| 1 | /* -*-c-*- |
| 2 | * |
| 3 | * Diffie--Hellman groups |
| 4 | * |
| 5 | * (c) 2017 Straylight/Edgeware |
| 6 | */ |
| 7 | |
| 8 | /*----- Licensing notice --------------------------------------------------* |
| 9 | * |
| 10 | * This file is part of Trivial IP Encryption (TrIPE). |
| 11 | * |
| 12 | * TrIPE is free software; you can redistribute it and/or modify |
| 13 | * it under the terms of the GNU General Public License as published by |
| 14 | * the Free Software Foundation; either version 2 of the License, or |
| 15 | * (at your option) any later version. |
| 16 | * |
| 17 | * TrIPE is distributed in the hope that it will be useful, |
| 18 | * but WITHOUT ANY WARRANTY; without even the implied warranty of |
| 19 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
| 20 | * GNU General Public License for more details. |
| 21 | * |
| 22 | * You should have received a copy of the GNU General Public License |
| 23 | * along with TrIPE; if not, write to the Free Software Foundation, |
| 24 | * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. |
| 25 | */ |
| 26 | |
| 27 | /*----- Header files ------------------------------------------------------*/ |
| 28 | |
| 29 | #include "tripe.h" |
| 30 | |
| 31 | /*----- Common utilities --------------------------------------------------*/ |
| 32 | |
| 33 | /* --- @KLOAD@ --- * |
| 34 | * |
| 35 | * Arguments: @pre@ = prefix for defined functions |
| 36 | * @ty@, @TY@ = key type name (lower- and upper-case) |
| 37 | * @setgroup@ = code to initialize @kd->g@ |
| 38 | * @setpriv@ = code to initialize @kd->kpriv@ |
| 39 | * @setpub@ = code to initialize @kd->kpub@ |
| 40 | * |
| 41 | * Use: Generates the body of one of the (rather tedious) key loading |
| 42 | * functions. See the description of @KEYTYPES@ below for the |
| 43 | * details. |
| 44 | */ |
| 45 | |
| 46 | #define KLOAD_HALF(pre, ty, TY, which, WHICH, setgroup, setpriv, setpub) \ |
| 47 | static int pre##_ld##which(key_file *kf, key *k, key_data *d, \ |
| 48 | kdata *kd, dstr *t, dstr *e) \ |
| 49 | { \ |
| 50 | key_packstruct kps[TY##_##WHICH##FETCHSZ]; \ |
| 51 | key_packdef *kp; \ |
| 52 | ty##_##which p; \ |
| 53 | int rc; \ |
| 54 | \ |
| 55 | /* --- Initialize things we've not set up yet --- */ \ |
| 56 | \ |
| 57 | kd->grp = 0; kd->k = 0; kd->K = 0; \ |
| 58 | \ |
| 59 | /* --- Unpack the key --- */ \ |
| 60 | \ |
| 61 | kp = key_fetchinit(ty##_##which##fetch, kps, &p); \ |
| 62 | if ((rc = key_unpack(kp, d, t)) != 0) { \ |
| 63 | a_format(e, "unpack-failed", "%s", key_strerror(rc), A_END); \ |
| 64 | goto fail; \ |
| 65 | } \ |
| 66 | \ |
| 67 | /* --- Extract the pieces of the key --- */ \ |
| 68 | \ |
| 69 | setgroup; \ |
| 70 | setpriv; \ |
| 71 | setpub; \ |
| 72 | \ |
| 73 | /* --- We win --- */ \ |
| 74 | \ |
| 75 | rc = 0; \ |
| 76 | goto done; \ |
| 77 | \ |
| 78 | fail: \ |
| 79 | if (kd->grp) { \ |
| 80 | if (kd->K) pre##_freege(kd->grp, kd->K); \ |
| 81 | if (kd->k) pre##_freesc(kd->grp, kd->k); \ |
| 82 | pre##_freegrp(kd->grp); \ |
| 83 | } \ |
| 84 | rc = -1; \ |
| 85 | \ |
| 86 | done: \ |
| 87 | key_fetchdone(kp); \ |
| 88 | return (rc); \ |
| 89 | } |
| 90 | |
| 91 | #define KLOAD(pre, ty, TY, setgroup, setpriv, setpub) \ |
| 92 | static void pre##_freegrp(dhgrp *); \ |
| 93 | static void pre##_freesc(const dhgrp *, dhsc *); \ |
| 94 | static void pre##_freege(const dhgrp *, dhge *); \ |
| 95 | KLOAD_HALF(pre, ty, TY, priv, PRIV, setgroup, setpriv, setpub) \ |
| 96 | KLOAD_HALF(pre, ty, TY, pub, PUB, setgroup, { kd->k = 0; }, setpub) |
| 97 | |
| 98 | enum { DHSER_V0, DHSER_CONSTLEN }; |
| 99 | |
