~mdw / tripe / blob
? search:


92e67c058b924269704eb12725a0bf4c119ae01f
[tripe] / server / bulkcrypto.c
1 /* -*-c-*-
2 *
3 * Bulk crypto transformations
4 *
5 * (c) 2014 Straylight/Edgeware
6 */
7
8 /*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software: you can redistribute it and/or modify it under
13 * the terms of the GNU General Public License as published by the Free
14 * Software Foundation; either version 3 of the License, or (at your
15 * option) any later version.
16 *
17 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
18 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
19 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE. If not, see <https://www.gnu.org/licenses/>.
24 */
25
26 /*----- Header files ------------------------------------------------------*/
27
28 #include "tripe.h"
29
30 /*----- Utilities ---------------------------------------------------------*/
31
32 #define SEQSZ 4 /* Size of sequence number packet */
33
34 #define TRACE_IV(qiv, ivsz) do { IF_TRACING(T_KEYSET, { \
35 trace_block(T_CRYPTO, "crypto: initialization vector", \
36 (qiv), (ivsz)); \
37 }) } while (0)
38
39 #define TRACE_CT(qpk, sz) do { IF_TRACING(T_KEYSET, { \
40 trace_block(T_CRYPTO, "crypto: encrypted packet", (qpk), (sz)); \
41 }) } while (0)
42
43 #define TRACE_MAC(qmac, tagsz) do { IF_TRACING(T_KEYSET, { \
44 trace_block(T_CRYPTO, "crypto: computed MAC", (qmac), (tagsz)); \
45 }) } while (0)
46
47 #define TRACE_MACERR(pmac, tagsz) do { IF_TRACING(T_KEYSET, { \
48 trace(T_KEYSET, "keyset: incorrect MAC: decryption failed"); \
49 trace_block(T_CRYPTO, "crypto: provided MAC", (pmac), (tagsz)); \
50 }) } while (0)
51
52 /* --- @derivekey@ --- *
53 *
54 * Arguments: @octet *k@ = pointer to an output buffer of at least
55 * @MAXHASHSZ@ bytes
56 * @size_t ksz@ = actual size wanted (for tracing)
57 * @const deriveargs@ = derivation parameters, as passed into
58 * @genkeys@
59 * @int dir@ = direction for the key (@DIR_IN@ or @DIR_OUT@)
60 * @const char *what@ = label for the key (input to derivation)
61 *
62 * Returns: ---
63 *
64 * Use: Derives a session key, for use on incoming or outgoing data.
65 */
66
67 static void derivekey(octet *k, size_t ksz, const deriveargs *a,
68 int dir, const char *what)
69 {
70 const gchash *hc = a->hc;
71 ghash *h;
72
73 assert(ksz <= hc->hashsz);
74 assert(hc->hashsz <= MAXHASHSZ);
75 h = GH_INIT(hc);
76 GH_HASH(h, a->what, strlen(a->what)); GH_HASH(h, what, strlen(what) + 1);
77 switch (dir) {
78 case DIR_IN:
79 if (a->x) GH_HASH(h, a->k, a->x);
80 if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x);
81 break;
82 case DIR_OUT:
83 if (a->y != a->x) GH_HASH(h, a->k + a->x, a->y - a->x);
84 if (a->x) GH_HASH(h, a->k, a->x);
85 break;
86 default:
87 abort();
88 }
89 GH_HASH(h, a->k + a->y, a->z - a->y);
90 GH_DONE(h, k);
91 GH_DESTROY(h);
92 IF_TRACING(T_KEYSET, { IF_TRACING(T_CRYPTO, {
93 char _buf[32];
94 sprintf(_buf, "crypto: %s key %s", dir ? "outgoing" : "incoming", what);
95 trace_block(T_CRYPTO, _buf, k, ksz);
96 }) })
97 }
98
99 /*----- Common functionality for generic-composition transforms -----------*/
100
101 #define CHECK_MAC(h, pmac, tagsz) do { \
102 ghash *_h = (h); \
103 const octet *_pmac = (pmac); \
104 size_t _tagsz = (tagsz); \
105 octet *_mac = GH_DONE(_h, 0); \
106 int _eq = ct_memeq(_mac, _pmac, _tagsz); \
107 TRACE_MAC(_mac, _tagsz); \
108 GH_DESTROY(_h); \
109 if (!_eq) { \
110 TRACE_MACERR(_pmac, _tagsz); \
111 return (KSERR_DECRYPT); \
112 } \
113 } while (0)
114
115 typedef struct gencomp_algs {
116 const gccipher *c; size_t cksz;
117 const gcmac *m; size_t mksz; size_t tagsz;
118 } gencomp_algs;
119
120 typedef struct gencomp_chal {
121 bulkchal _b;
122 gmac *m;
123 } gencomp_chal;
124
125 static int gencomp_getalgs(gencomp_algs *a, const algswitch *asw,
126 dstr *e, key_file *kf, key *k)
127 {
128 const char *p;
129 char *q, *qq;
130 unsigned long n;
131 dstr d = DSTR_INIT;
132 int rc = -1;
133
134 /* --- Symmetric encryption --- */
135
136 if ((p = key_getattr(kf, k, "cipher")) == 0) p = "blowfish-cbc";
137 if ((a->c = gcipher_byname(p)) == 0) {
138 a_format(e, "unknown-cipher", "%s", p, A_END);
139 goto done;
140 }
141
142 /* --- Message authentication --- */
143
144 if ((p = key_getattr(kf, k, "mac")) != 0) {
145 dstr_reset(&d);
146 dstr_puts(&d, p);
147 if ((q = strrchr(d.buf, '/')) != 0)
148 *q++ = 0;
149 if ((a->m = gmac_byname(d.buf)) == 0) {
150 a_format(e, "unknown-mac", "%s", d.buf, A_END);
151 goto done;
152 }
153 if (!q)
154 a->tagsz = a->m->hashsz;
155 else {
156 n = strtoul(q, &qq, 0);
157 if (*qq) {
158 a_format(e, "bad-tag-length-string", "%s", q, A_END);
159 goto done;
160 }
161 if (n%8 || n/8 > a->m->hashsz) {
162 a_format(e, "bad-tag-length", "%lu", n, A_END);
163 goto done;
164 }
165 a->tagsz = n/8;
166 }
167 } else {
168 dstr_reset(&d);
169 dstr_putf(&d, "%s-hmac", asw->h->name);
170 if ((a->m = gmac_byname(d.buf)) == 0) {
171 a_format(e, "no-hmac-for-hash", "%s", asw->h->name, A_END);
172 goto done;
173 }
174 a->tagsz = asw->h->hashsz/2;
175 }
176
177 rc = 0;
178 done:
179 dstr_destroy(&d);
180 return (rc);
181 }
182
183 #ifndef NTRACE
184 static void gencomp_tracealgs(const gencomp_algs *a)
185 {
186 trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
187 trace(T_CRYPTO, "crypto: mac = %s/%lu",
188 a->m->name, (unsigned long)a->tagsz * 8);
189 }
190 #endif
191
192 static int gencomp_checkalgs(gencomp_algs *a, const algswitch *asw, dstr *e)
193 {
194 /* --- Derive the key sizes --- *
195 *
196 * Must ensure that we have non-empty keys. This isn't ideal, but it
197 * provides a handy sanity check. Also must be based on a 64- or 128-bit
198 * block cipher or we can't do the data expiry properly.
