From: Mark Wooding Date: Thu, 24 Aug 2017 20:25:53 +0000 (+0100) Subject: server/servutil.c: Add utilities for plain asymmetric encryption. X-Git-Tag: 1.5.0~49 X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/commitdiff_plain/0c1cede3374c0e3110303fc031698c37d2450469 server/servutil.c: Add utilities for plain asymmetric encryption. The encryption is standard KEM/DEM fare, using a Diffie--Hellman KEM and a TrIPE bulk-crypto transform as a (very heavyweight) DEM. --- diff --git a/server/servutil.c b/server/servutil.c index 72de38a2..72b5b80e 100644 --- a/server/servutil.c +++ b/server/servutil.c @@ -131,6 +131,131 @@ int ratelim_withdraw(ratelim *r, unsigned n) else { r->n -= n; return (0); } } +/*----- Crypto ------------------------------------------------------------*/ + +/* --- @ies_encrypt@ --- * + * + * Arguments: @kdata *kpub@ = recipient's public key + * @unsigned ty@ = message type octet + * @buf *b@ = input message buffer + * @buf *bb@ = output buffer for the ciphertext + * + * Returns: On error, returns a @KSERR_...@ code or breaks the buffer; + * on success, returns zero and the buffer is good. + * + * Use: Encrypts a message for a recipient, given their public key. + * This does not (by itself) provide forward secrecy or sender + * authenticity. The ciphertext is self-delimiting (unlike + * @ks_encrypt@). + */ + +int ies_encrypt(kdata *kpub, unsigned ty, buf *b, buf *bb) +{ + dhgrp *g = kpub->grp; + dhsc *u = g->ops->randsc(g); + dhge *U = g->ops->mul(g, u, 0), *Z = g->ops->mul(g, u, kpub->K); + bulkalgs *algs = kpub->algs.bulk; + octet *len; + bulkctx *bulk; + deriveargs a; + size_t n; + buf bk; + int rc = 0; + + IF_TRACING(T_CRYPTO, { + trace(T_CRYPTO, + "crypto: encrypting IES message (type 0x%02x) for recipient `%s'", + ty, kpub->tag); + trace_block(T_CRYPTO, "crypto: plaintext message", BCUR(b), BLEFT(b)); + }) + + a.hc = kpub->algs.h; a.what = "tripe:ecies-"; a.f = DF_OUT; + buf_init(&bk, buf_u, sizeof(buf_u)); a.k = BBASE(&bk); + g->ops->stge(g, &bk, U, DHFMT_HASH); a.x = a.y = BLEN(&bk); + g->ops->stge(g, &bk, Z, DHFMT_HASH); a.z = BLEN(&bk); + assert(BOK(&bk)); + T( trace_block(T_CRYPTO, "crypto: KEM clue", a.k, a.x); + trace_block(T_CRYPTO, "crypto: shared secret", a.k + a.y, a.z - a.y); ) + + len = BCUR(bb); buf_get(bb, 2); + bulk = algs->ops->genkeys(algs, &a); + bulk->ops = algs->ops; + g->ops->stge(g, bb, U, DHFMT_VAR); if (BBAD(bb)) goto end; + rc = bulk->ops->encrypt(bulk, ty, b, bb, 0); + if (rc || BBAD(bb)) goto end; + n = BCUR(bb) - len - 2; assert(n <= MASK16); STORE16(len, n); + +end: + bulk->ops->freectx(bulk); + g->ops->freesc(g, u); + g->ops->freege(g, U); + g->ops->freege(g, Z); + return (rc); +} + +/* --- @ies_decrypt@ --- * + * + * Arguments: @kdata *kpub@ = private key key + * @unsigned ty@ = message type octet + * @buf *b@ = input ciphertext buffer + * @buf *bb@ = output buffer for the message + * + * Returns: On error, returns a @KSERR_...