X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/66ff643c652defc000809488f58db090052ca75e..318c3c31be343fdba362cb60f33aab3e88798d8a:/progs/cc-kem.c diff --git a/progs/cc-kem.c b/progs/cc-kem.c index 6c4d7f30..36dfdb3d 100644 --- a/progs/cc-kem.c +++ b/progs/cc-kem.c @@ -33,9 +33,11 @@ #include #include +#include #include #include +#include "gaead.h" #include "mprand.h" #include "rand.h" @@ -43,14 +45,196 @@ #include "ec-keys.h" #include "dh.h" #include "rsa.h" +#include "x25519.h" +#include "x448.h" #include "rmd160.h" #include "blowfish-cbc.h" +#include "chacha20-poly1305.h" +#include "poly1305.h" +#include "salsa20.h" +#include "chacha.h" #include "cc.h" /*----- Bulk crypto -------------------------------------------------------*/ +/* --- Authenticated encryption schemes --- */ + +typedef struct aead_encctx { + bulk b; + const gcaead *aec; + gaead_key *key; + union { gaead_enc *enc; gaead_dec *dec; } ed; + octet *t; + size_t nsz, tsz; +} aead_encctx; + +static bulk *aead_internalinit(key *k, const gcaead *aec) +{ + aead_encctx *ctx = CREATE(aead_encctx); + + ctx->key = 0; + ctx->aec = aec; + if ((ctx->nsz = keysz_pad(4, aec->noncesz)) == 0) + die(EXIT_FAILURE, "no suitable nonce size for `%s'", aec->name); + ctx->tsz = keysz(0, ctx->aec->tagsz); + + return (&ctx->b); +} + +static bulk *aead_init(key *k, const char *calg, const char *halg) +{ + const gcaead *aec; + const char *q; + dstr t = DSTR_INIT; + + key_fulltag(k, &t); + + if ((q = key_getattr(0, k, "cipher")) != 0) calg = q; + if (!calg) aec = &chacha20_poly1305; + else if ((aec = gaead_byname(calg)) == 0) + die(EXIT_FAILURE, "AEAD scheme `%s' not found in key `%s'", + calg, t.buf); + + dstr_destroy(&t); + return (aead_internalinit(k, aec)); +} + +static int aead_commonsetup(aead_encctx *ctx, gcipher *cx) +{ + size_t ksz, n; + + n = ksz = keysz(0, ctx->aec->keysz); + if (n < ctx->nsz) n = ctx->nsz; + if (n < ctx->tsz) n = ctx->tsz; + ctx->t = xmalloc(n); + + GC_ENCRYPT(cx, 0, ctx->t, ksz); + ctx->key = GAEAD_KEY(ctx->aec, ctx->t, ksz); + return (0); +} + +static size_t aead_overhead(bulk *b) + { aead_encctx *ctx = (aead_encctx *)b; return (ctx->aec->ohd + ctx->tsz); } + +static void aead_commondestroy(aead_encctx *ctx) +{ + if (ctx->key) GAEAD_DESTROY(ctx->key); + xfree(ctx->t); + DESTROY(ctx); +} + +static int aead_encsetup(bulk *b, gcipher *cx) +{ + aead_encctx *ctx = (aead_encctx *)b; + ctx->ed.enc = 0; return (aead_commonsetup(ctx, cx)); +} + +static const char *aead_encdoit(bulk *b, uint32 seq, buf *bb, + const void *p, size_t sz) +{ + aead_encctx *ctx = (aead_encctx *)b; + octet *t; + int rc; + + memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq); + if (!ctx->ed.enc) + ctx->ed.enc = GAEAD_ENC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + else + GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + t = buf_get(bb, ctx->tsz); assert(t); + rc = GAEAD_ENCRYPT(ctx->ed.enc, p, sz, bb); assert(rc >= 0); + rc = GAEAD_DONE(ctx->ed.enc, 0, bb, t, ctx->tsz); assert(rc >= 0); + return (0); +} + +static void aead_encdestroy(bulk *b) +{ + aead_encctx *ctx = (aead_encctx *)b; + if (ctx->ed.enc) GAEAD_DESTROY(ctx->ed.enc); + aead_commondestroy(ctx); +} + +static int aead_decsetup(bulk *b, gcipher *cx) +{ + aead_encctx *ctx = (aead_encctx *)b; + ctx->ed.dec = 0; return (aead_commonsetup(ctx, cx)); +} + +static const char *aead_decdoit(bulk *b, uint32 seq, buf *bb, + const void *p, size_t sz) +{ + aead_encctx *ctx = (aead_encctx *)b; + buf bin; + const octet *t; + int rc; + + memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq); + if (!ctx->ed.dec) + ctx->ed.dec = GAEAD_DEC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + else + GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz); + + buf_init(&bin, (/*unconst*/ void *)p, sz); + t = buf_get(&bin, ctx->tsz); if (!t) return ("no tag"); + rc = GAEAD_DECRYPT(ctx->ed.dec, BCUR(&bin), BLEFT(&bin), bb); + assert(rc >= 0); + rc = GAEAD_DONE(ctx->ed.dec, 0, bb, t, ctx->tsz); assert(rc >= 0); + if (!rc) return ("authentication failure"); + return (0); +} + +static void aead_decdestroy(bulk *b) +{ + aead_encctx *ctx = (aead_encctx *)b; + if (ctx->ed.dec) GAEAD_DESTROY(ctx->ed.dec); + aead_commondestroy(ctx); +} + +static const struct bulkops aead_encops = { + aead_init, aead_encsetup, aead_overhead, + aead_encdoit, aead_encdestroy +}, aead_decops = { + aead_init, aead_decsetup, aead_overhead, + aead_decdoit, aead_decdestroy +}; + +/* --- NaCl `secretbox' in terms of AEAD --- */ + +static bulk *naclbox_init(key *k, const char *calg, const char *halg) +{ + const gcaead *aec; + dstr t = DSTR_INIT; + const char *q; + + key_fulltag(k, &t); + + if ((q = key_getattr(0, k, "cipher")) != 0) calg = q; + if (!calg || STRCMP(calg, ==, "salsa20")) aec = &salsa20_naclbox; + else if (STRCMP(calg, ==, "salsa20/12")) aec = &salsa2012_naclbox; + else if (STRCMP(calg, ==, "salsa20/8")) aec = &salsa208_naclbox; + else if (STRCMP(calg, ==, "chacha20")) aec = &chacha20_naclbox; + else if (STRCMP(calg, ==, "chacha12")) aec = &chacha12_naclbox; + else if (STRCMP(calg, ==, "chacha8")) aec = &chacha8_naclbox; + else { + die(EXIT_FAILURE, + "unknown or inappropriate encryption scheme `%s' in key `%s'", + calg, t.buf); + } + + dstr_destroy(&t); + return (aead_internalinit(k, aec)); +} + +static const bulkops naclbox_encops = { + naclbox_init, aead_encsetup, aead_overhead, + aead_encdoit, aead_encdestroy +}, naclbox_decops = { + naclbox_init, aead_decsetup, aead_overhead, + aead_decdoit, aead_decdestroy +}; + /* --- Generic composition --- */ typedef struct gencomp_encctx { @@ -185,6 +369,8 @@ static const bulkops gencomp_encops = { const struct bulktab bulktab[] = { { "gencomp", &gencomp_encops, &gencomp_decops }, + { "naclbox", &naclbox_encops, &naclbox_decops }, + { "aead", &aead_encops, &aead_decops }, { 0, 0, 0 } }; @@ -489,6 +675,80 @@ static const kemops ec_decops = { ec_decinit, dh_decdoit, dh_enccheck, dh_encdestroy }; +/* --- X25519 and similar schemes --- */ + +#define XDHS(_) \ + _(x25519, X25519) \ + _(x448, X448) + +#define XDHDEF(xdh, XDH) \ + \ + static kem *xdh##_encinit(key *k, void *kd) { return (CREATE(kem)); } \ + static void xdh##_encdestroy(kem *k) { DESTROY(k); } \ + \ + static const char *xdh##_enccheck(kem *k) \ + { \ + xdh##_pub *kd = k->kd; \ + \ + if (kd->pub.sz != XDH##_PUBSZ) \ + return ("incorrect " #XDH "public key length"); \ + return (0); \ + } \ + \ + static int xdh##_encdoit(kem *k, dstr *d, ghash *h) \ + { \ + octet t[XDH##_KEYSZ], z[XDH##_OUTSZ]; \ + xdh##_pub *kd = k->kd; \ + \ + rand_get(RAND_GLOBAL, t, sizeof(t)); \ + dstr_ensure(d, XDH##_PUBSZ); \ + xdh((octet *)d->buf, t, xdh##_base); \ + xdh(z, t, kd->pub.k); \ + d->len += XDH##_PUBSZ; \ + GH_HASH(h, d->buf, XDH##_PUBSZ); \ + GH_HASH(h, z, XDH##_OUTSZ); \ + return (0); \ + } \ + \ + static const char *xdh##_deccheck(kem *k) \ + { \ + xdh##_priv *kd = k->kd; \ + \ + if (kd->priv.sz != XDH##_KEYSZ) \ + return ("incorrect " #XDH " private key length"); \ + if (kd->pub.sz != XDH##_PUBSZ) \ + return ("incorrect " #XDH " public key length"); \ + return (0); \ + } \ + \ + static int xdh##_decdoit(kem *k, dstr *d, ghash *h) \ + { \ + octet z[XDH##_OUTSZ]; \ + xdh##_priv *kd = k->kd; \ + int rc = -1; \ + \ + if (d->len != XDH##_PUBSZ) goto done; \ + xdh(z, kd->priv.k, (const octet *)d->buf); \ + GH_HASH(h, d->buf, XDH##_PUBSZ); \ + GH_HASH(h, z, XDH##_OUTSZ); \ + rc = 0; \ + done: \ + return (rc); \ + } \ + \ + static const kemops xdh##_encops = { \ + xdh##_pubfetch, sizeof(xdh##_pub), \ + xdh##_encinit, xdh##_encdoit, xdh##_enccheck, xdh##_encdestroy \ + }; \ + \ + static const kemops xdh##_decops = { \ + xdh##_privfetch, sizeof(xdh##_priv), \ + xdh##_encinit, xdh##_decdoit, xdh##_deccheck, xdh##_encdestroy \ + }; + +XDHS(XDHDEF) +#undef XDHDEF + /* --- Symmetric --- */ typedef struct symm_ctx { @@ -557,6 +817,10 @@ const struct kemtab kemtab[] = { { "dh", &dh_encops, &dh_decops }, { "bindh", &bindh_encops, &bindh_decops }, { "ec", &ec_encops, &ec_decops }, +#define XDHTAB(xdh, XDH) \ + { #xdh, &xdh##_encops, &xdh##_decops }, + XDHS(XDHTAB) +#undef XDHTAB { "symm", &symm_encops, &symm_decops }, { 0, 0, 0 } }; @@ -603,7 +867,7 @@ kem *getkem(key *k, const char *app, int wantpriv, bulk **bc) if ((q = key_getattr(0, k, "kem")) != 0) { dstr_puts(&d, q); p = d.buf; - } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') { + } else if (STRNCMP(k->type, ==, app, n) && k->type[n] == '-') { dstr_puts(&d, k->type); p = d.buf + n + 1; } else @@ -634,7 +898,7 @@ kem *getkem(key *k, const char *app, int wantpriv, bulk **bc) /* --- Instantiate the KEM --- */ for (kt = kemtab; kt->name; kt++) { - if (strcmp(kt->name, kalg) == 0) + if (STRCMP(kt->name, ==, kalg)) goto k_found; } die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'", @@ -667,24 +931,14 @@ k_found:; halg, t.buf); } - dstr_reset(&d); - if ((q = key_getattr(0, k, "kdf")) == 0) { - dstr_putf(&d, "%s-mgf", kk->hc->name); - q = d.buf; - } - if ((kk->cxc = gcipher_byname(q)) == 0) { - die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'", - q, t.buf); - } - if (!balg) bt = bulktab; else { for (bt = bulktab, bo = 0; bt->name; bt++) { - if (strcmp(balg, bt->name) == 0) + if (STRCMP(balg, ==, bt->name)) { balg = 0; goto b_found; } n = strlen(bt->name); - if (strncmp(balg, bt->name, n) == 0 && balg[n] == '-') + if (STRNCMP(balg, ==, bt->name, n) && balg[n] == '-') { balg += n + 1; goto b_found; } } bt = bulktab; @@ -694,6 +948,16 @@ k_found:; *bc = bo->init(k, balg, kk->hc->name); (*bc)->ops = bo; + dstr_reset(&d); + if ((q = key_getattr(0, k, "kdf")) == 0) { + dstr_putf(&d, "%s-mgf", kk->hc->name); + q = d.buf; + } + if ((kk->cxc = gcipher_byname(q)) == 0) { + die(EXIT_FAILURE, "encryption scheme (KDF) `%s' not found in key `%s'", + q, t.buf); + } + /* --- Tidy up --- */ dstr_destroy(&d);