| 100 | static int get_serialization(key_file *kf, key *k, dstr *e) |
| 101 | { |
| 102 | const char *p = key_getattr(kf, k, "serialization"); |
| 103 | if (!p || strcmp(p, "v0") == 0) return (DHSER_V0); |
| 104 | else if (strcmp(p, "constlen") == 0) return (DHSER_CONSTLEN); |
| 105 | else { |
| 106 | a_format(e, "unknown-serialization-format", "%s", p, A_END); |
| 107 | return (-1); |
| 108 | } |
| 109 | } |
| 110 | |
| 111 | #ifndef NTRACE |
| 112 | static void setupstr(mptext_stringctx *sc) |
| 113 | { sc->buf = (char *)buf_u; sc->lim = sc->buf + sizeof(buf_u); } |
| 114 | |
| 115 | static const char *donestr(mptext_stringctx *sc) |
| 116 | { *sc->buf = 0; return ((const char *)buf_u); } |
| 117 | |
| 118 | static void addlitstr(const char *p, mptext_stringctx *sc) |
| 119 | { mptext_stringops.put(p, strlen(p), sc); } |
| 120 | |
| 121 | static void addmpstr(mp *x, int radix, mptext_stringctx *sc) |
| 122 | { |
| 123 | char b[12]; |
| 124 | |
| 125 | if (radix == 16) addlitstr("0x", sc); |
| 126 | else if (radix == 8) addlitstr("0", sc); |
| 127 | else if (radix != 10) { sprintf(b, "%d#", radix); addlitstr(b, sc); } |
| 128 | mp_write(x, radix, &mptext_stringops, sc); |
| 129 | } |
| 130 | |
| 131 | static const char *mpstr(mp *x, int radix) |
| 132 | { |
| 133 | mptext_stringctx sc; |
| 134 | |
| 135 | setupstr(&sc); |
| 136 | addmpstr(x, radix, &sc); |
| 137 | return (donestr(&sc)); |
| 138 | } |
| 139 | #endif |
| 140 | |
| 141 | /*----- Schnorr groups ----------------------------------------------------*/ |
| 142 | |
| 143 | typedef struct intdh_grp { |
| 144 | dhgrp _g; |
| 145 | mpmont mm; |
| 146 | mp *q, *G; |
| 147 | size_t gesz; |
| 148 | int ser; |
| 149 | } intdh_grp; |
| 150 | |
| 151 | typedef struct intdh_sc { mp *x; } intdh_sc; |
| 152 | typedef struct intdh_ge { mp *X; } intdh_ge; |
| 153 | |
| 154 | static dhgrp *intdh_mkgroup(key_file *kf, key *k, |
| 155 | const dh_param *dp, dstr *e) |
| 156 | { |
| 157 | intdh_grp *g; |
| 158 | int ser; |
| 159 | |
| 160 | if ((ser = get_serialization(kf, k, e)) < 0) return (0); |
| 161 | g = CREATE(intdh_grp); |
| 162 | g->ser = ser; |
| 163 | g->_g.scsz = mp_octets(dp->q); |
| 164 | g->gesz = mp_octets(dp->p); |
| 165 | mpmont_create(&g->mm, dp->p); |
| 166 | g->q = MP_COPY(dp->q); |
| 167 | g->G = mpmont_mul(&g->mm, MP_NEW, dp->g, g->mm.r2); |
| 168 | return (&g->_g); |
| 169 | } |
| 170 | |
| 171 | static dhsc *intdh_mptosc(const dhgrp *gg, mp *z) |
| 172 | { |
| 173 | const intdh_grp *g = (const intdh_grp *)gg; |
| 174 | intdh_sc *x = CREATE(intdh_sc); |
| 175 | x->x = MP_NEW; mp_div(0, &x->x, z, g->q); |
| 176 | return ((dhsc *)x); |
| 177 | } |
| 178 | |
| 179 | static dhge *intdh_mptoge(const dhgrp *gg, mp *z) |
| 180 | { |
| 181 | const intdh_grp *g = (const intdh_grp *)gg; |
| 182 | intdh_ge *Y = CREATE(intdh_ge); |
| 183 | mp *t = MP_NEW; mp_div(0, &t, z, g->mm.m); |
| 184 | Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2); |
| 185 | return ((dhge *)Y); |
| 186 | } |
| 187 | |
| 188 | KLOAD(intdh, dh, DH, |
| 189 | { if ((kd->grp = intdh_mkgroup(kf, k, &p.dp, e)) == 0) goto fail; }, |
| 190 | { kd->k = intdh_mptosc(kd->grp, p.x); }, |
| 191 | { kd->K = intdh_mptoge(kd->grp, p.y); }) |
| 192 | |
| 193 | static const char *intdh_checkgrp(const dhgrp *gg) |
| 194 | { |
| 195 | const intdh_grp *g = (const intdh_grp *)gg; |
| 196 | mp *t = MP_NEW; |
| 197 | |
| 198 | if (!pgen_primep(g->mm.m, &rand_global)) return ("p is not prime"); |
| 199 | if (!pgen_primep(g->q, &rand_global)) return ("q is not prime"); |
| 200 | mp_div(0, &t, g->mm.m, g->q); |
| 201 | if (!MP_EQ(t, MP_ONE)) return ("q is not a subgroup order"); |