@ code; on success, returns + * zero and the buffer is good. + * + * Use: Decrypts a message encrypted using @ies_encrypt@, given our + * private key. + */ + +int ies_decrypt(kdata *kpriv, unsigned ty, buf *b, buf *bb) +{ + dhgrp *g = kpriv->grp; + bulkalgs *algs = kpriv->algs.bulk; + bulkctx *bulk = 0; + T( const octet *m; ) + dhge *U = 0, *Z = 0; + deriveargs a; + uint32 seq; + buf bk, bc; + int rc; + + IF_TRACING(T_CRYPTO, { + trace(T_CRYPTO, + "crypto: decrypting IES message (type 0x%02x) to recipient `%s'", + ty, kpriv->tag); + trace_block(T_CRYPTO, "crypto: ciphertext message", BCUR(b), BLEFT(b)); + }) + + if (buf_getbuf16(b, &bc) || + (U = g->ops->ldge(g, &bc, DHFMT_VAR)) == 0 || + g->ops->checkge(g, U)) + { rc = KSERR_MALFORMED; goto end; } + Z = g->ops->mul(g, kpriv->k, U); + + a.hc = kpriv->algs.h; a.what = "tripe:ecies-"; a.f = DF_IN; + buf_init(&bk, buf_u, sizeof(buf_u)); a.k = BBASE(&bk); a.x = 0; + g->ops->stge(g, &bk, U, DHFMT_HASH); a.y = BLEN(&bk); + g->ops->stge(g, &bk, Z, DHFMT_HASH); a.z = BLEN(&bk); + T( trace_block(T_CRYPTO, "crypto: KEM clue", a.k + a.x, a.y - a.x); + trace_block(T_CRYPTO, "crypto: shared secret", a.k + a.y, a.z - a.y); ) + assert(BOK(&bk)); + + bulk = algs->ops->genkeys(algs, &a); + bulk->ops = algs->ops; + T( m = BCUR(bb); ) + rc = bulk->ops->decrypt(bulk, ty, &bc, bb, &seq); + if (rc) goto end; + if (seq) { rc = KSERR_SEQ; goto end; } + assert(BOK(bb)); + T( trace_block(T_CRYPTO, "crypto: decrypted message", m, BCUR(bb) - m); ) + +end: + if (bulk) bulk->ops->freectx(bulk); + g->ops->freege(g, U); + g->ops->freege(g, Z); + return (rc); +} + /*----- Random odds and sods ----------------------------------------------*/ /* --- @timestr@ --- * diff --git a/server/tripe.h b/server/tripe.h index 5550c1fd..940e3d61 100644 --- a/server/tripe.h +++ b/server/tripe.h @@ -1801,6 +1801,42 @@ extern void ratelim_init(ratelim */*r*/, extern int ratelim_withdraw(ratelim */*r*/, unsigned /*n*/); +/* --- @ies_encrypt@ --- * + * + * Arguments: @kdata *kpub@ = recipient's public key + * @unsigned ty@ = message type octet + * @buf *b@ = input message buffer + * @buf *bb@ = output buffer for the ciphertext + * + * Returns: On error, returns a @KSERR_...@ code or breaks the buffer; + * on success, returns zero and the buffer is good. + * + * Use: Encrypts a message for a recipient, given their public key. + * This does not (by itself) provide forward secrecy or sender + * authenticity. The ciphertext is self-delimiting (unlike + * @ks_encrypt@). + */ + +extern int ies_encrypt(kdata */*kpub*/, unsigned /*ty*/, + buf */*b*/, buf */*bb*/); + +/* --- @ies_decrypt@ --- * + * + * Arguments: @kdata *kpub@ = private key key + * @unsigned ty@ = message type octet + * @buf *b@ = input ciphertext buffer + * @buf *bb@ = output buffer for the message + * + * Returns: On error, returns a @KSERR_...@ code; on success, returns + * zero and the buffer is good. + * + * Use: Decrypts a message encrypted using @ies_encrypt@, given our + * private key. + */ + +extern int ies_decrypt(kdata */*kpriv*/, unsigned /*ty*/, + buf */*b*/, buf */*bb*/); + /*----- That's all, folks -------------------------------------------------*/ #ifdef __cplusplus