199 */
200
201 if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
202 a_format(e, "cipher", "%s", a->c->name,
203 "no-key-size", "%lu", (unsigned long)asw->hashsz,
204 A_END);
205 return (-1);
206 }
207 if ((a->mksz = keysz(asw->hashsz, a->m->keysz)) == 0) {
208 a_format(e, "mac", "%s", a->m->name,
209 "no-key-size", "%lu", (unsigned long)asw->hashsz,
210 A_END);
211 return (-1);
212 }
213
214 return (0);
215 }
216
217 static void gencomp_alginfo(const gencomp_algs *a, admin *adm)
218 {
219 a_info(adm,
220 "cipher=%s", a->c->name,
221 "cipher-keysz=%lu", (unsigned long)a->cksz,
222 "cipher-blksz=%lu", (unsigned long)a->c->blksz,
223 A_END);
224 a_info(adm,
225 "mac=%s", a->m->name,
226 "mac-keysz=%lu", (unsigned long)a->mksz,
227 "mac-tagsz=%lu", (unsigned long)a->tagsz,
228 A_END);
229 }
230
231 static int gencomp_samealgsp(const gencomp_algs *a, const gencomp_algs *aa)
232 {
233 return (a->c == aa->c &&
234 a->m == aa->m && a->tagsz == aa->tagsz);
235 }
236
237 static size_t gencomp_expsz(const gencomp_algs *a)
238 { return (a->c->blksz < 16 ? MEG(64) : MEG(2048)); }
239
240 static bulkchal *gencomp_genchal(const gencomp_algs *a)
241 {
242 gencomp_chal *gc = CREATE(gencomp_chal);
243
244 rand_get(RAND_GLOBAL, buf_t, a->mksz);
245 gc->m = GM_KEY(a->m, buf_t, a->mksz);
246 gc->_b.tagsz = a->tagsz;
247 IF_TRACING(T_CHAL, {
248 trace(T_CHAL, "chal: generated new challenge key");
249 trace_block(T_CRYPTO, "chal: new key", buf_t, a->mksz);
250 })
251 return (&gc->_b);
252 }
253
254 static int gencomp_chaltag(bulkchal *bc, const void *m, size_t msz,
255 uint32 seq, void *t)
256 {
257 gencomp_chal *gc = (gencomp_chal *)bc;
258 ghash *h = GM_INIT(gc->m);
259
260 GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz);
261 memcpy(t, GH_DONE(h, 0), bc->tagsz);
262 GH_DESTROY(h);
263 return (0);
264 }
265
266 static int gencomp_chalvrf(bulkchal *bc, const void *m, size_t msz,
267 uint32 seq, const void *t)
268 {
269 gencomp_chal *gc = (gencomp_chal *)bc;
270 ghash *h = GM_INIT(gc->m);
271 int ok;
272
273 GH_HASHU32(h, seq); if (msz) GH_HASH(h, m, msz);
274 ok = ct_memeq(GH_DONE(h, 0), t, gc->_b.tagsz);
275 GH_DESTROY(h);
276 return (ok ? 0 : -1);
277 }
278
279 static void gencomp_freechal(bulkchal *bc)
280 { gencomp_chal *gc = (gencomp_chal *)bc; GM_DESTROY(gc->m); DESTROY(gc); }
281
282 /*----- The original transform --------------------------------------------*
283 *
284 * We generate a random initialization vector (if the cipher needs one). We
285 * encrypt the input message with the cipher, and format the type, sequence
286 * number, IV, and ciphertext as follows.
287 *
288 * +--------+ +--------+---...---+------...------+
289 * | type | | seq | iv | ciphertext |
290 * +--------+ +--------+---...---+------...------+
291 * 32 32 blksz sz
292 *
293 * All of this is fed into the MAC to compute a tag. The type is not
294 * transmitted: the other end knows what type of message it expects, and the
295 * type is only here to prevent us from being confused because some other
296 * kind of ciphertext has been substituted. The tag is prepended to the
297 * remainder, to yield the finished cryptogram, as follows.
298 *
299 * +---...---+--------+---...---+------...------+
300 * | tag | seq | iv | ciphertext |
301 * +---...---+--------+---...---+------...------+
302 * tagsz 32 blksz sz
303 *
304 * Decryption: checks the overall size, verifies the tag, then decrypts the
305 * ciphertext and extracts the sequence number.