| 202 | t = mpmont_expr(&g->mm, t, g->G, g->q); |
| 203 | if (!MP_EQ(t, g->mm.r)) return ("g not in the subgroup"); |
| 204 | return (0); |
| 205 | } |
| 206 | |
| 207 | static void intdh_grpinfo(const dhgrp *gg, admin *adm) |
| 208 | { |
| 209 | const intdh_grp *g = (const intdh_grp *)gg; |
| 210 | a_info(adm, |
| 211 | "kx-group=prime", |
| 212 | "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->q), |
| 213 | "kx-group-elt-bits=%lu", (unsigned long)mp_bits(g->mm.m), |
| 214 | A_END); |
| 215 | } |
| 216 | |
| 217 | #ifndef NTRACE |
| 218 | static void intdh_tracegrp(const dhgrp *gg) |
| 219 | { |
| 220 | const intdh_grp *g = (const intdh_grp *)gg; |
| 221 | mp *t = MP_NEW; |
| 222 | trace(T_CRYPTO, "crypto: group type `dh'"); |
| 223 | trace(T_CRYPTO, "crypto: p = %s", mpstr(g->mm.m, 10)); |
| 224 | trace(T_CRYPTO, "crypto: q = %s", mpstr(g->q, 10)); |
| 225 | t = mpmont_reduce(&g->mm, t, g->G); |
| 226 | trace(T_CRYPTO, "crypto: g = %s", mpstr(t, 10)); |
| 227 | MP_DROP(t); |
| 228 | } |
| 229 | #endif |
| 230 | |
| 231 | static int intdh_samegrpp(const dhgrp *gg, const dhgrp *hh) |
| 232 | { |
| 233 | const intdh_grp *g = (const intdh_grp *)gg, *h = (const intdh_grp *)hh; |
| 234 | return (MP_EQ(g->mm.m, h->mm.m) && |
| 235 | MP_EQ(g->q, h->q) && MP_EQ(g->G, h->G) && |
| 236 | g->ser == h->ser); |
| 237 | } |
| 238 | |
| 239 | static void intdh_freegrp(dhgrp *gg) |
| 240 | { |
| 241 | intdh_grp *g = (intdh_grp *)gg; |
| 242 | mpmont_destroy(&g->mm); MP_DROP(g->q); MP_DROP(g->G); |
| 243 | DESTROY(g); |
| 244 | } |
| 245 | |
| 246 | static dhsc *intdh_ldsc(const dhgrp *gg, const void *p, size_t sz) |
| 247 | { const intdh_grp *g = (const intdh_grp *)gg; |
| 248 | intdh_sc *x = CREATE(intdh_sc); |
| 249 | mp *t = mp_loadb(MP_NEW, p, sz); |
| 250 | mp_div(0, &t, t, g->q); x->x = t; |
| 251 | return ((dhsc *)x); |
| 252 | } |
| 253 | |
| 254 | static int intdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx) |
| 255 | { |
| 256 | const intdh_sc *x = (const intdh_sc *)xx; |
| 257 | mp_storeb(x->x, p, sz); |
| 258 | return (0); |
| 259 | } |
| 260 | |
| 261 | static dhsc *intdh_randsc(const dhgrp *gg) |
| 262 | { |
| 263 | const intdh_grp *g = (const intdh_grp *)gg; |
| 264 | intdh_sc *x = CREATE(intdh_sc); |
| 265 | x->x = mprand_range(MP_NEW, g->q, &rand_global, 0); |
| 266 | return ((dhsc *)x); |
| 267 | } |
| 268 | |
| 269 | #ifndef NTRACE |
| 270 | static const char *intdh_scstr(const dhgrp *gg, const dhsc *xx) |
| 271 | { const intdh_sc *x = (const intdh_sc *)xx; return (mpstr(x->x, 10)); } |
| 272 | #endif |
| 273 | |
| 274 | static void intdh_freesc(const dhgrp *gg, dhsc *xx) |
| 275 | { |
| 276 | intdh_sc *x = (intdh_sc *)xx; |
| 277 | MP_DROP(x->x); DESTROY(x); |
| 278 | } |
| 279 | |
| 280 | static dhge *intdh_ldge(const dhgrp *gg, buf *b, int fmt) |
| 281 | { |
| 282 | const intdh_grp *g = (const intdh_grp *)gg; |
| 283 | intdh_ge *Y; |
| 284 | mp *t; |
| 285 | const octet *p; |
| 286 | |
| 287 | switch (fmt) { |
| 288 | case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std; |
| 289 | case DHFMT_VAR: |
| 290 | if ((t = buf_getmp(b)) == 0) return (0); |
| 291 | break; |
| 292 | case DHFMT_STD: std: |
| 293 | if ((p = buf_get(b, g->gesz)) == 0) return (0); |
| 294 | t = mp_loadb(MP_NEW, p, g->gesz); |
| 295 | break; |
| 296 | default: |
| 297 | abort(); |
| 298 | } |
| 299 | Y = CREATE(intdh_ge); |
| 300 | mp_div(0, &t, t, g->mm.m); |
| 301 | Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2); |
| 302 | return ((dhge *)Y); |
| 303 | } |
| 304 | |
| 305 | static int intdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt) |
