X-Git-Url: https://git.distorted.org.uk/~mdw/catacomb/blobdiff_plain/925ff94a516478164fdd01d53332637455e0074d..141c12847a1c2f8cc8db03d420551584e689fb87:/progs/cc-kem.c

diff --git a/progs/cc-kem.c b/progs/cc-kem.c
index 1e99e05d..36dfdb3d 100644
--- a/progs/cc-kem.c
+++ b/progs/cc-kem.c
@@ -33,9 +33,11 @@
 
 #include <mLib/alloc.h>
 #include <mLib/dstr.h>
+#include <mLib/macros.h>
 #include <mLib/report.h>
 #include <mLib/sub.h>
 
+#include "gaead.h"
 #include "mprand.h"
 #include "rand.h"
 
@@ -48,6 +50,7 @@
 
 #include "rmd160.h"
 #include "blowfish-cbc.h"
+#include "chacha20-poly1305.h"
 #include "poly1305.h"
 #include "salsa20.h"
 #include "chacha.h"
@@ -56,113 +59,180 @@
 
 /*----- Bulk crypto -------------------------------------------------------*/
 
-/* --- NaCl `secretbox' --- */
+/* --- Authenticated encryption schemes --- */
 
-typedef struct naclbox_encctx {
+typedef struct aead_encctx {
   bulk b;
-  const gccipher *cc;
-  gcipher *c;
-} naclbox_encctx;
+  const gcaead *aec;
+  gaead_key *key;
+  union { gaead_enc *enc; gaead_dec *dec; } ed;
+  octet *t;
+  size_t nsz, tsz;
+} aead_encctx;
 
-static bulk *naclbox_init(key *k, const char *calg, const char *halg)
+static bulk *aead_internalinit(key *k, const gcaead *aec)
 {
-  naclbox_encctx *ctx = CREATE(naclbox_encctx);
-  dstr t = DSTR_INIT;
+  aead_encctx *ctx = CREATE(aead_encctx);
+
+  ctx->key = 0;
+  ctx->aec = aec;
+  if ((ctx->nsz = keysz_pad(4, aec->noncesz)) == 0)
+    die(EXIT_FAILURE, "no suitable nonce size for `%s'", aec->name);
+  ctx->tsz = keysz(0, ctx->aec->tagsz);
+
+  return (&ctx->b);
+}
+
+static bulk *aead_init(key *k, const char *calg, const char *halg)
+{
+  const gcaead *aec;
   const char *q;
+  dstr t = DSTR_INIT;
 
   key_fulltag(k, &t);
 
   if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
-  if (!calg || strcmp(calg, "salsa20") == 0) ctx->cc = &salsa20;
-  else if (strcmp(calg, "salsa20/12") == 0) ctx->cc = &salsa2012;
-  else if (strcmp(calg, "salsa20/8") == 0) ctx->cc = &salsa208;
-  else if (strcmp(calg, "chacha20") == 0) ctx->cc = &chacha20;
-  else if (strcmp(calg, "chacha12") == 0) ctx->cc = &chacha12;
-  else if (strcmp(calg, "chacha8") == 0) ctx->cc = &chacha8;
-  else {
-    die(EXIT_FAILURE,
-	"unknown or inappropriate encryption scheme `%s' in key `%s'",
+  if (!calg) aec = &chacha20_poly1305;
+  else if ((aec = gaead_byname(calg)) == 0)
+    die(EXIT_FAILURE, "AEAD scheme `%s' not found in key `%s'",
 	calg, t.buf);
-  }
 
   dstr_destroy(&t);
-  return (&ctx->b);
+  return (aead_internalinit(k, aec));
 }
 
-static int naclbox_setup(bulk *b, gcipher *cx)
+static int aead_commonsetup(aead_encctx *ctx, gcipher *cx)
 {
-  naclbox_encctx *ctx = (naclbox_encctx *)b;
-  octet k[SALSA20_KEYSZ];
+  size_t ksz, n;
 
-  GC_ENCRYPT(cx, 0, k, sizeof(k));
-  ctx->c = GC_INIT(ctx->cc, k, sizeof(k));
+  n = ksz = keysz(0, ctx->aec->keysz);
+  if (n < ctx->nsz) n = ctx->nsz;
+  if (n < ctx->tsz) n = ctx->tsz;
+  ctx->t = xmalloc(n);
+
+  GC_ENCRYPT(cx, 0, ctx->t, ksz);
+  ctx->key = GAEAD_KEY(ctx->aec, ctx->t, ksz);
   return (0);
 }
 
-static size_t naclbox_overhead(bulk *b) { return (POLY1305_TAGSZ); }
+static size_t aead_overhead(bulk *b)
+  { aead_encctx *ctx = (aead_encctx *)b; return (ctx->aec->ohd + ctx->tsz); }
 