306 */
307
308 typedef struct v0_algs {
309 bulkalgs _b;
310 gencomp_algs ga;
311 } v0_algs;
312
313 typedef struct v0_ctx {
314 bulkctx _b;
315 size_t tagsz;
316 struct {
317 gcipher *c;
318 gmac *m;
319 } d[NDIR];
320 } v0_ctx;
321
322 static bulkalgs *v0_getalgs(const algswitch *asw, dstr *e,
323 key_file *kf, key *k)
324 {
325 v0_algs *a = CREATE(v0_algs);
326 if (gencomp_getalgs(&a->ga, asw, e, kf, k)) { DESTROY(a); return (0); }
327 return (&a->_b);
328 }
329
330 #ifndef NTRACE
331 static void v0_tracealgs(const bulkalgs *aa)
332 { const v0_algs *a = (const v0_algs *)aa; gencomp_tracealgs(&a->ga); }
333 #endif
334
335 static int v0_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
336 {
337 v0_algs *a = (v0_algs *)aa;
338 if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
339 return (0);
340 }
341
342 static int v0_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
343 {
344 const v0_algs *a = (const v0_algs *)aa, *b = (const v0_algs *)bb;
345 return (gencomp_samealgsp(&a->ga, &b->ga));
346 }
347
348 static void v0_alginfo(const bulkalgs *aa, admin *adm)
349 { const v0_algs *a = (const v0_algs *)aa; gencomp_alginfo(&a->ga, adm); }
350
351 static size_t v0_overhead(const bulkalgs *aa)
352 {
353 const v0_algs *a = (const v0_algs *)aa;
354 return (a->ga.tagsz + SEQSZ + a->ga.c->blksz);
355 }
356
357 static size_t v0_expsz(const bulkalgs *aa)
358 { const v0_algs *a = (const v0_algs *)aa; return (gencomp_expsz(&a->ga)); }
359
360 static bulkctx *v0_genkeys(const bulkalgs *aa, const deriveargs *da)
361 {
362 const v0_algs *a = (const v0_algs *)aa;
363 v0_ctx *bc = CREATE(v0_ctx);
364 octet k[MAXHASHSZ];
365 int i;
366
367 bc->tagsz = a->ga.tagsz;
368 for (i = 0; i < NDIR; i++) {
369 if (!(da->f&(1 << i))) { bc->d[i].c = 0; bc->d[i].m = 0; continue; }
370 derivekey(k, a->ga.cksz, da, i, "encryption");
371 bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
372 derivekey(k, a->ga.mksz, da, i, "integrity");
373 bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
374 }
375 return (&bc->_b);
376 }
377
378 static bulkchal *v0_genchal(const bulkalgs *aa)
379 {
380 const v0_algs *a = (const v0_algs *)aa;
381 return (gencomp_genchal(&a->ga));
382 }
383 #define v0_chaltag gencomp_chaltag
384 #define v0_chalvrf gencomp_chalvrf
385 #define v0_freechal gencomp_freechal
386
387 static void v0_freealgs(bulkalgs *aa)
388 { v0_algs *a = (v0_algs *)aa; DESTROY(a); }
389
390 static void v0_freectx(bulkctx *bbc)
391 {
392 v0_ctx *bc = (v0_ctx *)bbc;
393 int i;
394
395 for (i = 0; i < NDIR; i++) {
396 if (bc->d[i].c) GC_DESTROY(bc->d[i].c);
397 if (bc->d[i].m) GM_DESTROY(bc->d[i].m);
398 }
399 DESTROY(bc);
400 }
401
402 static int v0_encrypt(bulkctx *bbc, unsigned ty,
403 buf *b, buf *bb, uint32 seq)
404 {
405 v0_ctx *bc = (v0_ctx *)bbc;
406 ghash *h;
407 gcipher *c = bc->d[DIR_OUT].c;
408 const octet *p = BCUR(b);
409 size_t sz = BLEFT(b);
410 octet *qmac, *qseq, *qiv, *qpk;
411 size_t ivsz;
412 size_t tagsz = bc->tagsz;
413 octet t[4];
414
415 assert(c);
416 ivsz = GC_CLASS(c)->blksz;
417
418 /* --- Determine the ciphertext layout --- */
419
420 if (buf_ensure(bb, tagsz + SEQSZ + ivsz + sz)) return (0);
421 qmac = BCUR(bb); qseq = qmac + tagsz; qiv = qseq + SEQSZ; qpk = qiv + ivsz;
422 BSTEP(bb, tagsz + SEQSZ + ivsz + sz);
423
424 /* --- Store the type --- *
425 *
426 * This isn't transmitted, but it's covered by the MAC.
427 */
428
429 STORE32(t, ty);
430
431 /* --- Store the sequence number --- */
432
433 STORE32(qseq, seq);
434
435 /* --- Establish an initialization vector if necessary --- */
436
437 if (ivsz) {
438 rand_get(RAND_GLOBAL, qiv, ivsz);
439 GC_SETIV(c, qiv);
440 TRACE_IV(qiv, ivsz);
441 }
442
443 /* --- Encrypt the packet --- */
444
445 GC_ENCRYPT(c, p, qpk, sz);
446 TRACE_CT(qpk, sz);
447
448 /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */
449
450 if (tagsz) {
451 h = GM_INIT(bc->d[DIR_OUT].m);
452 GH_HASH(h, t, sizeof(t));
453 GH_HASH(h, qseq, SEQSZ + ivsz + sz);
454 memcpy(qmac, GH_DONE(h, 0), tagsz);
455 GH_DESTROY(h);
456 TRACE_MAC(qmac, tagsz);
457 }
458
459 /* --- We're done --- */
460
461 return (0);
462 }
463
464 static int v0_decrypt(bulkctx *bbc, unsigned ty,
465 buf *b, buf *bb, uint32 *seq)
466 {
467 v0_ctx *bc = (v0_ctx *)bbc;
468 const octet *pmac, *piv, *pseq, *ppk;
469 size_t psz = BLEFT(b);
470 size_t sz;
471 octet *q = BCUR(bb);
472 ghash *h;
473 gcipher *c = bc->d[DIR_IN].c;
474 size_t ivsz;
475 size_t tagsz = bc->tagsz;
476 octet t[4];
477
478 assert(c);
479 ivsz = GC_CLASS(c)->blksz;
480
481 /* --- Break up the packet into its components --- */
482
483 if (psz < ivsz + SEQSZ + tagsz) {
484 T( trace(T_KEYSET, "keyset: block too small for keyset"); )
485 return (KSERR_MALFORMED);
486 }
487 sz = psz - ivsz - SEQSZ - tagsz;
488 pmac = BCUR(b); pseq = pmac + tagsz; piv = pseq + SEQSZ; ppk = piv + ivsz;
489 STORE32(t, ty);
490
491 /* --- Verify the MAC on the packet --- */
492
493 if (tagsz) {
494 h = GM_INIT(bc->d[DIR_IN].m);
495 GH_HASH(h, t, sizeof(t));
496 GH_HASH(h, pseq, SEQSZ + ivsz + sz);
497 CHECK_MAC(h, pmac, tagsz);
498 }
499
500 /* --- Decrypt the packet --- */
501
502 if (ivsz) {
503 TRACE_IV(piv, ivsz);
504 GC_SETIV(c, piv);
505 }
506 GC_DECRYPT(c, ppk, q, sz);
507
508 /* --- Finished --- */
509
510 *seq = LOAD32(pseq);
511 BSTEP(bb, sz);
512 return (0);
513 }
514
515 /*----- The implicit-IV transform -----------------------------------------*
516 *
517 * The v0 transform makes everything explicit. There's an IV because the
518 * cipher needs an IV; there's a sequence number because replay prevention
519 * needs a sequence number.
520 *
521 * This new transform works rather differently. We make use of a block
522 * cipher to encrypt the sequence number, and use that as the IV. We
523 * transmit the sequence number in the clear, as before. This reduces
524 * overhead; and it's not a significant privacy leak because the adversary
525 * can see the order in which the messages are transmitted -- i.e., the
526 * sequence numbers are almost completely predictable anyway.
527 *
528 * So, a MAC is computed over
529 *
530 * +--------+ +--------+------...------+
531 * | type | | seq | ciphertext |
532 * +--------+ +--------+------...------+
533 * 32 32 sz
534 *
535 * and we actually transmit the following as the cryptogram.