| 306 | { |
| 307 | const intdh_grp *g = (const intdh_grp *)gg; |
| 308 | const intdh_ge *Y = (const intdh_ge *)YY; |
| 309 | octet *p; |
| 310 | mp *t; |
| 311 | int rc; |
| 312 | |
| 313 | t = mpmont_reduce(&g->mm, MP_NEW, Y->X); |
| 314 | switch (fmt) { |
| 315 | case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std; |
| 316 | case DHFMT_VAR: |
| 317 | rc = buf_putmp(b, t); |
| 318 | break; |
| 319 | case DHFMT_STD: std: |
| 320 | if ((p = buf_get(b, g->gesz)) == 0) |
| 321 | rc = -1; |
| 322 | else { |
| 323 | mp_storeb(t, p, g->gesz); |
| 324 | rc = 0; |
| 325 | } |
| 326 | break; |
| 327 | default: |
| 328 | abort(); |
| 329 | } |
| 330 | MP_DROP(t); |
| 331 | return (rc); |
| 332 | } |
| 333 | |
| 334 | static int intdh_checkge(const dhgrp *gg, const dhge *YY) |
| 335 | { |
| 336 | const intdh_grp *g = (const intdh_grp *)gg; |
| 337 | const intdh_ge *Y = (const intdh_ge *)YY; |
| 338 | mp *T; |
| 339 | int rc = 0; |
| 340 | |
| 341 | if (MP_EQ(Y->X, g->mm.r)) rc = -1; |
| 342 | T = mpmont_expr(&g->mm, MP_NEW, Y->X, g->q); |
| 343 | if (!MP_EQ(T, g->mm.r)) rc = -1; |
| 344 | MP_DROP(T); |
| 345 | return (rc); |
| 346 | } |
| 347 | |
| 348 | static int intdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ) |
| 349 | { |
| 350 | const intdh_ge *Y = (const intdh_ge *)YY, *Z = (const intdh_ge *)ZZ; |
| 351 | return (MP_EQ(Y->X, Z->X)); |
| 352 | } |
| 353 | |
| 354 | static dhge *intdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY) |
| 355 | { |
| 356 | const intdh_grp *g = (const intdh_grp *)gg; |
| 357 | const intdh_sc *x = (const intdh_sc *)xx; |
| 358 | const intdh_ge *Y = (const intdh_ge *)YY; |
| 359 | intdh_ge *Z = CREATE(intdh_ge); |
| 360 | |
| 361 | Z->X = mpmont_expr(&g->mm, MP_NEW, Y ? Y->X : g->G, x->x); |
| 362 | return ((dhge *)Z); |
| 363 | } |
| 364 | |
| 365 | #ifndef NTRACE |
| 366 | static const char *intdh_gestr(const dhgrp *gg, const dhge *YY) |
| 367 | { |
| 368 | const intdh_grp *g = (const intdh_grp *)gg; |
| 369 | const intdh_ge *Y = (const intdh_ge *)YY; |
| 370 | mp *t = mpmont_reduce(&g->mm, MP_NEW, Y->X); |
| 371 | const char *p = mpstr(t, 10); |
| 372 | MP_DROP(t); |
| 373 | return (p); |
| 374 | } |
| 375 | #endif |
| 376 | |
| 377 | static void intdh_freege(const dhgrp *gg, dhge *YY) |
| 378 | { intdh_ge *Y = (intdh_ge *)YY; MP_DROP(Y->X); DESTROY(Y); } |
| 379 | |
| 380 | /*----- Elliptic curve groups ---------------------------------------------*/ |
| 381 | |
| 382 | typedef struct ecdh_grp { |
| 383 | dhgrp _g; |
| 384 | ec_info ei; |
| 385 | ec P; |
| 386 | int ser; |
| 387 | } ecdh_grp; |
| 388 | |
| 389 | typedef struct ecdh_sc { mp *x; } ecdh_sc; |
| 390 | typedef struct ecdh_ge { ec Q; } ecdh_ge; |
| 391 | |
| 392 | static dhgrp *ecdh_mkgroup(key_file *kf, key *k, const char *cstr, dstr *e) |
| 393 | { |
| 394 | ecdh_grp *g; |
| 395 | ec_info ei; |
| 396 | int ser; |
| 397 | const char *err; |
| 398 | |
| 399 | if ((ser = get_serialization(kf, k, e)) < 0) return (0); |
| 400 | if ((err = ec_getinfo(&ei, cstr)) != 0) { |
| 401 | a_format(e, "decode-failed", "%s", err, A_END); |
| 402 | return (0); |
| 403 | } |
| 404 | g = CREATE(ecdh_grp); |
| 405 | g->ser = ser; |
| 406 | g->ei = ei; |
| 407 | EC_CREATE(&g->P); EC_IN(g->ei.c, &g->P, &g->ei.g); |
| 408 | g->_g.scsz = mp_octets(g->ei.r); |
| 409 | return (&g->_g); |
| 410 | } |
| 411 | |
| 412 | static dhsc *ecdh_mptosc(const dhgrp *gg, mp *z) |
| 413 | { |
| 414 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 415 | ecdh_sc *x = CREATE(ecdh_sc); |
| 416 | x->x = MP_NEW; mp_div(0, &x->x, z, g->ei.r); |
| 417 | return ((dhsc *)x); |
