit(k, aec)); +} + +static const bulkops naclbox_encops = { + naclbox_init, aead_encsetup, aead_overhead, + aead_encdoit, aead_encdestroy +}, naclbox_decops = { + naclbox_init, aead_decsetup, aead_overhead, + aead_decdoit, aead_decdestroy +}; + +/* --- Generic composition --- */ + +typedef struct gencomp_encctx { + bulk b; + const gccipher *cc; + const gcmac *mc; + gcipher *c, *cx; + gmac *m; + octet *t; size_t tsz; +} gencomp_encctx; + +static bulk *gencomp_init(key *k, const char *calg, const char *halg) +{ + gencomp_encctx *ctx = CREATE(gencomp_encctx); + const char *q; + dstr d = DSTR_INIT, t = DSTR_INIT; + + key_fulltag(k, &t); + + if ((q = key_getattr(0, k, "cipher")) != 0) calg = q; + if (!calg) ctx->cc = &blowfish_cbc; + else if ((ctx->cc = gcipher_byname(calg)) == 0) { + die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'", + calg, t.buf); + } + + dstr_reset(&d); + if ((q = key_getattr(0, k, "mac")) == 0) { + dstr_putf(&d, "%s-hmac", halg); + q = d.buf; + } + if ((ctx->mc = gmac_byname(q)) == 0) { + die(EXIT_FAILURE, + "message authentication code `%s' not found in key `%s'", + q, t.buf); + } + + return (&ctx->b); +} + +static int gencomp_setup(bulk *b, gcipher *cx) +{ + gencomp_encctx *ctx = (gencomp_encctx *)b; + size_t cn, mn, n; + octet *kd; + + ctx->cx = cx; + n = ctx->cc->blksz; + cn = keysz(0, ctx->cc->keysz); if (cn > n) n = cn; + mn = keysz(0, ctx->mc->keysz); if (mn > n) n = mn; + ctx->t = kd = xmalloc(n); ctx->tsz = n; + GC_ENCRYPT(cx, 0, kd, cn); + ctx->c = GC_INIT(ctx->cc, kd, cn); + GC_ENCRYPT(cx, 0, kd, mn); + ctx->m = GM_KEY(ctx->mc, kd, mn); + return (0); +} + +static size_t gencomp_overhead(bulk *b) +{ + gencomp_encctx *ctx = (gencomp_encctx *)b; + return (ctx->cc->blksz + ctx->mc->hashsz); } + +static void gencomp_destroy(bulk *b) +{ + gencomp_encctx *ctx = (gencomp_encctx *)b; + + GC_DESTROY(ctx->c); + GC_DESTROY(ctx->m); + xfree(ctx->t); + DESTROY(ctx); +} + +static const char *gencomp_encdoit(bulk *b, uint32 seq, buf *bb, + const void *p, size_t sz) +{ + gencomp_encctx *ctx = (gencomp_encctx *)b; + octet *tag, *ct; + ghash *h = GM_INIT(ctx->m); + + GH_HASHU32(h, seq); + if (ctx->cc->blksz) { + GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz); + GC_SETIV(ctx->c, ctx->t); + } + tag = buf_get(bb, ctx->mc->hashsz); assert(tag); + ct = buf_get(bb, sz); assert(ct); + GC_ENCRYPT(ctx->c, p, ct, sz); + GH_HASH(h, ct, sz); + GH_DONE(h, tag); + GH_DESTROY(h); + return (0); +} + +static const char *gencomp_decdoit(bulk *b, uint32 seq, buf *bb, + const void *p, size_t sz) +{ + gencomp_encctx *ctx = (gencomp_encctx *)b; + buf bin; + const octet *tag, *ct; + octet *pt; + ghash *h; + int ok; + + buf_init(&bin, (/*unconst*/ void *)p, sz); + if ((tag = buf_get(&bin, ctx->mc->hashsz)) == 0) return ("no tag"); + ct = BCUR(&bin); sz = BLEFT(&bin); + pt = buf_get(bb, sz); assert(pt); + + h = GM_INIT(ctx->m); + GH_HASHU32(h, seq); + GH_HASH(h, ct, sz); + ok = ct_memeq(tag, GH_DONE(h, 0), ctx->mc->hashsz); + GH_DESTROY(h); + if (!ok) return ("authentication failure"); + + if (ctx->cc->blksz) { + GC_ENCRYPT(ctx->cx, 0, ctx->t, ctx->cc->blksz); + GC_SETIV(ctx->c, ctx->t); + } + GC_DECRYPT(ctx->c, ct, pt, sz); + return (0); +} + +static const bulkops gencomp_encops = { + gencomp_init, gencomp_setup, gencomp_overhead, + gencomp_encdoit, gencomp_destroy +}, gencomp_decops = { + gencomp_init, gencomp_setup, gencomp_overhead, + gencomp_decdoit, gencomp_destroy +}; + +const struct bulktab bulktab[] = { + { "gencomp", &gencomp_encops, &gencomp_decops }, + { "naclbox", &naclbox_encops, &naclbox_decops }, + { "aead", &aead_encops, &aead_decops }, + { 0, 0, 0 } +}; + /*----- Key encapsulation -------------------------------------------------*/ /* --- RSA --- */ @@ -350,6 +675,80 @@ static const kemops ec_decops = { ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy }; +/* --- X25519 and similar schemes --- */ + +#define XDHS(_) \ + _(x25519, X25519) \ + _(x448, X448) + +#define XDHDEF(xdh, XDH) \ + \ + static kem *xdh##_encinit(key *k, void *kd) { return (CREATE(kem)); } \ + static void xdh##_encdestroy(kem *k) { DESTROY(k); } \ + \ + static const char *xdh##_enccheck(kem *k) \ + { \ + xdh##_pub *kd = k->kd; \ + \ + if (kd->pub.sz != XDH##_PUBSZ) \ + return ("incorrect " #XDH "public key length"); \ + return (0); \ + } \ + \ + static int xdh##_encdoit(kem *k, dstr *d, ghash *h) \ + { \ + octet t[XDH##_KEYSZ], z[XDH##_OUTSZ]; \ + xdh##_pub *kd = k->kd; \ + \ + rand_get(RAND_GLOBAL, t, sizeof(t)); \ + dstr_ensure(d, XDH##_PUBSZ); \ + xdh((octet *)d->buf, t, xdh##_base); \ + xdh(z, t, kd->pub.k); \ + d->len += XDH##_PUBSZ; \ + GH_HASH(h, d->buf, XDH##_PUBSZ); \ + GH_HASH(h, z, XDH##_OUTSZ); \ + return (0); \ + } \ + \ + static const char *xdh##_deccheck(kem *k) \ + { \ + xdh##_priv *kd = k->kd; \ + \ + if (kd->priv.sz != XDH##_KEYSZ) \ + return ("incorrect " #XDH " private key length"); \ + if (kd->pub.sz != XDH##_PUBSZ) \ + return ("incorrect " #XDH " public key length"); \ + return (0); \ + } \ + \ + static int xdh##_decdoit(kem *k, dstr *d, ghash *h) \ + { \ + octet z[XDH##_OUTSZ]; \ + xdh##_priv *kd = k->kd; \ + int rc = -1; \ + \ + if (d->len != XDH##_PUBSZ) goto done; \ + xdh(z, kd->priv.k, (const octet *)d->buf); \ + GH_HASH(h, d->buf, XDH##_PUBSZ); \ + GH_HASH(h, z, XDH##_OUTSZ); \ + rc = 0; \ + done: \ + return (rc); \ + } \ + \ + static const kemops xdh##_encops = { \ + xdh##_pubfetch, sizeof(xdh##_pub), \ + xdh##_encinit, xdh##_encdoit, xdh##_enccheck, xdh##_encdestroy \ + }; \ + \ + static const kemops xdh##_decops = { \ + xdh##_privfetch, sizeof(xdh##_priv), \ + xdh##_encinit, xdh##_decdoit, xdh##_deccheck, xdh##_encdestroy \ + }; + +XDHS(XDHDEF) +#undef XDHDEF + /* --- Symmetric --- */ typedef struct symm_ctx { @@ -418,6 +817,10 @@ const struct kemtab kemtab[] = { { "dh", &dh_encops, &dh_decops }, { "bindh", &bindh_encops, &bindh_decops }, { "ec", &ec_encops, &ec_decops }, +#define XDHTAB(xdh, XDH) \ + { #xdh, &xdh##_encops, &xdh##_decops }, + XDHS(XDHTAB) +#undef XDHTAB { "symm", &symm_encops, &symm_decops }, { 0, 0, 0 } }; @@ -427,15 +830,16 @@ const struct kemtab kemtab[] = { * Arguments: @key *k@ = the key to load * @const char *app@ = application name * @int wantpriv@ = nonzero if we want to decrypt + * @bulk **bc@ = bulk crypto context to set up * * Returns: A key-encapsulating thing. * * Use: Loads a key. */ -kem *getkem(key *k, const char *app, int wantpriv) +kem *getkem(key *k, const char *app, int wantpriv, bulk **bc) { - const char *kalg, *halg = 0, *calg = 0; + const char *kalg, *halg = 0, *balg = 0; dstr d = DSTR_INIT; dstr t = DSTR_INIT; size_t n; @@ -444,6 +848,8 @@ kem *getkem(key *k, const char *app, int wantpriv) kem *kk; const struct kemtab *kt; const kemops *ko; + const struct bulktab *bt; + const bulkops *bo; void *kd; int e; key_packdef *kp; @@ -461,24 +867,24 @@ kem *getkem(key *k, const char *app, int wantpriv) if ((q = key_getattr(0, k, "kem")) != 0) { dstr_puts(&d, q); p = d.buf; - } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') { + } else if (STRNCMP(k->type, ==, app, n) && k->type[n] == '-') { dstr_puts(&d, k->type); p = d.buf + n + 1; } else die(EXIT_FAILURE, "no