536 *
537 * +---...---+------+------...------+
538 * | tag | seq | ciphertext |
539 * +---...---+------+------...------+
540 * tagsz 32 sz
541 */
542
543 typedef struct iiv_algs {
544 bulkalgs _b;
545 gencomp_algs ga;
546 const gccipher *b; size_t bksz;
547 } iiv_algs;
548
549 typedef struct iiv_ctx {
550 bulkctx _b;
551 size_t tagsz;
552 struct {
553 gcipher *c, *b;
554 gmac *m;
555 } d[NDIR];
556 } iiv_ctx;
557
558
559 static bulkalgs *iiv_getalgs(const algswitch *asw, dstr *e,
560 key_file *kf, key *k)
561 {
562 iiv_algs *a = CREATE(iiv_algs);
563 dstr d = DSTR_INIT, dd = DSTR_INIT;
564 const char *p;
565 char *q;
566
567 if (gencomp_getalgs(&a->ga, asw, e, kf, k)) goto fail;
568
569 if ((p = key_getattr(kf, k, "blkc")) == 0) {
570 dstr_puts(&dd, a->ga.c->name);
571 if ((q = strrchr(dd.buf, '-')) != 0) *q = 0;
572 p = dd.buf;
573 }
574 dstr_putf(&d, "%s-ecb", p);
575 if ((a->b = gcipher_byname(d.buf)) == 0) {
576 a_format(e, "unknown-blkc", "%s", p, A_END);
577 goto fail;
578 }
579
580 dstr_destroy(&d); dstr_destroy(&dd);
581 return (&a->_b);
582 fail:
583 dstr_destroy(&d); dstr_destroy(&dd);
584 DESTROY(a);
585 return (0);
586 }
587
588 #ifndef NTRACE
589 static void iiv_tracealgs(const bulkalgs *aa)
590 {
591 const iiv_algs *a = (const iiv_algs *)aa;
592
593 gencomp_tracealgs(&a->ga);
594 trace(T_CRYPTO,
595 "crypto: blkc = %.*s", (int)strlen(a->b->name) - 4, a->b->name);
596 }
597 #endif
598
599 static int iiv_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
600 {
601 iiv_algs *a = (iiv_algs *)aa;
602
603 if (gencomp_checkalgs(&a->ga, asw, e)) return (-1);
604
605 if ((a->bksz = keysz(asw->hashsz, a->b->keysz)) == 0) {
606 a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
607 "no-key-size", "%lu", (unsigned long)asw->hashsz,
608 A_END);
609 return (-1);
610 }
611 if (a->b->blksz < a->ga.c->blksz) {
612 a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name,
613 "blksz-insufficient", A_END);
614 return (-1);
615 }
616 return (0);
617 }
618
619 static int iiv_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
620 {
621 const iiv_algs *a = (const iiv_algs *)aa, *b = (const iiv_algs *)bb;
622 return (gencomp_samealgsp(&a->ga, &b->ga) && a->b == b->b);
623 }
624
625 static void iiv_alginfo(const bulkalgs *aa, admin *adm)
626 {
627 const iiv_algs *a = (const iiv_algs *)aa;
628 gencomp_alginfo(&a->ga, adm);
629 a_info(adm,
630 "blkc=%.*s", strlen(a->b->name) - 4, a->b->name,
631 "blkc-keysz=%lu", (unsigned long)a->bksz,
632 "blkc-blksz=%lu", (unsigned long)a->b->blksz,
633 A_END);
634 }
635
636 static size_t iiv_overhead(const bulkalgs *aa)
637 { const iiv_algs *a = (const iiv_algs *)aa; return (a->ga.tagsz + SEQSZ); }
638
639 static size_t iiv_expsz(const bulkalgs *aa)
640 {
641 const iiv_algs *a = (const iiv_algs *)aa;
642 return (gencomp_expsz(&a->ga));
643 }
644
645 static bulkctx *iiv_genkeys(const bulkalgs *aa, const deriveargs *da)
646 {
647 const iiv_algs *a = (const iiv_algs *)aa;
648 iiv_ctx *bc = CREATE(iiv_ctx);
649 octet k[MAXHASHSZ];
650 int i;
651
652 bc->tagsz = a->ga.tagsz;
653 for (i = 0; i < NDIR; i++) {
654 if (!(da->f&(1 << i)))
655 { bc->d[i].c = 0; bc->d[i].b = 0; bc->d[i].m = 0; continue; }
656 derivekey(k, a->ga.cksz, da, i, "encryption");
657 bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz);
658 derivekey(k, a->bksz, da, i, "blkc");
659 bc->d[i].b = GC_INIT(a->b, k, a->bksz);
660 derivekey(k, a->ga.mksz, da, i, "integrity");
661 bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz);
662 }
663 return (&bc->_b);
664 }
665
666 static bulkchal *iiv_genchal(const bulkalgs *aa)
667 {
668 const iiv_algs *a = (const iiv_algs *)aa;
669 return (gencomp_genchal(&a->ga));
670 }
671 #define iiv_chaltag gencomp_chaltag
672 #define iiv_chalvrf gencomp_chalvrf
673 #define iiv_freechal gencomp_freechal
674
675 static void iiv_freealgs(bulkalgs *aa)
676 { iiv_algs *a = (iiv_algs *)aa; DESTROY(a); }
677
678 static void iiv_freectx(bulkctx *bbc)
679 {
680 iiv_ctx *bc = (iiv_ctx *)bbc;
681 int i;
682
683 for (i = 0; i < NDIR; i++) {
684 if (bc->d[i].c) GC_DESTROY(bc->d[i].c);
685 if (bc->d[i].b) GC_DESTROY(bc->d[i].b);
686 if (bc->d[i].m) GM_DESTROY(bc->d[i].m);
687 }
688 DESTROY(bc);
689 }
690
691 #define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \
692 trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \
693 }) } while (0)
694
695 static int iiv_encrypt(bulkctx *bbc, unsigned ty,
696 buf *b, buf *bb, uint32 seq)
697 {
698 iiv_ctx *bc = (iiv_ctx *)bbc;
699 ghash *h;
700 gcipher *c = bc->d[DIR_OUT].c, *blkc = bc->d[DIR_OUT].b;
701 const octet *p = BCUR(b);
702 size_t sz = BLEFT(b);
703 octet *qmac, *qseq, *qpk;
704 size_t ivsz, blkcsz;
705 size_t tagsz = bc->tagsz;
706 octet t[4];
707
708 assert(c); assert(blkc);
709 ivsz = GC_CLASS(c)->blksz;
710 blkcsz = GC_CLASS(blkc)->blksz;
711
712 /* --- Determine the ciphertext layout --- */
713
714 if (buf_ensure(bb, tagsz + SEQSZ + sz)) return (0);
715 qmac = BCUR(bb); qseq = qmac + tagsz; qpk = qseq + SEQSZ;
716 BSTEP(bb, tagsz + SEQSZ + sz);
717
718 /* --- Store the type --- *
719 *
720 * This isn't transmitted, but it's covered by the MAC.