| 418 | } |
| 419 | |
| 420 | static dhge *ecdh_ectoge(const dhgrp *gg, ec *Q) |
| 421 | { |
| 422 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 423 | ecdh_ge *Y = CREATE(ecdh_ge); EC_CREATE(&Y->Q); |
| 424 | EC_IN(g->ei.c, &Y->Q, Q); |
| 425 | if (EC_CHECK(g->ei.c, &Y->Q)) |
| 426 | { EC_DESTROY(&Y->Q); DESTROY(Y); return (0); } |
| 427 | return ((dhge *)Y); |
| 428 | } |
| 429 | |
| 430 | KLOAD(ecdh, ec, EC, |
| 431 | { if ((kd->grp = ecdh_mkgroup(kf, k, p.cstr, e)) == 0) goto fail; }, |
| 432 | { kd->k = ecdh_mptosc(kd->grp, p.x); }, |
| 433 | { if ((kd->K = ecdh_ectoge(kd->grp, &p.p)) == 0) { |
| 434 | a_format(e, "bad-public-vector", A_END); |
| 435 | goto fail; |
| 436 | } |
| 437 | }) |
| 438 | |
| 439 | static const char *ecdh_checkgrp(const dhgrp *gg) |
| 440 | { |
| 441 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 442 | return (ec_checkinfo(&g->ei, &rand_global)); |
| 443 | } |
| 444 | |
| 445 | static void ecdh_grpinfo(const dhgrp *gg, admin *adm) |
| 446 | { |
| 447 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 448 | a_info(adm, |
| 449 | "kx-group=ec", |
| 450 | "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->ei.r), |
| 451 | "kx-group-elt-bits=%lu", (unsigned long)2*g->ei.c->f->nbits, |
| 452 | A_END); |
| 453 | } |
| 454 | |
| 455 | #ifndef NTRACE |
| 456 | static void addfestr(field *f, mp *x, mptext_stringctx *sc) |
| 457 | { addmpstr(x, F_TYPE(f) == FTY_PRIME ? 10 : 16, sc); } |
| 458 | |
| 459 | static void addintfestr(field *f, mp *x, mptext_stringctx *sc) |
| 460 | { mp *t = F_OUT(f, MP_NEW, x); addfestr(f, x, sc); MP_DROP(t); } |
| 461 | |
| 462 | static const char *intfestr(field *f, mp *x) |
| 463 | { |
| 464 | mptext_stringctx sc; |
| 465 | setupstr(&sc); |
| 466 | addintfestr(f, x, &sc); |
| 467 | return (donestr(&sc)); |
| 468 | } |
| 469 | |
| 470 | static void ecdh_tracegrp(const dhgrp *gg) |
| 471 | { |
| 472 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 473 | const ec_curve *c = g->ei.c; |
| 474 | field *f = c->f; |
| 475 | |
| 476 | trace(T_CRYPTO, "crypto: group type `ec'"); |
| 477 | switch (F_TYPE(f)) { |
| 478 | case FTY_PRIME: |
| 479 | trace(T_CRYPTO, "crypto: prime field `%s'", F_NAME(f)); |
| 480 | trace(T_CRYPTO, "crypto: p = %s", mpstr(f->q, 10)); |
| 481 | break; |
| 482 | case FTY_BINARY: |
| 483 | trace(T_CRYPTO, "crypto: binary field `%s'", F_NAME(f)); |
| 484 | trace(T_CRYPTO, "crypto: degree = %lu", f->nbits - 1); |
| 485 | break; |
| 486 | default: |
| 487 | trace(T_CRYPTO, "crypto: unknown field type! `%s'", F_NAME(f)); |
| 488 | break; |
| 489 | } |
| 490 | trace(T_CRYPTO, "crypto: curve type `%s'", EC_NAME(c)); |
| 491 | trace(T_CRYPTO, "crypto: curve a = %s", intfestr(f, c->a)); |
| 492 | trace(T_CRYPTO, "crypto: curve b = %s", intfestr(f, c->b)); |
| 493 | trace(T_CRYPTO, "crypto: n = %s", mpstr(g->ei.r, 10)); |
| 494 | trace(T_CRYPTO, "crypto: h = %s", mpstr(g->ei.h, 10)); |
| 495 | } |
| 496 | #endif |
| 497 | |
| 498 | static int ecdh_samegrpp(const dhgrp *gg, const dhgrp *hh) |
| 499 | { |
| 500 | const ecdh_grp *g = (const ecdh_grp *)gg, *h = (const ecdh_grp *)hh; |
| 501 | return (ec_sameinfop(&g->ei, &h->ei) && |
| 502 | g->ser == h->ser); |
| 503 | } |
| 504 | |
| 505 | static void ecdh_freegrp(dhgrp *gg) |
| 506 | { |
| 507 | ecdh_grp *g = (ecdh_grp *)gg; |
| 508 | EC_DESTROY(&g->P); ec_freeinfo(&g->ei); |
| 509 | DESTROY(g); |
| 510 | } |
| 511 | |
| 512 | static dhsc *ecdh_ldsc(const dhgrp *gg, const void *p, size_t sz) |
| 513 | { |
| 514 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 515 | ecdh_sc *x = CREATE(ecdh_sc); |
| 516 | mp *t = mp_loadb(MP_NEW, p, sz); |
