X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/c70a7c5cedab62209640b76f03d97c1876e38dc6..5b9f3d3788bafcba79c893b1afc6a1c77bc77d20:/server/dh.c diff --git a/server/dh.c b/server/dh.c new file mode 100644 index 00000000..bbaa1230 --- /dev/null +++ b/server/dh.c @@ -0,0 +1,634 @@ +/* -*-c-*- + * + * Diffie--Hellman groups + * + * (c) 2017 Straylight/Edgeware + */ + +/*----- Licensing notice --------------------------------------------------* + * + * This file is part of Trivial IP Encryption (TrIPE). + * + * TrIPE is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. + * + * TrIPE is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with TrIPE; if not, write to the Free Software Foundation, + * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. + */ + +/*----- Header files ------------------------------------------------------*/ + +#include "tripe.h" + +/*----- Common utilities --------------------------------------------------*/ + +/* --- @KLOAD@ --- * + * + * Arguments: @pre@ = prefix for defined functions + * @ty@, @TY@ = key type name (lower- and upper-case) + * @setgroup@ = code to initialize @kd->g@ + * @setpriv@ = code to initialize @kd->kpriv@ + * @setpub@ = code to initialize @kd->kpub@ + * + * Use: Generates the body of one of the (rather tedious) key loading + * functions. See the description of @KEYTYPES@ below for the + * details. + */ + +#define KLOAD_HALF(pre, ty, TY, which, WHICH, setgroup, setpriv, setpub) \ +static int pre##_ld##which(key_file *kf, key *k, key_data *d, \ + kdata *kd, dstr *t, dstr *e) \ +{ \ + key_packstruct kps[TY##_##WHICH##FETCHSZ]; \ + key_packdef *kp; \ + ty##_##which p; \ + int rc; \ + \ + /* --- Initialize things we've not set up yet --- */ \ + \ + kd->grp = 0; kd->k = 0; kd->K = 0; \ + \ + /* --- Unpack the key --- */ \ + \ + kp = key_fetchinit(ty##_##which##fetch, kps, &p); \ + if ((rc = key_unpack(kp, d, t)) != 0) { \ + a_format(e, "unpack-failed", "%s", key_strerror(rc), A_END); \ + goto fail; \ + } \ + \ + /* --- Extract the pieces of the key --- */ \ + \ + setgroup; \ + setpriv; \ + setpub; \ + \ + /* --- We win --- */ \ + \ + rc = 0; \ + goto done; \ + \ +fail: \ + if (kd->grp) { \ + if (kd->K) pre##_freege(kd->grp, kd->K); \ + if (kd->k) pre##_freesc(kd->grp, kd->k); \ + pre##_freegrp(kd->grp); \ + } \ + rc = -1; \ + \ +done: \ + key_fetchdone(kp); \ + return (rc); \ +} + +#define KLOAD(pre, ty, TY, setgroup, setpriv, setpub) \ +static void pre##_freegrp(dhgrp *); \ +static void pre##_freesc(const dhgrp *, dhsc *); \ +static void pre##_freege(const dhgrp *, dhge *); \ + KLOAD_HALF(pre, ty, TY, priv, PRIV, setgroup, setpriv, setpub) \ + KLOAD_HALF(pre, ty, TY, pub, PUB, setgroup, { kd->k = 0; }, setpub) + +#ifndef NTRACE +static void setupstr(mptext_stringctx *sc) + { sc->buf = (char *)buf_u; sc->lim = sc->buf + sizeof(buf_u); } + +static const char *donestr(mptext_stringctx *sc) + { *sc->buf = 0; return ((const char *)buf_u); } + +static void addlitstr(const char *p, mptext_stringctx *sc) + { mptext_stringops.put(p, strlen(p), sc); } + +static void addmpstr(mp *x, int radix, mptext_stringctx *sc) +{ + char b[12]; + + if (radix == 16) addlitstr("0x", sc); + else if (radix == 8) addlitstr("0", sc); + else if (radix != 10) { sprintf(b, "%d#", radix); addlitstr(b, sc); } + mp_write(x, radix, &mptext_stringops, sc); +} + +static const char *mpstr(mp *x, int radix) +{ + mptext_stringctx sc; + + setupstr(&sc); + addmpstr(x, radix, &sc); + return (donestr(&sc)); +} +#endif + +/*----- Schnorr groups ----------------------------------------------------*/ + +typedef struct intdh_grp { + dhgrp _g; + mpmont mm; + mp *q, *G; + size_t gesz; +} intdh_grp; + +typedef struct intdh_sc { mp *x; } intdh_sc; +typedef struct intdh_ge { mp *X; } intdh_ge; + +static dhgrp *intdh_mkgroup(const dh_param *dp) +{ + intdh_grp *g = CREATE(intdh_grp); + g->_g.scsz = mp_octets(dp->q); + g->gesz = mp_octets(dp->p); + mpmont_create(&g->mm, dp->p); + g->q = MP_COPY(dp->q); + g->G = mpmont_mul(&g->mm, MP_NEW, dp->g, g->mm.r2); + return (&g->_g); +} + +static dhsc *intdh_mptosc(const dhgrp *gg, mp *z) +{ + const intdh_grp *g = (const intdh_grp *)gg; + intdh_sc *x = CREATE(intdh_sc); + x->x = MP_NEW; mp_div(0, &x->x, z, g->q); + return ((dhsc *)x); +} + +static dhge *intdh_mptoge(const dhgrp *gg, mp *z) +{ + const intdh_grp *g = (const intdh_grp *)gg; + intdh_ge *Y = CREATE(intdh_ge); + mp *t = MP_NEW; mp_div(0, &t, z, g->mm.m); + Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2); + return ((dhge *)Y); +} + +KLOAD(intdh, dh, DH, + { kd->grp = intdh_mkgroup(&p.dp); }, + { kd->k = intdh_mptosc(kd->grp, p.x); }, + { kd->K = intdh_mptoge(kd->grp, p.y); }) + +static const char *intdh_checkgrp(const dhgrp *gg) +{ + const intdh_grp *g = (const intdh_grp *)gg; + mp *t = MP_NEW; + + if (!pgen_primep(g->mm.m, &rand_global)) return ("p is not prime"); + if (!pgen_primep(g->q, &rand_global)) return ("q is not prime"); + mp_div(0, &t, g->mm.m, g->q); + if (!MP_EQ(t, MP_ONE)) return ("q is not a subgroup order"); + t = mpmont_expr(&g->mm, t, g->G, g->q); + if (!MP_EQ(t, g->mm.r)) return ("g not in the subgroup"); + return (0); +} + +static void intdh_grpinfo(const dhgrp *gg, admin *adm) +{ + const intdh_grp *g = (const intdh_grp *)gg; + a_info(adm, + "kx-group=prime", + "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->q), + "kx-group-elt-bits=%lu", (unsigned long)mp_bits(g->mm.m), + A_END); +} + +#ifndef NTRACE +static void intdh_tracegrp(const dhgrp *gg) +{ + const intdh_grp *g = (const intdh_grp *)gg; + mp *t = MP_NEW; + trace(T_CRYPTO, "crypto: group type `dh'"); + trace(T_CRYPTO, "crypto: p = %s", mpstr(g->mm.m, 10)); + trace(T_CRYPTO, "crypto: q = %s", mpstr(g->q, 10)); + t = mpmont_reduce(&g->mm, t, g->G); + trace(T_CRYPTO, "crypto: g = %s", mpstr(t, 10)); + MP_DROP(t); +} +#endif + +static int intdh_samegrpp(const dhgrp *gg, const dhgrp *hh) +{ + const intdh_grp *g = (const intdh_grp *)gg, *h = (const intdh_grp *)hh; + return (MP_EQ(g->mm.m, h->mm.m) && MP_EQ(g->q, h->q) && MP_EQ(g->G, h->G)); +} + +static void intdh_freegrp(dhgrp *gg) +{ + intdh_grp *g = (intdh_grp *)gg; + mpmont_destroy(&g->mm); MP_DROP(g->q); MP_DROP(g->G); + DESTROY(g); +} + +static dhsc *intdh_ldsc(const dhgrp *gg, const void *p, size_t sz) +{ const intdh_grp *g = (const intdh_grp *)gg; + intdh_sc *x = CREATE(intdh_sc); + mp *t = mp_loadb(MP_NEW, p, sz); + mp_div(0, &t, t, g->q); x->x = t; + return ((dhsc *)x); +} + +static int intdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx) +{ + const intdh_sc *x = (const intdh_sc *)xx; + mp_storeb(x->x, p, sz); + return (0); +} + +static dhsc *intdh_randsc(const dhgrp *gg) +{ + const intdh_grp *g = (const intdh_grp *)gg; + intdh_sc *x = CREATE(intdh_sc); + x->x = mprand_range(MP_NEW, g->q, &rand_global, 0); + return ((dhsc *)x); +} + +#ifndef NTRACE +static const char *intdh_scstr(const dhgrp *gg, const dhsc *xx) + { const intdh_sc *x = (const intdh_sc *)xx; return (mpstr(x->x, 10)); } +#endif + +static void intdh_freesc(const dhgrp *gg, dhsc *xx) +{ + intdh_sc *x = (intdh_sc *)xx; + MP_DROP(x->x); DESTROY(x); +} + +static dhge *intdh_ldge(const dhgrp *gg, buf *b, int fmt) +{ + const intdh_grp *g = (const intdh_grp *)gg; + intdh_ge *Y; + mp *t; + const octet *p; + + switch (fmt) { + case DHFMT_VAR: case DHFMT_HASH: + if ((t = buf_getmp(b)) == 0) return (0); + break; + case DHFMT_STD: + if ((p = buf_get(b, g->gesz)) == 0) return (0); + t = mp_loadb(MP_NEW, p, g->gesz); + break; + default: + abort(); + } + Y = CREATE(intdh_ge); + mp_div(0, &t, t, g->mm.m); + Y->X = mpmont_mul(&g->mm, t, t, g->mm.r2); + return ((dhge *)Y); +} + +static int intdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt) +{ + const intdh_grp *g = (const intdh_grp *)gg; + const intdh_ge *Y = (const intdh_ge *)YY; + octet *p; + mp *t; + int rc; + + t = mpmont_reduce(&g->mm, MP_NEW, Y->X); + switch (fmt) { + case DHFMT_VAR: case DHFMT_HASH: + rc = buf_putmp(b, t); + break; + case DHFMT_STD: + if ((p = buf_get(b, g->gesz)) == 0) + rc = -1; + else { + mp_storeb(t, p, g->gesz); + rc = 0; + } + break; + default: + abort(); + } + MP_DROP(t); + return (rc); +} + +static int intdh_checkge(const dhgrp *gg, const dhge *YY) +{ + const intdh_grp *g = (const intdh_grp *)gg; + const intdh_ge *Y = (const intdh_ge *)YY; + mp *T; + int rc = 0; + + if (MP_EQ(Y->X, g->mm.r)) rc = -1; + T = mpmont_expr(&g->mm, MP_NEW, Y->X, g->q); + if (!MP_EQ(T, g->mm.r)) rc = -1; + MP_DROP(T); + return (rc); +} + +static int intdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ) +{ + const intdh_ge *Y = (const intdh_ge *)YY, *Z = (const intdh_ge *)ZZ; + return (MP_EQ(Y->X, Z->X)); +} + +static dhge *intdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY) +{ + const intdh_grp *g = (const intdh_grp *)gg; + const intdh_sc *x = (const intdh_sc *)xx; + const intdh_ge *Y = (const intdh_ge *)YY; + intdh_ge *Z = CREATE(intdh_ge); + + Z->X = mpmont_expr(&g->mm, MP_NEW, Y ? Y->X : g->G, x->x); + return ((dhge *)Z); +} + +#ifndef NTRACE +static const char *intdh_gestr(const dhgrp *gg, const dhge *YY) +{ + const intdh_grp *g = (const intdh_grp *)gg; + const intdh_ge *Y = (const intdh_ge *)YY; + mp *t = mpmont_reduce(&g->mm, MP_NEW, Y->X); + const char *p = mpstr(t, 10); + MP_DROP(t); + return (p); +} +#endif + +static void intdh_freege(const dhgrp *gg, dhge *YY) + { intdh_ge *Y = (intdh_ge *)YY; MP_DROP(Y->X); DESTROY(Y); } + +/*----- Elliptic curve groups ---------------------------------------------*/ + +typedef struct ecdh_grp { + dhgrp _g; + ec_info ei; + ec P; +} ecdh_grp; + +typedef struct ecdh_sc { mp *x; } ecdh_sc; +typedef struct ecdh_ge { ec Q; } ecdh_ge; + +static dhgrp *ecdh_mkgroup(const char *cstr, dstr *e) +{ + ecdh_grp *g; + ec_info ei; + const char *err; + + if ((err = ec_getinfo(&ei, cstr)) != 0) { + a_format(e, "decode-failed", "%s", err, A_END); + return (0); + } + g = CREATE(ecdh_grp); + g->ei = ei; + EC_CREATE(&g->P); EC_IN(g->ei.c, &g->P, &g->ei.g); + g->_g.scsz = mp_octets(g->ei.r); + return (&g->_g); +} + +static dhsc *ecdh_mptosc(const dhgrp *gg, mp *z) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + ecdh_sc *x = CREATE(ecdh_sc); + x->x = MP_NEW; mp_div(0, &x->x, z, g->ei.r); + return ((dhsc *)x); +} + +static dhge *ecdh_ectoge(const dhgrp *gg, ec *Q) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + ecdh_ge *Y = CREATE(ecdh_ge); EC_CREATE(&Y->Q); + EC_IN(g->ei.c, &Y->Q, Q); + if (EC_CHECK(g->ei.c, &Y->Q)) + { EC_DESTROY(&Y->Q); DESTROY(Y); return (0); } + return ((dhge *)Y); +} + +KLOAD(ecdh, ec, EC, + { if ((kd->grp = ecdh_mkgroup(p.cstr, e)) == 0) goto fail; }, + { kd->k = ecdh_mptosc(kd->grp, p.x); }, + { if ((kd->K = ecdh_ectoge(kd->grp, &p.p)) == 0) { + a_format(e, "bad-public-vector", A_END); + goto fail; + } + }) + +static const char *ecdh_checkgrp(const dhgrp *gg) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + return (ec_checkinfo(&g->ei, &rand_global)); +} + +static void ecdh_grpinfo(const dhgrp *gg, admin *adm) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + a_info(adm, + "kx-group=ec", + "kx-group-order-bits=%lu", (unsigned long)mp_bits(g->ei.r), + "kx-group-elt-bits=%lu", (unsigned long)2*g->ei.c->f->nbits, + A_END); +} + +#ifndef NTRACE +static void addfestr(field *f, mp *x, mptext_stringctx *sc) + { addmpstr(x, F_TYPE(f) == FTY_PRIME ? 10 : 16, sc); } + +static void addintfestr(field *f, mp *x, mptext_stringctx *sc) + { mp *t = F_OUT(f, MP_NEW, x); addfestr(f, x, sc); MP_DROP(t); } + +static const char *intfestr(field *f, mp *x) +{ + mptext_stringctx sc; + setupstr(&sc); + addintfestr(f, x, &sc); + return (donestr(&sc)); +} + +static void ecdh_tracegrp(const dhgrp *gg) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + const ec_curve *c = g->ei.c; + field *f = c->f; + + trace(T_CRYPTO, "crypto: group type `ec'"); + switch (F_TYPE(f)) { + case FTY_PRIME: + trace(T_CRYPTO, "crypto: prime field `%s'", F_NAME(f)); + trace(T_CRYPTO, "crypto: p = %s", mpstr(f->q, 10)); + break; + case FTY_BINARY: + trace(T_CRYPTO, "crypto: binary field `%s'", F_NAME(f)); + trace(T_CRYPTO, "crypto: degree = %lu", f->nbits - 1); + break; + default: + trace(T_CRYPTO, "crypto: unknown field type! `%s'", F_NAME(f)); + break; + } + trace(T_CRYPTO, "crypto: curve type `%s'", EC_NAME(c)); + trace(T_CRYPTO, "crypto: curve a = %s", intfestr(f, c->a)); + trace(T_CRYPTO, "crypto: curve b = %s", intfestr(f, c->b)); + trace(T_CRYPTO, "crypto: n = %s", mpstr(g->ei.r, 10)); + trace(T_CRYPTO, "crypto: h = %s", mpstr(g->ei.h, 10)); +} +#endif + +static int ecdh_samegrpp(const dhgrp *gg, const dhgrp *hh) +{ + const ecdh_grp *g = (const ecdh_grp *)gg, *h = (const ecdh_grp *)hh; + return (ec_sameinfop(&g->ei, &h->ei)); +} + +static void ecdh_freegrp(dhgrp *gg) +{ + ecdh_grp *g = (ecdh_grp *)gg; + EC_DESTROY(&g->P); ec_freeinfo(&g->ei); + DESTROY(g); +} + +static dhsc *ecdh_ldsc(const dhgrp *gg, const void *p, size_t sz) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + ecdh_sc *x = CREATE(ecdh_sc); + mp *t = mp_loadb(MP_NEW, p, sz); + mp_div(0, &t, t, g->ei.r); x->x = t; + return ((dhsc *)x); +} + +static int ecdh_stsc(const dhgrp *gg, void *p, size_t sz, const dhsc *xx) +{ + const ecdh_sc *x = (const ecdh_sc *)xx; + mp_storeb(x->x, p, sz); + return (0); +} + +static dhsc *ecdh_randsc(const dhgrp *gg) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + ecdh_sc *x = CREATE(ecdh_sc); + x->x = mprand_range(MP_NEW, g->ei.r, &rand_global, 0); + return ((dhsc *)x); +} + +#ifndef NTRACE +static const char *ecdh_scstr(const dhgrp *gg, const dhsc *xx) +{ + const ecdh_sc *x = (const ecdh_sc *)xx; + return (mpstr(x->x, 10)); +} +#endif + +static void ecdh_freesc(const dhgrp *gg, dhsc *xx) + { ecdh_sc *x = (ecdh_sc *)xx; MP_DROP(x->x); DESTROY(x); } + +static dhge *ecdh_ldge(const dhgrp *gg, buf *b, int fmt) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + ecdh_ge *Y; + ec T = EC_INIT; + + switch (fmt) { + case DHFMT_VAR: case DHFMT_HASH: if (buf_getec(b, &T)) return (0); break; + case DHFMT_STD: if (ec_getraw(g->ei.c, b, &T)) return (0); break; + default: + abort(); + } + EC_IN(g->ei.c, &T, &T); + Y = CREATE(ecdh_ge); Y->Q = T; + return ((dhge *)Y); +} + +static int ecdh_stge(const dhgrp *gg, buf *b, const dhge *YY, int fmt) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + const ecdh_ge *Y = (const ecdh_ge *)YY; + ec T = EC_INIT; + int rc; + + EC_OUT(g->ei.c, &T, &Y->Q); + switch (fmt) { + case DHFMT_VAR: case DHFMT_HASH: rc = buf_putec(b, &T); break; + case DHFMT_STD: rc = ec_putraw(g->ei.c, b, &T); break; + default: abort(); + } + EC_DESTROY(&T); + return (rc); +} + +static int ecdh_checkge(const dhgrp *gg, const dhge *YY) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + const ecdh_ge *Y = (const ecdh_ge *)YY; + ec T = EC_INIT; + int rc = 0; + + if (EC_ATINF(&Y->Q)) rc = -1; + ec_imul(g->ei.c, &T, &Y->Q, g->ei.r); + if (!EC_ATINF(&T)) rc = -1; + EC_DESTROY(&T); + return (rc); +} + +static int ecdh_eq(const dhgrp *gg, const dhge *YY, const dhge *ZZ) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + const ecdh_ge *Y = (const ecdh_ge *)YY, *Z = (const ecdh_ge *)ZZ; + ec T = EC_INIT, U = EC_INIT; int rc; + EC_FIX(g->ei.c, &T, &Y->Q); EC_FIX(g->ei.c, &U, &Z->Q); + rc = EC_EQ(&T, &U); + EC_DESTROY(&T); EC_DESTROY(&U); + return (rc); +} + +static dhge *ecdh_mul(const dhgrp *gg, const dhsc *xx, const dhge *YY) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + const ecdh_sc *x = (const ecdh_sc *)xx; + const ecdh_ge *Y = (const ecdh_ge *)YY; + ecdh_ge *Z = CREATE(ecdh_ge); EC_CREATE(&Z->Q); + + ec_imul(g->ei.c, &Z->Q, Y ? &Y->Q : &g->P, x->x); + return ((dhge *)Z); +} + +#ifndef NTRACE +static const char *ecdh_gestr(const dhgrp *gg, const dhge *YY) +{ + const ecdh_grp *g = (const ecdh_grp *)gg; + const ecdh_ge *Y = (const ecdh_ge *)YY; + ec T = EC_INIT; + field *f = g->ei.c->f; + mptext_stringctx sc; + + if (EC_ATINF(&Y->Q)) return ("inf"); + setupstr(&sc); + EC_OUT(g->ei.c, &T, &Y->Q); + addfestr(f, T.x, &sc); + addlitstr(", ", &sc); + addfestr(f, T.y, &sc); + EC_DESTROY(&T); + return (donestr(&sc)); +} +#endif + +static void ecdh_freege(const dhgrp *gg, dhge *YY) + { ecdh_ge *Y = (ecdh_ge *)YY; EC_DESTROY(&Y->Q); DESTROY(Y); } + +/*----- Diffie--Hellman group table ---------------------------------------*/ + +const dhops dhtab[] = { + +#define COMMA , + +#define DH(name, pre) \ + { name, pre##_ldpriv, pre##_ldpub, pre##_checkgrp, \ + pre##_grpinfo, T( pre##_tracegrp COMMA ) pre##_samegrpp, \ + pre##_freegrp, \ + pre##_ldsc, pre##_stsc, pre##_randsc, T( pre##_scstr COMMA ) \ + pre##_freesc, \ + pre##_ldge, pre##_stge, pre##_checkge, pre##_eq, pre##_mul, \ + T( pre##_gestr COMMA ) pre##_freege }, \ + + DH("dh", intdh) + DH("ec", ecdh) + +#undef DH + + { 0 } +}; + +/*----- That's all, folks -------------------------------------------------*/