721 */
722
723 STORE32(t, ty);
724
725 /* --- Store the sequence number --- */
726
727 STORE32(qseq, seq);
728
729 /* --- Establish an initialization vector if necessary --- */
730
731 if (ivsz) {
732 memset(buf_u, 0, blkcsz - SEQSZ);
733 memcpy(buf_u + blkcsz - SEQSZ, qseq, SEQSZ);
734 TRACE_PRESEQ(buf_u, ivsz);
735 GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
736 GC_SETIV(c, buf_u);
737 TRACE_IV(buf_u, ivsz);
738 }
739
740 /* --- Encrypt the packet --- */
741
742 GC_ENCRYPT(c, p, qpk, sz);
743 TRACE_CT(qpk, sz);
744
745 /* --- Compute a MAC over type, sequence number, and ciphertext --- */
746
747 if (tagsz) {
748 h = GM_INIT(bc->d[DIR_OUT].m);
749 GH_HASH(h, t, sizeof(t));
750 GH_HASH(h, qseq, SEQSZ + sz);
751 memcpy(qmac, GH_DONE(h, 0), tagsz);
752 GH_DESTROY(h);
753 TRACE_MAC(qmac, tagsz);
754 }
755
756 /* --- We're done --- */
757
758 return (0);
759 }
760
761 static int iiv_decrypt(bulkctx *bbc, unsigned ty,
762 buf *b, buf *bb, uint32 *seq)
763 {
764 iiv_ctx *bc = (iiv_ctx *)bbc;
765 const octet *pmac, *pseq, *ppk;
766 size_t psz = BLEFT(b);
767 size_t sz;
768 octet *q = BCUR(bb);
769 ghash *h;
770 gcipher *c = bc->d[DIR_IN].c, *blkc = bc->d[DIR_IN].b;
771 size_t ivsz, blkcsz;
772 size_t tagsz = bc->tagsz;
773 octet t[4];
774
775 assert(c); assert(blkc);
776 ivsz = GC_CLASS(c)->blksz;
777 blkcsz = GC_CLASS(blkc)->blksz;
778
779 /* --- Break up the packet into its components --- */
780
781 if (psz < SEQSZ + tagsz) {
782 T( trace(T_KEYSET, "keyset: block too small for keyset"); )
783 return (KSERR_MALFORMED);
784 }
785 sz = psz - SEQSZ - tagsz;
786 pmac = BCUR(b); pseq = pmac + tagsz; ppk = pseq + SEQSZ;
787 STORE32(t, ty);
788
789 /* --- Verify the MAC on the packet --- */
790
791 if (tagsz) {
792 h = GM_INIT(bc->d[DIR_IN].m);
793 GH_HASH(h, t, sizeof(t));
794 GH_HASH(h, pseq, SEQSZ + sz);
795 CHECK_MAC(h, pmac, tagsz);
796 }
797
798 /* --- Decrypt the packet --- */
799
800 if (ivsz) {
801 memset(buf_u, 0, blkcsz - SEQSZ);
802 memcpy(buf_u + blkcsz - SEQSZ, pseq, SEQSZ);
803 TRACE_PRESEQ(buf_u, ivsz);
804 GC_ENCRYPT(blkc, buf_u, buf_u, blkcsz);
805 GC_SETIV(c, buf_u);
806 TRACE_IV(buf_u, ivsz);
807 }
808 GC_DECRYPT(c, ppk, q, sz);
809
810 /* --- Finished --- */
811
812 *seq = LOAD32(pseq);
813 BSTEP(bb, sz);
814 return (0);
815 }
816
817 /*----- The AEAD transform ------------------------------------------------*
818 *
819 * This transform uses a general authenticated encryption scheme. Processing
820 * additional authenticated data isn't needed for encrypting messages, but it
821 * is required for challenge generation. Good options include `chacha20-
822 * poly1305' or `rijndael-ocb3'; alas, `salsa20-naclbox' isn't acceptable.
823 *
824 * To be acceptable, the scheme must accept at least a 40-bit nonce. (All of
825 * Catacomb's current AEAD schemes are suitable in this respect.) The low 32
826 * bits are the sequence number. The type is written to the next 8--32
827 * bytes: if the nonce size is 64 bits or more (preferred, for compatibility
828 * reasons) then the type is written as 32 bits, and the remaining space is
829 * padded with zero bytes; otherwise, the type is right-aligned in the
830 * remaining space. Both fields are big-endian.
831 *
832 * +--------+--+
833 * | seq |ty|
834 * +--------+--+
835 * 32 8
836 *
837 * +--------+----+
838 * | seq | ty |
839 * +--------+----+
840 * 32 16
841 *
842 * +--------+------+
843 * | seq | type |
844 * +--------+------+
845 * 32 24
846 *
847 * +--------+--------+---...---+
848 * | seq | type | 0 |
849 * +--------+--------+---...---+
850 * 32 32 nsz - 64
851 *
852 * The ciphertext is formatted as
853 *
854 * +---...---+--------+------...------+
855 * | tag | seq | ciphertext |
856 * +---...---+--------+------...------+
857 * tagsz 32 sz
858 *
859 */
860
861 #define AEAD_NONCEMAX 64
862
863 typedef struct aead_algs {
864 bulkalgs _b;
865 const gcaead *c;
866 size_t ksz, nsz, tsz;
867 } aead_algs;
868
869 typedef struct aead_ctx {
870 bulkctx _b;
871 struct { gaead_key *k; } d[NDIR];
872 size_t nsz, tsz;
873 } aead_ctx;
874
875 static bulkalgs *aead_getalgs(const algswitch *asw, dstr *e,
876 key_file *kf, key *k)
877 {
878 aead_algs *a = CREATE(aead_algs);
879 const char *p;
880 char *qq;
881 gaead_key *kk = 0;
882 size_t ksz;
883 size_t csz = 0;
884 unsigned long n;
885
886 /* --- Collect the selected cipher and check that it's supported --- */
887
888 p = key_getattr(kf, k, "cipher"); if (!p) p = "rijndael-ocb3";
889 a->c = gaead_byname(p);
890 if (!a->c) { a_format(e, "unknown-cipher", "%s", p, A_END); goto fail; }
891 if (a->c->f&AEADF_NOAAD) {
892 a_format(e, "unsuitable-aead-cipher", "%s", p, "no-aad", A_END);
893 goto fail;
894 }
895 a->nsz = keysz_pad(8, a->c->noncesz);
896 if (!a->nsz) a->nsz = keysz_pad(5, a->c->noncesz);
897 if (!a->nsz) {
898 a_format(e, "unsuitable-aead-cipher", "%s", p, "nonce-too-small", A_END);
899 goto fail;
900 } else if (a->nsz > AEAD_NONCEMAX) {
901 a_format(e, "unsuitable-aead-cipher", "%s", p, "nonce-too-large", A_END);
902 goto fail;
903 }
904
905 /* --- Collect the selected MAC, and check the tag length --- *
906 *
907 * Of course, there isn't a separate MAC, so only accept `aead'.