| 517 | mp_div(0, &t, t, g->ei.r); x->x = t; |
| 518 | return ((dhsc *)x); |
| 519 | } |
| 520 | |
| 521 | static int ecdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx) |
| 522 | { |
| 523 | const ecdh_sc *x = (const ecdh_sc *)xx; |
| 524 | mp_storeb(x->x, p, sz); |
| 525 | return (0); |
| 526 | } |
| 527 | |
| 528 | static dhsc *ecdh_randsc(const dhgrp *gg) |
| 529 | { |
| 530 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 531 | ecdh_sc *x = CREATE(ecdh_sc); |
| 532 | x->x = mprand_range(MP_NEW, g->ei.r, &rand_global, 0); |
| 533 | return ((dhsc *)x); |
| 534 | } |
| 535 | |
| 536 | #ifndef NTRACE |
| 537 | static const char *ecdh_scstr(const dhgrp *gg, const dhsc *xx) |
| 538 | { |
| 539 | const ecdh_sc *x = (const ecdh_sc *)xx; |
| 540 | return (mpstr(x->x, 10)); |
| 541 | } |
| 542 | #endif |
| 543 | |
| 544 | static void ecdh_freesc(const dhgrp *gg, dhsc *xx) |
| 545 | { ecdh_sc *x = (ecdh_sc *)xx; MP_DROP(x->x); DESTROY(x); } |
| 546 | |
| 547 | static dhge *ecdh_ldge(const dhgrp *gg, buf *b, int fmt) |
| 548 | { |
| 549 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 550 | ecdh_ge *Y; |
| 551 | ec T = EC_INIT; |
| 552 | |
| 553 | switch (fmt) { |
| 554 | case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std; |
| 555 | case DHFMT_VAR: if (buf_getec(b, &T)) return (0); break; |
| 556 | case DHFMT_STD: std: if (ec_getraw(g->ei.c, b, &T)) return (0); break; |
| 557 | default: |
| 558 | abort(); |
| 559 | } |
| 560 | EC_IN(g->ei.c, &T, &T); |
| 561 | Y = CREATE(ecdh_ge); Y->Q = T; |
| 562 | return ((dhge *)Y); |
| 563 | } |
| 564 | |
| 565 | static int ecdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt) |
| 566 | { |
| 567 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 568 | const ecdh_ge *Y = (const ecdh_ge *)YY; |
| 569 | ec T = EC_INIT; |
| 570 | int rc; |
| 571 | |
| 572 | EC_OUT(g->ei.c, &T, &Y->Q); |
| 573 | switch (fmt) { |
| 574 | case DHFMT_HASH: if (g->ser == DHSER_CONSTLEN) goto std; |
| 575 | case DHFMT_VAR: rc = buf_putec(b, &T); break; |
| 576 | case DHFMT_STD: std: rc = ec_putraw(g->ei.c, b, &T); break; |
| 577 | default: abort(); |
| 578 | } |
| 579 | EC_DESTROY(&T); |
| 580 | return (rc); |
| 581 | } |
| 582 | |
| 583 | static int ecdh_checkge(const dhgrp *gg, const dhge *YY) |
| 584 | { |
| 585 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 586 | const ecdh_ge *Y = (const ecdh_ge *)YY; |
| 587 | ec T = EC_INIT; |
| 588 | int rc = 0; |
| 589 | |
| 590 | if (EC_ATINF(&Y->Q)) rc = -1; |
| 591 | ec_imul(g->ei.c, &T, &Y->Q, g->ei.r); |
| 592 | if (!EC_ATINF(&T)) rc = -1; |
| 593 | EC_DESTROY(&T); |
| 594 | return (rc); |
| 595 | } |
| 596 | |
| 597 | static int ecdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ) |
| 598 | { |
| 599 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 600 | const ecdh_ge *Y = (const ecdh_ge *)YY, *Z = (const ecdh_ge *)ZZ; |
| 601 | ec T = EC_INIT, U = EC_INIT; int rc; |
| 602 | EC_FIX(g->ei.c, &T, &Y->Q); EC_FIX(g->ei.c, &U, &Z->Q); |
| 603 | rc = EC_EQ(&T, &U); |
| 604 | EC_DESTROY(&T); EC_DESTROY(&U); |
| 605 | return (rc); |
| 606 | } |
| 607 | |
| 608 | static dhge *ecdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY) |
| 609 | { |
| 610 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 611 | const ecdh_sc *x = (const ecdh_sc *)xx; |
| 612 | const ecdh_ge *Y = (const ecdh_ge *)YY; |
| 613 | ecdh_ge *Z = CREATE(ecdh_ge); EC_CREATE(&Z->Q); |
| 614 | |
| 615 | ec_imul(g->ei.c, &Z->Q, Y ? &Y->Q : &g->P, x->x); |
| 616 | return ((dhge *)Z); |
| 617 | } |
| 618 | |
| 619 | #ifndef NTRACE |