-static void naclbox_destroy(bulk *b)
+static void aead_commondestroy(aead_encctx *ctx)
 {
-  naclbox_encctx *ctx = (naclbox_encctx *)b;
-
-  GC_DESTROY(ctx->c);
+  if (ctx->key) GAEAD_DESTROY(ctx->key);
+  xfree(ctx->t);
   DESTROY(ctx);
 }
 
-static const char *naclbox_encdoit(bulk *b, uint32 seq, buf *bb,
-				   const void *p, size_t sz)
+static int aead_encsetup(bulk *b, gcipher *cx)
 {
-  naclbox_encctx *ctx = (naclbox_encctx *)b;
-  octet t[32];
-  poly1305_key ak;
-  poly1305_ctx a;
-  octet *tag, *ct;
+  aead_encctx *ctx = (aead_encctx *)b;
+  ctx->ed.enc = 0; return (aead_commonsetup(ctx, cx));
+}
 
-  STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
-  GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
-  poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
-  poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
+static const char *aead_encdoit(bulk *b, uint32 seq, buf *bb,
+				const void *p, size_t sz)
+{
+  aead_encctx *ctx = (aead_encctx *)b;
+  octet *t;
+  int rc;
 
-  tag = buf_get(bb, POLY1305_TAGSZ); assert(tag);
-  ct = buf_get(bb, sz); assert(ct);
-  GC_ENCRYPT(ctx->c, p, ct, sz);
-  poly1305_hash(&a, ct, sz);
-  poly1305_done(&a, tag);
+  memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq);
+  if (!ctx->ed.enc)
+    ctx->ed.enc = GAEAD_ENC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
+  else
+    GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
+  t = buf_get(bb, ctx->tsz); assert(t);
+  rc = GAEAD_ENCRYPT(ctx->ed.enc, p, sz, bb); assert(rc >= 0);
+  rc = GAEAD_DONE(ctx->ed.enc, 0, bb, t, ctx->tsz); assert(rc >= 0);
   return (0);
 }
 
-static const char *naclbox_decdoit(bulk *b, uint32 seq, buf *bb,
-				   const void *p, size_t sz)
+static void aead_encdestroy(bulk *b)
+{
+  aead_encctx *ctx = (aead_encctx *)b;
+  if (ctx->ed.enc) GAEAD_DESTROY(ctx->ed.enc);
+  aead_commondestroy(ctx);
+}
+
+static int aead_decsetup(bulk *b, gcipher *cx)
 {
-  naclbox_encctx *ctx = (naclbox_encctx *)b;
+  aead_encctx *ctx = (aead_encctx *)b;
+  ctx->ed.dec = 0; return (aead_commonsetup(ctx, cx));
+}
+
+static const char *aead_decdoit(bulk *b, uint32 seq, buf *bb,
+				const void *p, size_t sz)
+{
+  aead_encctx *ctx = (aead_encctx *)b;
   buf bin;
-  octet t[32];
-  poly1305_key ak;
-  poly1305_ctx a;
-  octet *tag, *ct, *pt;
+  const octet *t;
+  int rc;
 
-  STORE32(t, seq); STORE32(t + 4, 0); GC_SETIV(ctx->c, t);
-  GC_ENCRYPT(ctx->c, 0, t, POLY1305_KEYSZ + POLY1305_MASKSZ);
-  poly1305_keyinit(&ak, t, POLY1305_KEYSZ);
-  poly1305_macinit(&a, &ak, t + POLY1305_KEYSZ);
+  memset(ctx->t + 4, 0, ctx->nsz - 4); STORE32_B(ctx->t, seq);
+  if (!ctx->ed.dec)
+    ctx->ed.dec = GAEAD_DEC(ctx->key, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
+  else
+    GAEAD_REINIT(ctx->ed.enc, ctx->t, ctx->nsz, 0, sz, ctx->tsz);
 
   buf_init(&bin, (/*unconst*/ void *)p, sz);
-  if ((tag = buf_get(&bin, POLY1305_TAGSZ)) == 0) return ("no tag");
-  ct = BCUR(&bin); sz = BLEFT(&bin);
-  poly1305_hash(&a, ct, sz);
-  poly1305_done(&a, t);
-  if (!ct_memeq(t, tag, POLY1305_TAGSZ)) return ("authentication failure");
-  pt = buf_get(bb, sz); assert(pt);
-  GC_DECRYPT(ctx->c, ct, pt, sz);
+  t = buf_get(&bin, ctx->tsz); if (!t) return ("no tag");
+  rc = GAEAD_DECRYPT(ctx->ed.dec, BCUR(&bin), BLEFT(&bin), bb);
+  assert(rc >= 0);
+  rc = GAEAD_DONE(ctx->ed.dec, 0, bb, t, ctx->tsz); assert(rc >= 0);
+  if (!rc) return ("authentication failure");
   return (0);
 }
 