908 */
909
910 p = key_getattr(kf, k, "tagsz");
911 if (!p) {
912 p = key_getattr(kf, k, "mac");
913 if (!p) ;
914 else if (strncmp(p, "aead", 4) != 0 || (p[4] && p[4] != '/'))
915 { a_format(e, "unknown-mac", "%s", p, A_END); goto fail; }
916 else if (p[4] == '/') p += 5;
917 else p = 0;
918 }
919 if (!p)
920 a->tsz = keysz(0, a->c->tagsz);
921 else {
922 n = strtoul(p, &qq, 0);
923 if (*qq) {
924 a_format(e, "bad-tag-length-string", "%s", p, A_END);
925 goto fail;
926 }
927 if (n%8 || (a->tsz = keysz(n/8, a->c->tagsz)) == 0)
928 { a_format(e, "bad-tag-length", "%lu", n, A_END); goto fail; }
929 }
930
931 /* --- Check that an empty message gives an empty ciphertext --- *
932 *
933 * This is necessary for producing challenges. If the overhead is zero
934 * then we're fine; otherwise, we have to check the hard way.
935 */
936
937 if (a->c->ohd) {
938 ksz = keysz(0, a->c->keysz);
939 memset(buf_t, 0, ksz > a->nsz ? ksz : a->nsz);
940 kk = GAEAD_KEY(a->c, buf_t, ksz);
941 if (gaead_encrypt(kk, buf_t, a->nsz,
942 buf_t, ksz,
943 0, 0,
944 buf_t, &csz,
945 buf_t, a->tsz)) {
946 a_format(e, "unsuitable-aead-cipher", "%s", a->c->name,
947 "nonempty-ciphertext-for-empty-message", A_END);
948 goto fail;
949 }
950 GAEAD_DESTROY(kk); kk = 0;
951 }
952
953 return (&a->_b);
954 fail:
955 if (kk) GAEAD_DESTROY(kk);
956 DESTROY(a);
957 return (0);
958 }
959
960 #ifndef NTRACE
961 static void aead_tracealgs(const bulkalgs *aa)
962 {
963 const aead_algs *a = (const aead_algs *)aa;
964
965 trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
966 trace(T_CRYPTO, "crypto: noncesz = %lu", (unsigned long)a->nsz);
967 trace(T_CRYPTO, "crypto: tagsz = %lu", (unsigned long)a->tsz);
968 }
969 #endif
970
971 static int aead_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e)
972 {
973 aead_algs *a = (aead_algs *)aa;
974
975 if ((a->ksz = keysz(asw->hashsz, a->c->keysz)) == 0) {
976 a_format(e, "cipher", "%s", a->c->name,
977 "no-key-size", "%lu", (unsigned long)asw->hashsz,
978 A_END);
979 return (-1);
980 }
981 return (0);
982 }
983
984 static int aead_samealgsp(const bulkalgs *aa, const bulkalgs *bb)
985 {
986 const aead_algs *a = (const aead_algs *)aa,
987 *b = (const aead_algs *)bb;
988 return (a->c == b->c && a->tsz == b->tsz);
989 }
990
991 static void aead_alginfo(const bulkalgs *aa, admin *adm)
992 {
993 const aead_algs *a = (const aead_algs *)aa;
994 a_info(adm, "cipher=%s", a->c->name,
995 "cipher-keysz=%lu", (unsigned long)a->ksz,
996 A_END);
997 a_info(adm, "mac=aead", "mac-tagsz=%lu", (unsigned long)a->tsz, A_END);
998 }
999
1000 static size_t aead_overhead(const bulkalgs *aa)
1001 {
1002 const aead_algs *a = (const aead_algs *)aa;
1003 return (a->tsz + SEQSZ + a->c->ohd);
1004 }
1005
1006 static size_t aead_expsz(const bulkalgs *aa)
1007 {
1008 const aead_algs *a = (const aead_algs *)aa;
1009 return (a->c->blksz < 16 ? MEG(64) : MEG(2048));
1010 }
1011
1012 static bulkctx *aead_genkeys(const bulkalgs *aa, const deriveargs *da)
1013 {
1014 const aead_algs *a = (const aead_algs *)aa;
1015 aead_ctx *bc = CREATE(aead_ctx);
1016 octet k[MAXHASHSZ];
1017 int i;
1018
1019 for (i = 0; i < NDIR; i++) {
1020 if (!(da->f&(1 << i))) { bc->d[i].k = 0; continue; }
1021 derivekey(k, a->ksz, da, i, "encryption");
1022 bc->d[i].k = GAEAD_KEY(a->c, k, a->ksz);
1023 }
1024 bc->nsz = a->nsz; bc->tsz = a->tsz;
1025 return (&bc->_b);
1026 }
1027
1028 typedef struct aead_chal {
1029 bulkchal _b;
1030 gaead_key *k;
1031 } aead_chal;
1032
1033 static bulkchal *aead_genchal(const bulkalgs *aa)
1034 {
1035 const aead_algs *a = (const aead_algs *)aa;
1036 aead_chal *c = CREATE(aead_chal);
1037 rand_get(RAND_GLOBAL, buf_t, a->ksz);
1038 c->k = GAEAD_KEY(a->c, buf_t, a->ksz);
1039 IF_TRACING(T_CHAL, {
1040 trace(T_CHAL, "chal: generated new challenge key");
1041 trace_block(T_CRYPTO, "chal: new key", buf_t, a->ksz);
1042 })
1043 c->_b.tagsz = a->tsz;
1044 return (&c->_b);
1045 }
1046
1047 static int aead_chaltag(bulkchal *bc, const void *m, size_t msz,
1048 uint32 seq, void *t)
1049 {
1050 aead_chal *c = (aead_chal *)bc;
1051 octet b[AEAD_NONCEMAX];
1052 size_t nsz = keysz_pad(4, c->k->ops->c->noncesz);
1053 size_t csz = 0;
1054 int rc;
1055
1056 assert(nsz); assert(nsz <= sizeof(b));
1057 memset(b, 0, nsz - 4); STORE32(b + nsz - 4, seq);
1058 rc = gaead_encrypt(c->k, b, nsz, m, msz, 0, 0,
1059 buf_t, &csz, t, c->_b.tagsz);
1060 assert(!rc);
1061 return (0);
1062 }
1063
1064 static int aead_chalvrf(bulkchal *bc, const void *m, size_t msz,
1065 uint32 seq, const void *t)
1066 {
1067 aead_chal *c = (aead_chal *)bc;
1068 octet b[AEAD_NONCEMAX];
1069 size_t nsz = keysz(4, c->k->ops->c->noncesz);
1070 size_t psz = 0;