| 620 | static const char *ecdh_gestr(const dhgrp *gg, const dhge *YY) |
| 621 | { |
| 622 | const ecdh_grp *g = (const ecdh_grp *)gg; |
| 623 | const ecdh_ge *Y = (const ecdh_ge *)YY; |
| 624 | ec T = EC_INIT; |
| 625 | field *f = g->ei.c->f; |
| 626 | mptext_stringctx sc; |
| 627 | |
| 628 | if (EC_ATINF(&Y->Q)) return ("inf"); |
| 629 | setupstr(&sc); |
| 630 | EC_OUT(g->ei.c, &T, &Y->Q); |
| 631 | addfestr(f, T.x, &sc); |
| 632 | addlitstr(", ", &sc); |
| 633 | addfestr(f, T.y, &sc); |
| 634 | EC_DESTROY(&T); |
| 635 | return (donestr(&sc)); |
| 636 | } |
| 637 | #endif |
| 638 | |
| 639 | static void ecdh_freege(const dhgrp *gg, dhge *YY) |
| 640 | { ecdh_ge *Y = (ecdh_ge *)YY; EC_DESTROY(&Y->Q); DESTROY(Y); } |
| 641 | |
| 642 | /*----- The X25519 and similar groups -------------------------------------*/ |
| 643 | |
| 644 | #define XDHS(_) \ |
| 645 | _(x25519, X25519, "curve25519", 252, 255) \ |
| 646 | _(x448, X448, "ed448-goldilocks", 446, 448) |
| 647 | |
| 648 | #ifdef NTRACE |
| 649 | # define XDHTRACE(xdh, XDH, gname) |
| 650 | #else |
| 651 | |
| 652 | static const char *binstr(const octet *p, size_t sz) |
| 653 | { |
| 654 | char *q; |
| 655 | |
| 656 | for (q = (char *)buf_u; sz--; p++, q += 2) sprintf(q, "%02x", *p); |
| 657 | return ((const char *)buf_u); |
| 658 | } |
| 659 | |
| 660 | # define XDHTRACE(xdh, XDH, gname) \ |
| 661 | static void xdh##_tracegrp(const dhgrp *g) \ |
| 662 | { trace(T_CRYPTO, "crypto: group type `" gname "'"); } \ |
| 663 | \ |
| 664 | static const char *xdh##_scstr(const dhgrp *g, const dhsc *xx) \ |
| 665 | { \ |
| 666 | const xdh##_sc *x = (const xdh##_sc *)xx; \ |
| 667 | return (binstr(x->x, XDH##_KEYSZ)); \ |
| 668 | } \ |
| 669 | \ |
| 670 | static const char *xdh##_gestr(const dhgrp *g, const dhge *YY) \ |
| 671 | { \ |
| 672 | const xdh##_ge *Y = (const xdh##_ge *)YY; \ |
| 673 | return (binstr(Y->X, XDH##_PUBSZ)); \ |
| 674 | } |
| 675 | #endif |
| 676 | |
| 677 | #define XDHDEF(xdh, XDH, gname, groupbits, fieldbits) \ |
| 678 | \ |
| 679 | typedef struct xdh##_sc { octet x[XDH##_KEYSZ]; } xdh##_sc; \ |
| 680 | typedef struct xdh##_ge { octet X[XDH##_PUBSZ]; } xdh##_ge; \ |
| 681 | \ |
| 682 | XDHTRACE(xdh, XDH, gname) \ |
| 683 | \ |
| 684 | static dhsc *xdh##_bintosc(const key_bin *b) \ |
| 685 | { \ |
| 686 | xdh##_sc *x; \ |
| 687 | \ |
| 688 | if (b->sz != XDH##_KEYSZ) return (0); \ |
| 689 | x = CREATE(xdh##_sc); \ |
| 690 | memcpy(x->x, b->k, XDH##_KEYSZ); \ |
| 691 | return ((dhsc *)x); \ |
| 692 | } \ |
| 693 | \ |
| 694 | static dhge *xdh##_bintoge(const key_bin *b) \ |
| 695 | { \ |
| 696 | xdh##_ge *Y; \ |
| 697 | \ |
| 698 | if (b->sz != XDH##_PUBSZ) return (0); \ |
| 699 | Y = CREATE(xdh##_ge); \ |
| 700 | memcpy(Y->X, b->k, XDH##_PUBSZ); \ |
| 701 | return ((dhge *)Y); \ |
| 702 | } \ |
| 703 | \ |
| 704 | KLOAD(xdh, xdh, XDH, \ |
| 705 | { kd->grp = CREATE(dhgrp); kd->grp->scsz = 32; }, \ |
| 706 | { if ((kd->k = xdh##_bintosc(&p.priv)) == 0) { \ |
| 707 | a_format(e, "bad-private-key", A_END); \ |
| 708 | goto fail; \ |
| 709 | } \ |
| 710 | }, \ |
| 711 | { if ((kd->K = xdh##_bintoge(&p.pub)) == 0) { \ |
| 712 | a_format(e, "bad-public-vector", A_END); \ |
| 713 | goto fail; \ |
| 714 | } \ |
| 715 | }) \ |
| 716 | \ |
| 717 | static const char *xdh##_checkgrp(const dhgrp *g) \ |
| 718 | { return (0); } \ |
| 719 | \ |
| 720 | static void xdh##_grpinfo(const dhgrp *g, admin *adm) \ |
| 721 | { \ |
| 722 | a_info(adm, \ |
| 723 | "kx-group=" gname, \ |
| 724 | "kx-group-order-bits=%d", (groupbits), \ |
| 725 | "kx-group-elt-bits=%d", (fieldbits), \ |
| 726 | A_END); \ |
| 727 | } \ |
| 728 | \ |