KEM for key `%s'", t.buf); kalg = p; - /* --- Grab the encryption scheme --- * + /* --- Grab the bulk encryption scheme --- * * * Grab it from the KEM if it's there, but override it from the attribute. */ if (p && (p = strchr(p, '/')) != 0) { *p++ = 0; - calg = p; + balg = p; } - if ((q = key_getattr(0, k, "cipher")) != 0) - calg = q; + if ((q = key_getattr(0, k, "bulk")) != 0) + balg = q; /* --- Grab the hash function --- */ @@ -492,7 +898,7 @@ kem *getkem(key *k, const char *app, int wantpriv) /* --- Instantiate the KEM --- */ for (kt = kemtab; kt->name; kt++) { - if (strcmp(kt->name, kalg) == 0) + if (STRCMP(kt->name, ==, kalg)) goto k_found; } die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'", @@ -516,43 +922,42 @@ k_found:; kk->ops = ko; kk->kd = kd; - /* --- Set up the algorithms --- */ + /* --- Set up the bulk crypto --- */ if (!halg) - kk->h = &rmd160; - else if ((kk->h = ghash_byname(halg)) == 0) { + kk->hc = &rmd160; + else if ((kk->hc = ghash_byname(halg)) == 0) { die(EXIT_FAILURE, "hash algorithm `%s' not found in key `%s'", halg, t.buf); } - if (!calg) - kk->c = &blowfish_cbc; - else if ((kk->c = gcipher_byname(calg)) == 0) { - die(EXIT_FAILURE, "encryption scheme `%s' not found in key `%s'", - calg, t.buf); + if (!balg) + bt = bulktab; + else { + for (bt = bulktab, bo = 0; bt->name; bt++) { + if (STRCMP(balg, ==, bt->name)) + { balg = 0; goto b_found; } + n = strlen(bt->name); + if (STRNCMP(balg, ==, bt->name, n) && balg[n] == '-') + { balg += n + 1; goto b_found; } + } + bt = bulktab; + b_found:; } + bo = wantpriv ? bt->decops : bt->encops; + *bc = bo->init(k, balg, kk->hc->name); + (*bc)->ops = bo; dstr_reset(&d); if ((q = key_getattr(0, k, "kdf")) == 0) { - dstr_putf(&d, "%s-mgf", kk->h->name); + dstr_putf(&d, "%s-mgf", kk->hc->name); q = d.buf; } - if ((kk->cx = gcipher_byname(q)) == 0) { + if ((kk->cxc = gcipher_byname(q)) == 0) { die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'", q, t.buf); } - dstr_reset(&d); - if ((q = key_getattr(0, k, "mac")) == 0) { - dstr_putf(&d, "%s-hmac", kk->h->name); - q = d.buf; - } - if ((kk->m = gmac_byname(q)) == 0) { - die(EXIT_FAILURE, - "message authentication code `%s' not found in key `%s'", - q, t.buf); - } - /* --- Tidy up --- */ dstr_destroy(&d); @@ -564,39 +969,29 @@ k_found:; * * Arguments: @kem *k@ = key-encapsulation thing * @dstr *d@ = key-encapsulation data - * @gcipher **cx@ = key-expansion function (for IVs) - * @gcipher **c@ = where to put initialized encryption scheme - * @gmac **m@ = where to put initialized MAC + * @bulk *bc@ = bulk crypto context to set up * * Returns: Zero on success, nonzero on failure. * * Use: Initializes all the various symmetric things from a KEM. */ -int setupkem(kem *k, dstr *d, gcipher **cx, gcipher **c, gmac **m) +int setupkem(kem *k, dstr *d, bulk *bc) { octet *kd; - size_t n, cn, mn; + size_t n; ghash *h; int rc = -1; - h = GH_INIT(k->h); + h = GH_INIT(k->hc); if (k->ops->doit(k, d, h)) goto done; - n = keysz(GH_CLASS(h)->hashsz, k->cx->keysz); + n = keysz(GH_CLASS(h)->hashsz, k->cxc->keysz); if (!n) goto done; kd = GH_DONE(h, 0); - *cx = GC_INIT(k->cx, kd, n); - - cn = keysz(0, k->c->keysz); n = cn; - mn = keysz(0, k->m->keysz); if (mn > n) n = mn; - kd = xmalloc(n); - GC_ENCRYPT(*cx, 0, kd, cn); - *c = GC_INIT(k->c, kd, cn); - GC_ENCRYPT(*cx, 0, kd, mn); - *m = GM_KEY(k->m, kd, mn); - xfree(kd); + k->cx = GC_INIT(k->cxc, kd, n); + bc->ops->setup(bc, k->cx); rc = 0; done: @@ -621,6 +1016,7 @@ void freekem(kem *k) key_fetchdone(k->kp); xfree(k->kd); } + GC_DESTROY(k->cx); k->ops->destroy(k); }