1071 int rc;
1072
1073 assert(nsz); assert(nsz <= sizeof(b));
1074 memset(b, 0, nsz - 4); STORE32(b + nsz - 4, seq);
1075 rc = gaead_decrypt(c->k, b, nsz, m, msz, 0, 0,
1076 buf_t, &psz, t, c->_b.tagsz);
1077 assert(rc >= 0);
1078 return (rc == 1 ? 0 : -1);
1079 }
1080
1081 static void aead_freechal(bulkchal *bc)
1082 { aead_chal *c = (aead_chal *)bc; GAEAD_DESTROY(c->k); DESTROY(c); }
1083
1084 static void aead_freealgs(bulkalgs *aa)
1085 { aead_algs *a = (aead_algs *)aa; DESTROY(a); }
1086
1087 static void aead_freectx(bulkctx *bbc)
1088 {
1089 aead_ctx *bc = (aead_ctx *)bbc;
1090 int i;
1091
1092 for (i = 0; i < NDIR; i++) { if (bc->d[i].k) GAEAD_DESTROY(bc->d[i].k); }
1093 DESTROY(bc);
1094 }
1095
1096 static void aead_fmtnonce(aead_ctx *bc, octet *n, uint32 seq, unsigned ty)
1097 {
1098 assert(bc->nsz <= AEAD_NONCEMAX); assert(ty <= 255);
1099 STORE32(n, seq);
1100 switch (bc->nsz) {
1101 case 5: STORE8(n + SEQSZ, ty); break;
1102 case 6: STORE16(n + SEQSZ, ty); break;
1103 case 7: STORE24(n + SEQSZ, ty); break;
1104 default: memset(n + 8, 0, bc->nsz - 8); /* and continue */
1105 case 8: STORE32(n + SEQSZ, ty); break;
1106 }
1107 TRACE_IV(n, bc->nsz);
1108 }
1109
1110 static int aead_encrypt(bulkctx *bbc, unsigned ty,
1111 buf *b, buf *bb, uint32 seq)
1112 {
1113 aead_ctx *bc = (aead_ctx *)bbc;
1114 const octet *p = BCUR(b);
1115 gaead_key *k = bc->d[DIR_OUT].k;
1116 size_t sz = BLEFT(b);
1117 size_t csz = sz + k->ops->c->ohd;
1118 octet *qmac, *qseq, *qpk;
1119 octet n[AEAD_NONCEMAX];
1120 int rc;
1121
1122 assert(k);
1123
1124 if (buf_ensure(bb, bc->tsz + SEQSZ + csz)) return (0);
1125 qmac = BCUR(bb); qseq = qmac + bc->tsz; qpk = qseq + SEQSZ;
1126 STORE32(qseq, seq);
1127
1128 aead_fmtnonce(bc, n, seq, ty);
1129 rc = gaead_encrypt(k, n, bc->nsz, 0, 0, p, sz, qpk, &csz, qmac, bc->tsz);
1130 assert(!rc);
1131 BSTEP(bb, bc->tsz + SEQSZ + csz);
1132 TRACE_CT(qpk, csz);
1133 TRACE_MAC(qmac, bc->tsz);
1134
1135 return (0);
1136 }
1137
1138 static int aead_decrypt(bulkctx *bbc, unsigned ty,
1139 buf *b, buf *bb, uint32 *seq_out)
1140 {
1141 aead_ctx *bc = (aead_ctx *)bbc;
1142 gaead_key *k = bc->d[DIR_IN].k;
1143 const octet *pmac, *pseq, *ppk;
1144 uint32 seq;
1145 size_t psz = BLEFT(b);
1146 size_t sz;
1147 octet *q = BCUR(bb);
1148 octet n[AEAD_NONCEMAX];
1149 int rc;
1150
1151 assert(k);
1152
1153 if (psz < bc->tsz + SEQSZ) {
1154 T( trace(T_KEYSET, "keyset: block too small for keyset"); )
1155 return (KSERR_MALFORMED);
1156 }
1157 sz = psz - bc->tsz - SEQSZ;
1158 pmac = BCUR(b); pseq = pmac + bc->tsz; ppk = pseq + SEQSZ;
1159 seq = LOAD32(pseq);
1160
1161 aead_fmtnonce(bc, n, seq, ty);
1162 rc = gaead_decrypt(k, n, bc->nsz, 0, 0, ppk, sz, q, &sz, pmac, bc->tsz);
1163 assert(rc >= 0);
1164 if (!rc) { TRACE_MACERR(pmac, bc->tsz); return (KSERR_DECRYPT); }
1165
1166 *seq_out = seq;
1167 BSTEP(bb, sz);
1168 return (0);
1169 }
1170
1171 /*----- The NaCl box transform --------------------------------------------*
1172 *
1173 * This transform is very similar to the NaCl `crypto_secretbox' transform
1174 * described in Bernstein, `Cryptography in NaCl', with the difference that,
1175 * rather than using XSalsa20, we use either Salsa20/r or ChaChar, because we
1176 * have no need of XSalsa20's extended nonce. The default cipher is Salsa20.
1177 *
1178 * Salsa20 and ChaCha accept a 64-bit nonce. The low 32 bits are the
1179 * sequence number, and the high 32 bits are the type, both big-endian.
1180 *
1181 * +--------+--------+
1182 * | seq | type |
1183 * +--------+--------+
1184 * 32 32
1185 *
1186 * A stream is generated by concatenating the raw output blocks generated
1187 * with this nonce and successive counter values starting from zero. The
1188 * first 32 bytes of the stream are used as a key for Poly1305: the first 16
1189 * bytes are the universal hash key r, and the second 16 bytes are the mask
1190 * value s.
1191 *
1192 * +------+------+ +------...------+
1193 * | r | s | | keystream |
1194 * +------+------+ +------...------+
1195 * 128 128 sz
1196 *
1197 * The remainder of the stream is XORed with the incoming plaintext to form a
1198 * ciphertext with the same length. The ciphertext (only) is then tagged
1199 * using Poly1305. The tag, sequence number, and ciphertext are concatenated
1200 * in this order, and transmitted.
1201 *
1202 *
1203 * +---...---+------+------...------+
1204 * | tag | seq | ciphertext |
1205 * +---...---+------+------...------+
1206 * 128 32 sz
1207 *
1208 * Note that there is no need to authenticate the type separately, since it
1209 * was used to select the cipher nonce, and hence the Poly1305 key. The
1210 * Poly1305 tag length is fixed.