+static void aead_decdestroy(bulk *b)
+{
+  aead_encctx *ctx = (aead_encctx *)b;
+  if (ctx->ed.dec) GAEAD_DESTROY(ctx->ed.dec);
+  aead_commondestroy(ctx);
+}
+
+static const struct bulkops aead_encops = {
+  aead_init, aead_encsetup, aead_overhead,
+  aead_encdoit, aead_encdestroy
+}, aead_decops = {
+  aead_init, aead_decsetup, aead_overhead,
+  aead_decdoit, aead_decdestroy
+};
+
+/* --- NaCl `secretbox' in terms of AEAD --- */
+
+static bulk *naclbox_init(key *k, const char *calg, const char *halg)
+{
+  const gcaead *aec;
+  dstr t = DSTR_INIT;
+  const char *q;
+
+  key_fulltag(k, &t);
+
+  if ((q = key_getattr(0, k, "cipher")) != 0) calg = q;
+  if (!calg || STRCMP(calg, ==, "salsa20")) aec = &salsa20_naclbox;
+  else if (STRCMP(calg, ==, "salsa20/12")) aec = &salsa2012_naclbox;
+  else if (STRCMP(calg, ==, "salsa20/8")) aec = &salsa208_naclbox;
+  else if (STRCMP(calg, ==, "chacha20")) aec = &chacha20_naclbox;
+  else if (STRCMP(calg, ==, "chacha12")) aec = &chacha12_naclbox;
+  else if (STRCMP(calg, ==, "chacha8")) aec = &chacha8_naclbox;
+  else {
+    die(EXIT_FAILURE,
+	"unknown or inappropriate encryption scheme `%s' in key `%s'",
+	calg, t.buf);
+  }
+
+  dstr_destroy(&t);
+  return (aead_internalinit(k, aec));
+}
+
 static const bulkops naclbox_encops = {
-  naclbox_init, naclbox_setup, naclbox_overhead,
-  naclbox_encdoit, naclbox_destroy
+  naclbox_init, aead_encsetup, aead_overhead,
+  aead_encdoit, aead_encdestroy
 }, naclbox_decops = {
-  naclbox_init, naclbox_setup, naclbox_overhead,
-  naclbox_decdoit, naclbox_destroy
+  naclbox_init, aead_decsetup, aead_overhead,
+  aead_decdoit, aead_decdestroy
 };
 
 /* --- Generic composition --- */
@@ -300,6 +370,7 @@ static const bulkops gencomp_encops = {
 const struct bulktab bulktab[] = {
   { "gencomp",	&gencomp_encops,	&gencomp_decops },
   { "naclbox",	&naclbox_encops,	&naclbox_decops },
+  { "aead",	&aead_encops,		&aead_decops },
   { 0,		0,			0 }
 };
 
@@ -796,7 +867,7 @@ kem *getkem(key *k, const char *app, int wantpriv, bulk **bc)
   if ((q = key_getattr(0, k, "kem")) != 0) {
     dstr_puts(&d, q);
     p = d.buf;
-  } else if (strncmp(k->type, app, n) == 0 && k->type[n] == '-') {
+  } else if (STRNCMP(k->type, ==, app, n) && k->type[n] == '-') {
     dstr_puts(&d, k->type);
     p = d.buf + n + 1;
   } else
@@ -827,7 +898,7 @@ kem *getkem(key *k, const char *app, int wantpriv, bulk **bc)
   /* --- Instantiate the KEM --- */
 
   for (kt = kemtab; kt->name; kt++) {
-    if (strcmp(kt->name, kalg) == 0)
+    if (STRCMP(kt->name, ==, kalg))
       goto k_found;
   }
   die(EXIT_FAILURE, "key encapsulation mechanism `%s' not found in key `%s'",
@@ -864,10 +935,10 @@ k_found:;
     bt = bulktab;
   else {
     for (bt = bulktab, bo = 0; bt->name; bt++) {
-      if (strcmp(balg, bt->name) == 0)
+      if (STRCMP(balg, ==, bt->name))
 	{ balg = 0; goto b_found; }
       n = strlen(bt->name);
-      if (strncmp(balg, bt->name, n) == 0 && balg[n] == '-')
+      if (STRNCMP(balg, ==, bt->name, n) && balg[n] == '-')
 	{ balg += n + 1; goto b_found; }
     }
     bt = bulktab;