X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/9a361a98e47bdade7bf107666441f41b4cb67dd9..c70a7c5cedab62209640b76f03d97c1876e38dc6:/server/bulkcrypto.c diff --git a/server/bulkcrypto.c b/server/bulkcrypto.c index 26ae9ede..288eed9d 100644 --- a/server/bulkcrypto.c +++ b/server/bulkcrypto.c @@ -50,6 +50,8 @@ trace_block(T_CRYPTO, "crypto: expected MAC", (pmac), (tagsz)); \ }) } while (0) +/*----- Common functionality for generic-composition transforms -----------*/ + #define CHECK_MAC(h, pmac, tagsz) do { \ ghash *_h = (h); \ const octet *_pmac = (pmac); \ @@ -64,6 +66,172 @@ } \ } while (0) +typedef struct gencomp_algs { + const gccipher *c; size_t cksz; + const gcmac *m; size_t mksz; size_t tagsz; +} gencomp_algs; + +typedef struct gencomp_chal { + bulkchal _b; + gmac *m; size_t tagsz; +} gencomp_chal; + +static int gencomp_getalgs(gencomp_algs *a, const algswitch *asw, + dstr *e, key_file *kf, key *k) +{ + const char *p; + char *q, *qq; + unsigned long n; + dstr d = DSTR_INIT; + int rc = -1; + + /* --- Symmetric encryption --- */ + + if ((p = key_getattr(kf, k, "cipher")) == 0) p = "blowfish-cbc"; + if ((a->c = gcipher_byname(p)) == 0) { + a_format(e, "unknown-cipher", "%s", p, A_END); + goto done; + } + + /* --- Message authentication --- */ + + if ((p = key_getattr(kf, k, "mac")) != 0) { + dstr_reset(&d); + dstr_puts(&d, p); + if ((q = strchr(d.buf, '/')) != 0) + *q++ = 0; + if ((a->m = gmac_byname(d.buf)) == 0) { + a_format(e, "unknown-mac", "%s", d.buf, A_END); + goto done; + } + if (!q) + a->tagsz = a->m->hashsz; + else { + n = strtoul(q, &qq, 0); + if (*qq) { + a_format(e, "bad-tag-length-string", "%s", q, A_END); + goto done; + } + if (n%8 || n/8 > a->m->hashsz) { + a_format(e, "bad-tag-length", "%lu", n, A_END); + goto done; + } + a->tagsz = n/8; + } + } else { + dstr_reset(&d); + dstr_putf(&d, "%s-hmac", asw->h->name); + if ((a->m = gmac_byname(d.buf)) == 0) { + a_format(e, "no-hmac-for-hash", "%s", asw->h->name, A_END); + goto done; + } + a->tagsz = asw->h->hashsz/2; + } + + rc = 0; +done: + dstr_destroy(&d); + return (rc); +} + +#ifndef NTRACE +static void gencomp_tracealgs(const gencomp_algs *a) +{ + trace(T_CRYPTO, "crypto: cipher = %s", a->c->name); + trace(T_CRYPTO, "crypto: mac = %s/%lu", + a->m->name, (unsigned long)a->tagsz * 8); +} +#endif + +static int gencomp_checkalgs(gencomp_algs *a, const algswitch *asw, dstr *e) +{ + /* --- Derive the key sizes --- * + * + * Must ensure that we have non-empty keys. This isn't ideal, but it + * provides a handy sanity check. Also must be based on a 64- or 128-bit + * block cipher or we can't do the data expiry properly. + */ + + if ((a->cksz = keysz(asw->hashsz, a->c->keysz)) == 0) { + a_format(e, "cipher", "%s", a->c->name, + "no-key-size", "%lu", (unsigned long)asw->hashsz, + A_END); + return (-1); + } + if ((a->mksz = keysz(asw->hashsz, a->m->keysz)) == 0) { + a_format(e, "mac", "%s", a->m->name, + "no-key-size", "%lu", (unsigned long)asw->hashsz, + A_END); + return (-1); + } + + return (0); +} + +static void gencomp_alginfo(const gencomp_algs *a, admin *adm) +{ + a_info(adm, + "cipher=%s", a->c->name, + "cipher-keysz=%lu", (unsigned long)a->cksz, + "cipher-blksz=%lu", (unsigned long)a->c->blksz, + A_END); + a_info(adm, + "mac=%s", a->m->name, + "mac-keysz=%lu", (unsigned