1211 */
1212
1213 typedef struct naclbox_algs {
1214 aead_algs _b;
1215 const gccipher *c;
1216 } naclbox_algs;
1217
1218 static bulkalgs *naclbox_getalgs(const algswitch *asw, dstr *e,
1219 key_file *kf, key *k)
1220 {
1221 naclbox_algs *a = CREATE(naclbox_algs);
1222 const char *p;
1223 char *qq;
1224 unsigned long n;
1225
1226 /* --- Collect the selected cipher and check that it's supported --- */
1227
1228 p = key_getattr(kf, k, "cipher");
1229 if (!p || strcmp(p, "salsa20") == 0)
1230 { a->_b.c = &salsa20_naclbox; a->c = &salsa20; }
1231 else if (strcmp(p, "salsa20/12") == 0)
1232 { a->_b.c = &salsa2012_naclbox; a->c = &salsa2012; }
1233 else if (strcmp(p, "salsa20/8") == 0)
1234 { a->_b.c = &salsa208_naclbox; a->c = &salsa208; }
1235 else if (strcmp(p, "chacha20") == 0)
1236 { a->_b.c = &chacha20_naclbox; a->c = &chacha20; }
1237 else if (strcmp(p, "chacha12") == 0)
1238 { a->_b.c = &chacha12_naclbox; a->c = &chacha12; }
1239 else if (strcmp(p, "chacha8") == 0)
1240 { a->_b.c = &chacha8_naclbox; a->c = &chacha8; }
1241 else {
1242 a_format(e, "unknown-cipher", "%s", p, A_END);
1243 goto fail;
1244 }
1245 a->_b.nsz = 8;
1246
1247 /* --- Collect the selected MAC, and check the tag length --- */
1248
1249 p = key_getattr(kf, k, "mac");
1250 if (!p)
1251 ;
1252 else if (strncmp(p, "poly1305", 8) != 0 || (p[8] && p[8] != '/')) {
1253 a_format(e, "unknown-mac", "%s", p, A_END);
1254 goto fail;
1255 } else if (p[8] == '/') {
1256 n = strtoul(p + 9, &qq, 0);
1257 if (*qq) {
1258 a_format(e, "bad-tag-length-string", "%s", p + 9, A_END);
1259 goto fail;
1260 }
1261 if (n != 128) {
1262 a_format(e, "bad-tag-length", "%lu", n, A_END);
1263 goto fail;
1264 }
1265 }
1266 a->_b.tsz = 16;
1267
1268 return (&a->_b._b);
1269 fail:
1270 DESTROY(a);
1271 return (0);
1272 }
1273
1274 #ifndef NTRACE
1275 static void naclbox_tracealgs(const bulkalgs *aa)
1276 {
1277 const naclbox_algs *a = (const naclbox_algs *)aa;
1278
1279 trace(T_CRYPTO, "crypto: cipher = %s", a->c->name);
1280 trace(T_CRYPTO, "crypto: mac = poly1305/128");
1281 }
1282 #endif
1283
1284 #define naclbox_checkalgs aead_checkalgs
1285 #define naclbox_samealgsp aead_samealgsp
1286
1287 static void naclbox_alginfo(const bulkalgs *aa, admin *adm)
1288 {
1289 const naclbox_algs *a = (const naclbox_algs *)aa;
1290 a_info(adm, "cipher=%s", a->c->name, "cipher-keysz=32", A_END);
1291 a_info(adm, "mac=poly1305", "mac-tagsz=16", A_END);
1292 }
1293
1294 #define naclbox_overhead aead_overhead
1295 #define naclbox_expsz aead_expsz
1296 #define naclbox_genkeys aead_genkeys
1297
1298 typedef struct naclbox_chal {
1299 bulkchal _b;
1300 gcipher *c;
1301 } naclbox_chal;
1302
1303 static bulkchal *naclbox_genchal(const bulkalgs *aa)
1304 {
1305 const naclbox_algs *a = (const naclbox_algs *)aa;
1306 naclbox_chal *c = CREATE(naclbox_chal);
1307 rand_get(RAND_GLOBAL, buf_t, a->_b.ksz);
1308 c->c = GC_INIT(a->c, buf_t, a->_b.ksz);
1309 IF_TRACING(T_CHAL, {
1310 trace(T_CHAL, "chal: generated new challenge key");
1311 trace_block(T_CRYPTO, "chal: new key", buf_t, a->_b.ksz);
1312 })
1313 c->_b.tagsz = POLY1305_TAGSZ;
1314 return (&c->_b);
1315 }
1316
1317 static int naclbox_chaltag(bulkchal *bc, const void *m, size_t msz,
1318 uint32 seq, void *t)
1319 {
1320 naclbox_chal *c = (naclbox_chal *)bc;
1321 poly1305_key pk;
1322 poly1305_ctx pm;
1323 octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
1324
1325 STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce");
1326
1327 memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
1328 GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
1329 poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
1330 poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ);
1331 if (msz) poly1305_hash(&pm, m, msz);
1332 poly1305_done(&pm, t);
1333 return (0);
1334 }
1335
1336 static int naclbox_chalvrf(bulkchal *bc, const void *m, size_t msz,
1337 uint32 seq, const void *t)
1338 {
1339 naclbox_chal *c = (naclbox_chal *)bc;
1340 poly1305_key pk;
1341 poly1305_ctx pm;
1342 octet b[POLY1305_KEYSZ + POLY1305_MASKSZ];
1343
1344 STATIC_ASSERT(SALSA20_NONCESZ <= sizeof(b), "Need more space for nonce");
1345 STATIC_ASSERT(POLY1305_TAGSZ <= sizeof(b), "Need more space for tag");
1346
1347 memset(b, 0, SALSA20_NONCESZ - 4); STORE32(b + SALSA20_NONCESZ - 4, seq);
1348 GC_SETIV(c->c, b); GC_ENCRYPT(c->c, 0, b, sizeof(b));
1349 poly1305_keyinit(&pk, b, POLY1305_KEYSZ);
1350 poly1305_macinit(&pm, &pk, b + POLY1305_KEYSZ);
1351 if (msz) poly1305_hash(&pm, m, msz);
1352 poly1305_done(&pm, b);
1353 return (ct_memeq(t, b, POLY1305_TAGSZ) ? 0 : -1);
1354 }
1355
1356 static void naclbox_freechal(bulkchal *bc)
1357 { naclbox_chal *c = (naclbox_chal *)bc; GC_DESTROY(c->c); DESTROY(c); }
1358
1359 static void naclbox_freealgs(bulkalgs *aa)
1360 { naclbox_algs *a = (naclbox_algs *)aa; DESTROY(a); }
1361
1362 #define naclbox_freectx aead_freectx
1363 #define naclbox_encrypt aead_encrypt
1364 #define naclbox_decrypt aead_decrypt
1365
1366 /*----- Bulk crypto transform table ---------------------------------------*/
1367
1368 const bulkops bulktab[] = {
1369
1370 #define COMMA ,
1371
1372 #define BULK(name, pre) \
1373 { name, pre##_getalgs, T( pre##_tracealgs COMMA ) \
1374 pre##_checkalgs, pre##_samealgsp, \
1375 pre##_alginfo, pre##_overhead, pre##_expsz, \
1376 pre##_genkeys, pre##_genchal, pre##_freealgs, \
1377 pre##_encrypt, pre##_decrypt, pre##_freectx, \
1378 pre##_chaltag, pre##_chalvrf, pre##_freechal }
1379
1380 BULK("v0", v0),
1381 BULK("iiv", iiv),
1382 BULK("aead", aead),
1383 BULK("naclbox", naclbox),
1384
1385 #undef BULK
1386 { 0 }
1387 };
1388
1389 /*----- That's all, folks -------------------------------------------------*/
Trivial IP Encryption: a simple VPN