| 729 | static int xdh##_samegrpp(const dhgrp *g, const dhgrp *hh) \ |
| 730 | { return (1); } \ |
| 731 | \ |
| 732 | static void xdh##_freegrp(dhgrp *g) \ |
| 733 | { DESTROY(g); } \ |
| 734 | \ |
| 735 | static dhsc *xdh##_ldsc(const dhgrp *g, const void *p, size_t sz) \ |
| 736 | { \ |
| 737 | xdh##_sc *x; \ |
| 738 | if (sz != XDH##_KEYSZ) return (0); \ |
| 739 | x = CREATE(xdh##_sc); \ |
| 740 | memcpy(x->x, p, XDH##_KEYSZ); \ |
| 741 | return ((dhsc *)x); \ |
| 742 | } \ |
| 743 | \ |
| 744 | static int xdh##_stsc(const dhgrp *g, void *p, size_t sz, \ |
| 745 | const dhsc *xx) \ |
| 746 | { \ |
| 747 | const xdh##_sc *x = (const xdh##_sc *)xx; \ |
| 748 | if (sz != XDH##_KEYSZ) return (-1); \ |
| 749 | memcpy(p, x->x, XDH##_KEYSZ); \ |
| 750 | return (0); \ |
| 751 | } \ |
| 752 | \ |
| 753 | static dhsc *xdh##_randsc(const dhgrp *g) \ |
| 754 | { \ |
| 755 | xdh##_sc *x = CREATE(xdh##_sc); \ |
| 756 | rand_get(RAND_GLOBAL, x->x, XDH##_KEYSZ); \ |
| 757 | return ((dhsc *)x); \ |
| 758 | } \ |
| 759 | \ |
| 760 | static void xdh##_freesc(const dhgrp *g, dhsc *xx) \ |
| 761 | { xdh##_sc *x = (xdh##_sc *)xx; DESTROY(x); } \ |
| 762 | \ |
| 763 | static dhge *xdh##_ldge(const dhgrp *g, buf *b, int fmt) \ |
| 764 | { \ |
| 765 | xdh##_ge *Y; \ |
| 766 | const octet *p; \ |
| 767 | \ |
| 768 | if ((p = buf_get(b, XDH##_PUBSZ)) == 0) return (0); \ |
| 769 | Y = CREATE(xdh##_ge); memcpy(Y->X, p, XDH##_PUBSZ); \ |
| 770 | return ((dhge *)Y); \ |
| 771 | } \ |
| 772 | \ |
| 773 | static int xdh##_stge(const dhgrp *g, buf *b, \ |
| 774 | const dhge *YY, int fmt) \ |
| 775 | { \ |
| 776 | const xdh##_ge *Y = (const xdh##_ge *)YY; \ |
| 777 | return (buf_put(b, Y->X, XDH##_PUBSZ)); \ |
| 778 | } \ |
| 779 | \ |
| 780 | static int xdh##_checkge(const dhgrp *g, const dhge *YY) \ |
| 781 | { return (0); } \ |
| 782 | \ |
| 783 | static int xdh##_eq(const dhgrp *g, const dhge *YY, const dhge *ZZ) \ |
| 784 | { \ |
| 785 | const xdh##_ge \ |
| 786 | *Y = (const xdh##_ge *)YY, *Z = (const xdh##_ge *)ZZ; \ |
| 787 | return (ct_memeq(Y->X, Z->X, XDH##_PUBSZ)); \ |
| 788 | } \ |
| 789 | \ |
| 790 | static dhge *xdh##_mul(const dhgrp *g, \ |
| 791 | const dhsc *xx, const dhge *YY) \ |
| 792 | { \ |
| 793 | const xdh##_sc *x = (const xdh##_sc *)xx; \ |
| 794 | const xdh##_ge *Y = (const xdh##_ge *)YY; \ |
| 795 | xdh##_ge *Z = CREATE(xdh##_ge); \ |
| 796 | \ |
| 797 | xdh(Z->X, x->x, Y ? Y->X : xdh##_base); \ |
| 798 | return ((dhge *)Z); \ |
| 799 | } \ |
| 800 | \ |
| 801 | static void xdh##_freege(const dhgrp *g, dhge *YY) \ |
| 802 | { xdh##_ge *Y = (xdh##_ge *)YY; DESTROY(Y); } |
| 803 | |
| 804 | XDHS(XDHDEF) |
| 805 | |
| 806 | #undef XDHDEF |
| 807 | |
| 808 | /*----- Diffie--Hellman group table ---------------------------------------*/ |
| 809 | |
| 810 | const dhops dhtab[] = { |
| 811 | |
| 812 | #define COMMA , |
| 813 | |
| 814 | #define DH(name, pre) \ |
| 815 | { name, pre##_ldpriv, pre##_ldpub, pre##_checkgrp, \ |
| 816 | pre##_grpinfo, T( pre##_tracegrp COMMA ) pre##_samegrpp, \ |
| 817 | pre##_freegrp, \ |
| 818 | pre##_ldsc, pre##_stsc, pre##_randsc, T( pre##_scstr COMMA ) \ |
| 819 | pre##_freesc, \ |
| 820 | pre##_ldge, pre##_stge, pre##_checkge, pre##_eq, pre##_mul, \ |
| 821 | T( pre##_gestr COMMA ) pre##_freege }, \ |
| 822 | |
| 823 | DH("dh", intdh) |
| 824 | DH("ec", ecdh) |
| 825 | |
| 826 | #define XDHDH(xdh, XDH, gname, groupbits, fieldbits) DH(#xdh, xdh) |
| 827 | XDHS(XDHDH) |
| 828 | #undef XDHDH |
| 829 | |
| 830 | #undef DH |
| 831 | |
| 832 | { 0 } |
| 833 | }; |
| 834 | |
| 835 | /*----- That's all, folks -------------------------------------------------*/ |