long)a->mksz, + "mac-tagsz=%lu", (unsigned long)a->tagsz, + A_END); +} + +static int gencomp_samealgsp(const gencomp_algs *a, const gencomp_algs *aa) +{ + return (a->c == aa->c && + a->m == aa->m && a->tagsz == aa->tagsz); +} + +static size_t gencomp_expsz(const gencomp_algs *a) + { return (a->c->blksz < 16 ? MEG(64) : MEG(2048)); } + +static bulkchal *gencomp_genchal(const gencomp_algs *a) +{ + gencomp_chal *gc = CREATE(gencomp_chal); + + rand_get(RAND_GLOBAL, buf_t, a->mksz); + gc->m = GM_KEY(a->m, buf_t, a->mksz); + gc->_b.tagsz = a->tagsz; + IF_TRACING(T_CHAL, { + trace(T_CHAL, "chal: generated new challenge key"); + trace_block(T_CRYPTO, "chal: new key", buf_t, a->mksz); + }) + return (&gc->_b); +} + +static int gencomp_chaltag(bulkchal *bc, const void *m, size_t msz, void *t) +{ + gencomp_chal *gc = (gencomp_chal *)bc; + ghash *h = GM_INIT(gc->m); + + GH_HASH(h, m, msz); + memcpy(t, GH_DONE(h, 0), bc->tagsz); + GH_DESTROY(h); + return (0); +} + +static int gencomp_chalvrf(bulkchal *bc, const void *m, size_t msz, + const void *t) +{ + gencomp_chal *gc = (gencomp_chal *)bc; + ghash *h = GM_INIT(gc->m); + int ok; + + GH_HASH(h, m, msz); + ok = ct_memeq(GH_DONE(h, 0), t, gc->_b.tagsz); + GH_DESTROY(h); + return (ok ? 0 : -1); +} + +static void gencomp_freechal(bulkchal *bc) + { gencomp_chal *gc = (gencomp_chal *)bc; GM_DESTROY(gc->m); DESTROY(gc); } + /*----- The original transform --------------------------------------------* * * We generate a random initialization vector (if the cipher needs one). We @@ -90,22 +258,110 @@ * ciphertext and extracts the sequence number. */ -static int v0_check(const algswitch *a, dstr *e) - { return (0); } +typedef struct v0_algs { + bulkalgs _b; + gencomp_algs ga; +} v0_algs; + +typedef struct v0_ctx { + bulkctx _b; + size_t tagsz; + struct { + gcipher *c; + gmac *m; + } d[NDIR]; +} v0_ctx; + +static bulkalgs *v0_getalgs(const algswitch *asw, dstr *e, + key_file *kf, key *k) +{ + v0_algs *a = CREATE(v0_algs); + if (gencomp_getalgs(&a->ga, asw, e, kf, k)) { DESTROY(a); return (0); } + return (&a->_b); +} + +#ifndef NTRACE +static void v0_tracealgs(const bulkalgs *aa) + { const v0_algs *a = (const v0_algs *)aa; gencomp_tracealgs(&a->ga); } +#endif + +static int v0_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e) +{ + v0_algs *a = (v0_algs *)aa; + if (gencomp_checkalgs(&a->ga, asw, e)) return (-1); + return (0); +} + +static int v0_samealgsp(const bulkalgs *aa, const bulkalgs *bb) +{ + const v0_algs *a = (const v0_algs *)aa, *b = (const v0_algs *)bb; + return (gencomp_samealgsp(&a->ga, &b->ga)); +} + +static void v0_alginfo(const bulkalgs *aa, admin *adm) + { const v0_algs *a = (const v0_algs *)aa; gencomp_alginfo(&a->ga, adm); } + +static size_t v0_overhead(const bulkalgs *aa) +{ + const v0_algs *a = (const v0_algs *)aa; + return (a->ga.tagsz + SEQSZ + a->ga.c->blksz); +} -static size_t v0_overhead(const algswitch *a) - { return a->tagsz + SEQSZ + a->c->blksz; } +static size_t v0_expsz(const bulkalgs *aa) + { const v0_algs *a = (const v0_algs *)aa; return (gencomp_expsz(&a->ga)); } -static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) +static bulkctx *v0_genkeys(const bulkalgs *aa, const struct rawkey *rk) { + const v0_algs *a = (const v0_algs *)aa; + v0_ctx *bc = CREATE(v0_ctx); + octet k[MAXHASHSZ]; + int i; + + bc->tagsz = a->ga.tagsz; + for (i = 0; i < NDIR; i++) { + ks_derivekey(k, a->ga.cksz, rk, i, "encryption"); + bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz); + ks_derivekey(k, a->ga.mksz, rk, i, "integrity"); + bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz); + } + return (&bc->_b); +} + +static bulkchal *v0_genchal(const bulkalgs *aa) +{ + const v0_algs *a = (const v0_algs *)aa; + return (gencomp_genchal(&a->ga)); +} +#define v0_chaltag gencomp_chaltag +#define v0_chalvrf gencomp_chalvrf +#define v0_freechal gencomp_freechal + +static void v0_freealgs(bulkalgs *aa) + { v0_algs *a = (v0_algs *)aa; DESTROY(a); } + +static void v0_freectx(bulkctx *bbc) +{ + v0_ctx *bc = (v0_ctx *)bbc; + int i; + + for (i = 0; i < NDIR; i++) { + GC_DESTROY(bc->d[i].c); + GM_DESTROY(bc->d[i].m); + } + DESTROY(bc); +} + +static int v0_encrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 seq) +{ + v0_ctx *bc = (v0_ctx *)bbc; ghash *h; - gcipher *c = ks->out.c; + gcipher *c = bc->d[DIR_OUT].c; const octet *p = BCUR(b); size_t sz = BLEFT(b); octet *qmac, *qseq, *qiv, *qpk; - uint32 oseq; size_t ivsz = GC_CLASS(c)->blksz; - size_t tagsz = ks->tagsz; + size_t tagsz = bc->tagsz; octet t[4]; /* --- Determine the ciphertext layout --- */ @@ -123,8 +379,7 @@ static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) /* --- Store the sequence number --- */ - oseq = ks->oseq++; - STORE32(qseq, oseq); + STORE32(qseq, seq); /* --- Establish an initialization vector if necessary --- */ @@ -142,7 +397,7 @@ static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) /* --- Compute a MAC over type, sequence number, IV, and ciphertext --- */ if (tagsz) { - h = GM_INIT(ks->out.m); + h = GM_INIT(bc->d[DIR_OUT].m); GH_HASH(h, t, sizeof(t)); GH_HASH(h, qseq, SEQSZ + ivsz + sz); memcpy(qmac, GH_DONE(h, 0), tagsz); @@ -155,22 +410,24 @@ static int v0_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) return (0); } -static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) +static int v0_decrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 *seq) { + v0_ctx *bc = (v0_ctx *)bbc; const octet *pmac, *piv, *pseq, *ppk; size_t psz = BLEFT(b); size_t sz; octet *q = BCUR(bb); ghash *h; - gcipher *c = ks->in.c; + gcipher *c = bc->d[DIR_IN].c; size_t ivsz = GC_CLASS(c)->blksz; - size_t tagsz = ks->tagsz; + size_t tagsz = bc->tagsz; octet t[4]; /* --- Break up the packet into its components --- */ if (psz < ivsz + SEQSZ + tagsz) { - T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); ) + T( trace(T_KEYSET, "keyset: block too small for keyset"); ) return (KSERR_MALFORMED); } sz = psz - ivsz - SEQSZ - tagsz; @@ -180,7 +437,7 @@ static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) /* --- Verify the MAC on the packet --- */ if (tagsz) { - h = GM_INIT(ks->in.m); + h = GM_INIT(bc->d[DIR_IN].m); GH_HASH(h, t, sizeof(t)); GH_HASH(h, pseq, SEQSZ + ivsz + sz); CHECK_MAC(h, pmac, tagsz); @@ -229,9 +486,74 @@ static int v0_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) * tagsz 32 sz */ -static int iiv_check(const algswitch *a, dstr *e) +typedef struct iiv_algs { + bulkalgs _b; + gencomp_algs ga; + const gccipher *b; size_t bksz; +} iiv_algs; + +typedef struct iiv_ctx { + bulkctx _b; + size_t tagsz; + struct { + gcipher *c, *b; + gmac *m; + } d[NDIR]; +} iiv_ctx; + + +static bulkalgs *iiv_getalgs(const algswitch *asw, dstr *e, + key_file *kf, key *k) +{ + iiv_algs *a = CREATE(iiv_algs); + dstr d = DSTR_INIT, dd = DSTR_INIT; + const char *p; + char *q; + + if (gencomp_getalgs(&a->ga, asw, e, kf, k)) goto fail; + + if ((p = key_getattr(kf, k, "blkc")) == 0) { + dstr_puts(&dd, a->ga.c->name); + if ((q = strrchr(dd.buf, '-')) != 0) *q = 0; + p = dd.buf; + } + dstr_putf(&d, "%s-ecb", p); + if ((a->b = gcipher_byname(d.buf)) == 0) { + a_format(e, "unknown-blkc", "%s", p, A_END); + goto fail; + } + + dstr_destroy(&d); dstr_destroy(&dd); + return (&a->_b); +fail: + dstr_destroy(&d); dstr_destroy(&dd); + DESTROY(a); + return (0); +} + +#ifndef NTRACE +static void iiv_tracealgs(const bulkalgs *aa) +{ + const iiv_algs *a = (const iiv_algs *)aa; + + gencomp_tracealgs(&a->ga); + trace(T_CRYPTO, "crypto: blkc = %.*s", strlen(a->b->name) - 4, a->b->name); +} +#endif + +static int iiv_checkalgs(bulkalgs *aa, const algswitch *asw, dstr *e) { - if (a->b->blksz < a->c->blksz) { + iiv_algs *a = (iiv_algs *)aa; + + if (gencomp_checkalgs(&a->ga, asw, e)) return (-1); + + if ((a->bksz = keysz(asw->hashsz, a->b->keysz)) == 0) { + a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name, + "no-key-size", "%lu", (unsigned long)asw->hashsz, + A_END); + return (-1); + } + if (a->b->blksz < a->ga.c->blksz) { a_format(e, "blkc", "%.*s", strlen(a->b->name) - 4, a->b->name, "blksz-insufficient", A_END); return (-1); @@ -239,23 +561,91 @@ static int iiv_check(const algswitch *a, dstr *e) return (0); } -static size_t iiv_overhead(const algswitch *a) - { return a->tagsz + SEQSZ; } +static int iiv_samealgsp(const bulkalgs *aa, const bulkalgs *bb) +{ + const iiv_algs *a = (const iiv_algs *)aa, *b = (const iiv_algs *)bb; + return (gencomp_samealgsp(&a->ga, &b->ga) && a->b == b->b); +} + +static void iiv_alginfo(const bulkalgs *aa, admin *adm) +{ + const iiv_algs *a = (const iiv_algs *)aa; + gencomp_alginfo(&a->ga, adm); + a_info(adm, + "blkc=%.*s", strlen(a->b->name) - 4, a->b->name, + "blkc-keysz=%lu", (unsigned long)a->bksz, + "blkc-blksz=%lu", (unsigned long)a->b->blksz, + A_END); +} + +static size_t iiv_overhead(const bulkalgs *aa) + { const iiv_algs *a = (const iiv_algs *)aa; return (a->ga.tagsz + SEQSZ); } + +static size_t iiv_expsz(const bulkalgs *aa) +{ + const iiv_algs *a = (const iiv_algs *)aa; + return (gencomp_expsz(&a->ga)); +} + +static bulkctx *iiv_genkeys(const bulkalgs *aa, const struct rawkey *rk) +{ + const iiv_algs *a = (const iiv_algs *)aa; + iiv_ctx *bc = CREATE(iiv_ctx); + octet k[MAXHASHSZ]; + int i; + + bc->tagsz = a->ga.tagsz; + for (i = 0; i < NDIR; i++) { + ks_derivekey(k, a->ga.cksz, rk, i, "encryption"); + bc->d[i].c = GC_INIT(a->ga.c, k, a->ga.cksz); + ks_derivekey(k, a->bksz, rk, i, "blkc"); + bc->d[i].b = GC_INIT(a->b, k, a->bksz); + ks_derivekey(k, a->ga.mksz, rk, i, "integrity"); + bc->d[i].m = GM_KEY(a->ga.m, k, a->ga.mksz); + } + return (&bc->_b); +} + +static bulkchal *iiv_genchal(const bulkalgs *aa) +{ + const iiv_algs *a = (const iiv_algs *)aa; + return (gencomp_genchal(&a->ga)); +} +#define iiv_chaltag gencomp_chaltag +#define iiv_chalvrf gencomp_chalvrf +#define iiv_freechal gencomp_freechal + +static void iiv_freealgs(bulkalgs *aa) + { iiv_algs *a = (iiv_algs *)aa; DESTROY(a); } + +static void iiv_freectx(bulkctx *bbc) +{ + iiv_ctx *bc = (iiv_ctx *)bbc; + int i; + + for (i = 0; i < NDIR; i++) { + GC_DESTROY(bc->d[i].c); + GC_DESTROY(bc->d[i].b); + GM_DESTROY(bc->d[i].m); + } + DESTROY(bc); +} #define TRACE_PRESEQ(qseq, ivsz) do { IF_TRACING(T_KEYSET, { \ trace_block(T_CRYPTO, "crypto: IV derivation input", (qseq), (ivsz)); \ }) } while (0) -static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) +static int iiv_encrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 seq) { + iiv_ctx *bc = (iiv_ctx *)bbc; ghash *h; - gcipher *c = ks->out.c, *blkc = ks->out.b; + gcipher *c = bc->d[DIR_OUT].c, *blkc = bc->d[DIR_OUT].b; const octet *p = BCUR(b); size_t sz = BLEFT(b); octet *qmac, *qseq, *qpk; - uint32 oseq; size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz; - size_t tagsz = ks->tagsz; + size_t tagsz = bc->tagsz; octet t[4]; /* --- Determine the ciphertext layout --- */ @@ -273,8 +663,7 @@ static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) /* --- Store the sequence number --- */ - oseq = ks->oseq++; - STORE32(qseq, oseq); + STORE32(qseq, seq); /* --- Establish an initialization vector if necessary --- */ @@ -295,7 +684,7 @@ static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) /* --- Compute a MAC over type, sequence number, and ciphertext --- */ if (tagsz) { - h = GM_INIT(ks->out.m); + h = GM_INIT(bc->d[DIR_OUT].m); GH_HASH(h, t, sizeof(t)); GH_HASH(h, qseq, SEQSZ + sz); memcpy(qmac, GH_DONE(h, 0), tagsz); @@ -308,22 +697,24 @@ static int iiv_encrypt(keyset *ks, unsigned ty, buf *b, buf *bb) return (0); } -static int iiv_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) +static int iiv_decrypt(bulkctx *bbc, unsigned ty, + buf *b, buf *bb, uint32 *seq) { + iiv_ctx *bc = (iiv_ctx *)bbc; const octet *pmac, *pseq, *ppk; size_t psz = BLEFT(b); size_t sz; octet *q = BCUR(bb); ghash *h; - gcipher *c = ks->in.c, *blkc = ks->in.b; + gcipher *c = bc->d[DIR_IN].c, *blkc = bc->d[DIR_IN].b; size_t ivsz = GC_CLASS(c)->blksz, blkcsz = GC_CLASS(blkc)->blksz; - size_t tagsz = ks->tagsz; + size_t tagsz = bc->tagsz; octet t[4]; /* --- Break up the packet into its components --- */ if (psz < SEQSZ + tagsz) { - T( trace(T_KEYSET, "keyset: block too small for keyset %u", ks->seq); ) + T( trace(T_KEYSET, "keyset: block too small for keyset"); ) return (KSERR_MALFORMED); } sz = psz - SEQSZ - tagsz; @@ -333,7 +724,7 @@ static int iiv_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) /* --- Verify the MAC on the packet --- */ if (tagsz) { - h = GM_INIT(ks->in.m); + h = GM_INIT(bc->d[DIR_IN].m); GH_HASH(h, t, sizeof(t)); GH_HASH(h, pseq, SEQSZ + sz); CHECK_MAC(h, pmac, tagsz); @@ -362,11 +753,18 @@ static int iiv_decrypt(keyset *ks, unsigned ty, buf *b, buf *bb, uint32 *seq) const bulkops bulktab[] = { -#define BULK(name, pre, prim) \ - { name, prim, pre##_check, pre##_overhead, pre##_encrypt, pre##_decrypt } +#define COMMA , + +#define BULK(name, pre) \ + { name, pre##_getalgs, T( pre##_tracealgs COMMA ) \ + pre##_checkalgs, pre##_samealgsp, \ + pre##_alginfo, pre##_overhead, pre##_expsz, \ + pre##_genkeys, pre##_genchal, pre##_freealgs, \ + pre##_encrypt, pre##_decrypt, pre##_freectx, \ + pre##_chaltag, pre##_chalvrf, pre##_freechal } - BULK("v0", v0, BCP_CIPHER | BCP_MAC), - BULK("iiv", iiv, BCP_CIPHER | BCP_MAC | BCP_BLKC), + BULK("v0", v0), + BULK("iiv", iiv), #undef BULK { 0 }